Vulnerability in cdnjs that allowed code to be executed on Cloudflare servers

A critical vulnerability has been identified in Cloudflare's cdnjs content delivery network, a service built to speed up the delivery of JavaScript libraries, which allowed arbitrary code execution on the CDN's servers. The problem is aggravated by the fact that about 12.7% of all sites on the Internet load JavaScript libraries through the service, so a compromise of its infrastructure would make it possible to substitute the libraries served to any of those sites.

The cdnjs service fetches packages from Git or from the NPM repository and then lets any site use the Cloudflare content delivery network free of charge to speed up loading of JavaScript libraries. A study of the cdnjs component code published on GitHub revealed that NPM packages (tgz archives) are unpacked with the Go standard library's archive/tar module, which returns the list of entry names as-is, without path normalization. When the script writes out the contents based on that list, an archive entry such as "../../../../../../../tmp/test" can overwrite arbitrary files on the system, as far as the unpacking process's access rights allow.

It was suggested that an attacker could request that their own library be added to cdnjs and then publish to the NPM repository a specially crafted archive containing files with "../" sequences in their paths. cdnjs servers periodically run an "autoupdate" operation in which a handler downloads new versions of the listed libraries and unpacks their contents. Using entries with "../" paths, an attacker could overwrite the service's own scripts and so execute code on the server where the unpacking took place.

For updates fetched from Git, it was discovered that the update handler did not account for symbolic links when copying files out of the Git checkout. This made it possible to read arbitrary files from the server by adding symbolic links to the Git repository.
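The two defects described above (unnormalized tar entry names, and symlinks copied out of a checkout without being noticed) are both checks that the consumer of the archive or repository has to make itself. The following Go program is an added example, not cdnjs's own code: `SafeJoin` performs the path normalization that `archive/tar` leaves to the caller, `ExtractTar` refuses traversal entries and any entry that is not a directory or regular file, and `FindSymlinks` walks a checkout with lstat semantics so a publisher can reject a package that contains links. `BuildTar` constructs the sample archive in memory; the entry names and the `unpacked` destination are constructed for the example.

```go
package main

import (
	"archive/tar"
	"bytes"
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

var ErrUnsafePath = errors.New("entry path escapes destination directory")

// SafeJoin is the normalisation step archive/tar leaves to the caller: it joins
// dest and name, collapses ".." segments and rejects anything that escapes dest.
func SafeJoin(dest, name string) (string, error) {
	target := filepath.Join(dest, name) // Join cleans the joined path
	rel, err := filepath.Rel(dest, target)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrUnsafePath
	}
	return target, nil
}

// ExtractTar unpacks r under dest, checking every header name with SafeJoin and
// accepting only directories and regular files, so a "../../../tmp/test" entry
// aborts the unpack instead of overwriting a file outside dest.
func ExtractTar(r io.Reader, dest string) error {
	tr := tar.NewReader(r)
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return nil
		}
		if err != nil {
			return err
		}
		target, err := SafeJoin(dest, hdr.Name)
		if err != nil {
			return fmt.Errorf("%s: %w", hdr.Name, err)
		}
		switch hdr.Typeflag {
		case tar.TypeDir:
			err = os.MkdirAll(target, 0o755)
		case tar.TypeReg:
			err = writeEntry(target, tr)
		default: // symlinks, hard links, devices: nothing a JS package needs
			err = fmt.Errorf("%s: entry type %q not allowed", hdr.Name, hdr.Typeflag)
		}
		if err != nil {
			return err
		}
	}
}

func writeEntry(target string, r io.Reader) error {
	if err := os.MkdirAll(filepath.Dir(target), 0o755); err != nil {
		return err
	}
	f, err := os.OpenFile(target, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, 0o644)
	if err != nil {
		return err
	}
	defer f.Close()
	_, err = io.Copy(f, r)
	return err
}

// FindSymlinks walks a checkout without following links (WalkDir uses lstat
// semantics) and reports every symlink, so the publisher can refuse the package.
func FindSymlinks(root string) (links []string, err error) {
	err = filepath.WalkDir(root, func(p string, d os.DirEntry, walkErr error) error {
		if walkErr == nil && d.Type()&os.ModeSymlink != 0 {
			links = append(links, p)
		}
		return walkErr
	})
	return links, err
}

// BuildTar assembles an in-memory tar from (name, body) pairs: constructed test data.
func BuildTar(entries [][2]string) []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	for _, e := range entries {
		tw.WriteHeader(&tar.Header{Name: e[0], Mode: 0o644, Size: int64(len(e[1])), Typeflag: tar.TypeReg})
		tw.Write([]byte(e[1]))
	}
	tw.Close()
	return buf.Bytes()
}

func main() {
	hostile := BuildTar([][2]string{{"../../../../../../../tmp/test", "overwritten"}})
	fmt.Println("rejected:", ExtractTar(bytes.NewReader(hostile), "unpacked"))
}
```

Note that `SafeJoin` treats an absolute entry name as relative to `dest` (the leading slash is simply dropped by `filepath.Join`), which matches what most tar tools do; what it never allows is a cleaned path that resolves above `dest`. The symlink check belongs before the copy step, because copying a link with the file contents of its target is exactly how the `/proc/self/maps` read described below became possible.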

The researcher decided to begin the demonstration of the cdnjs compromise, submitted for a bounty on HackerOne, by testing the file-reading hypothesis. A symbolic link named test.js pointing to /proc/self/maps was added to the Git repository of a JavaScript library served via the CDN. After a new version of the library was published, the update handler processed the repository and published that file on cdnjs: test.js was created as a symbolic link, and requesting it returned the contents of /proc/self/maps.

By pointing the symbolic link at /proc/self/environ instead, the author of the study found that the returned data contained the values of the environment variables GITHUB_REPO_API_KEY and WORKERS_KV_API_TOKEN. The first held an API key with write access to the robocdnjs repository on GitHub; the second held the token for the cdnjs KV storage. With this information, an attacker could have made changes to cdnjs and completely compromised its infrastructure.

Source: opennet.ru
