
CVE-2018-7490 uWSGI PHP Plugin Directory Traversal

Published: 2023/12/16 | php | 31 | 豆豆

# Exploit Title: uWSGI PHP Plugin Directory Traversal

# Date: 1 March 2018

# Exploit Author: Marios Nicolaides - RUNESEC

# Reviewers: Simon Loizides and Nicolas Markitanis - RUNESEC

# Vendor Homepage: https://uwsgi-docs.readthedocs.io

# Affected Software: uWSGI PHP Plugin before 2.0.17

# Tested on: uWSGI 2.0.12 and 2.0.15

# CVE: CVE-2018-7490

# Category: Web Application


OVERVIEW

--------

The uWSGI PHP plugin before 2.0.17 is vulnerable to Directory Traversal when used without specifying the "php-allowed-docroot" option.

The vulnerability exists due to improper validation of the file path when requesting a resource under the DOCUMENT_ROOT directory, which is specified via "php-docroot".

A remote attacker could exploit this weakness to read arbitrary files from the vulnerable system using path traversal sequences ("..%2f").

This was tested on uWSGI 2.0.12 and 2.0.15. All versions before 2.0.17 are affected.


DETAILS

-------

The uWSGI documentation states that the php-docroot option is used to jail the PHP environment to a project directory (http://uwsgi-docs.readthedocs.io/en/latest/PHP.html#run-php-apps-without-a-frontend-server):

; jail our php environment to project_dir

php-docroot = %(project_dir)

During testing it was observed that uWSGI was affected by a Directory Traversal vulnerability when executed standalone (without a front-end web server) with the "php-docroot" option used to enforce the DOCUMENT_ROOT of the web application:

uwsgi --http-socket :1337 --protocol=http --plugin php --php-index index.php --php-docroot /home/testing/webapp/

An attacker could exploit this vulnerability by using path traversal sequences ("..%2f") to access sensitive information, as demonstrated below:

http://example.runesec.com:1337/..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc/passwd

We noticed that when a Directory Traversal attack was performed, uWSGI issued the following security error:

[uwsgi-fileserve] security error: /etc/passwd is not under /home/testing/webapp or a safe path

However, the contents of the requested file (i.e., /etc/passwd) were still returned to the user.

After searching the web for possible solutions, we noticed that the "php-allowed-docroot" option had previously been added to uWSGI for better security and could be used to list the allowed document roots, but no further details were available (http://lists.unbit.it/pipermail/uwsgi/2011-December/003180.html).

Upon further testing, we observed that when "php-allowed-docroot" was used instead of the "php-docroot" option, uWSGI was not affected by Directory Traversal attacks:

uwsgi --http-socket :1337 --protocol=http --plugin php --php-index index.php --php-allowed-docroot /home/testing/webapp/

After a very constructive and helpful discussion with the uWSGI Project, they released an update that enforces a DOCUMENT_ROOT check when the "php-docroot" option is used, preventing Directory Traversal attacks. Please see the MITIGATION section for more information.
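The root cause described above is a docroot check applied to the raw request path rather than to the file the OS will actually open. The following added example (not uWSGI's code) contrasts a naive prefix check, which accepts the advisory's "..%2f" request, with a containment check that percent-decodes and normalises the path first. The docroot value is the one from the advisory's test command.

```python
import os
from urllib.parse import unquote

# Document root from the advisory's test setup (constructed sample value).
DOCROOT = "/home/testing/webapp"


def naive_is_under_docroot(url_path: str, docroot: str = DOCROOT) -> bool:
    """The failing pattern: join the raw, still percent-encoded request path
    onto the docroot and test only the string prefix. "..%2f" never looks
    like "../" at this point, so every such request passes."""
    candidate = docroot.rstrip("/") + "/" + url_path.lstrip("/")
    return candidate.startswith(docroot.rstrip("/") + "/")


def resolve_request_path(url_path: str, docroot: str = DOCROOT) -> str:
    """Return the path the OS would open: percent-decode once (so "..%2f"
    becomes "../"), join onto the docroot and collapse "." and ".." segments.
    Decoding only once is deliberate: "%252f" decodes to a literal "%2f",
    which the filesystem treats as an ordinary filename character."""
    decoded = unquote(url_path)
    joined = os.path.join(docroot, decoded.lstrip("/"))
    return os.path.normpath(joined)


def is_under_docroot(url_path: str, docroot: str = DOCROOT) -> bool:
    """Containment check: the resolved path must equal the docroot or lie
    below it at a path-component boundary ("/home/testing/webapp2" is not
    under "/home/testing/webapp"). On a live system, apply os.path.realpath
    to the resolved path as well so symlinks cannot point outside the root."""
    root = os.path.normpath(docroot)
    target = resolve_request_path(url_path, root)
    try:
        return os.path.commonpath([root, target]) == root
    except ValueError:
        # Raised for mixed absolute/relative paths or different drives.
        return False


if __name__ == "__main__":
    probe = "/..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc/passwd"  # from the advisory
    print("naive check accepts:", naive_is_under_docroot(probe))
    print("resolves to:", resolve_request_path(probe))
    print("containment check accepts:", is_under_docroot(probe))
```

The same resolve-then-compare logic can be run over access-log request paths to flag historical traversal attempts against a pre-2.0.17 deployment.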


IMPACT

------

An attacker could exploit this vulnerability to gain unauthorized read access to sensitive files located outside the web root directory.


MITIGATION

----------

It is recommended to update to uWSGI 2.0.17 - https://uwsgi-docs.readthedocs.io/en/latest/Changelog-2.0.17.html


REFERENCES

----------

https://blog.runesec.com/2018/03/01/uwsgi-path-traversal/

https://uwsgi-docs.readthedocs.io/en/latest/Changelog-2.0.17.html

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7490

https://nvd.nist.gov/vuln/detail/CVE-2018-7490

https://www.owasp.org/index.php/Testing_Directory_traversal/file_include_(OTG-AUTHZ-001)


TIMELINE

--------

26 June 2017 - uWSGI Project informed about the issue

26 February 2018 - uWSGI Project released a patch

1 March 2018 - Exploit publicly disclosed

Note: if phpinfo() reports "Server API: uWSGI", this vulnerability may be present.

Source: https://www.exploit-db.com/exploits/44223
