Vulnerability in cdnjs allowing code execution on Cloudflare servers

A critical vulnerability has been identified in Cloudflare's cdnjs content delivery network, which is designed to speed up the delivery of JavaScript libraries, allowing the CDN servers to be compromised. The danger is heightened by the fact that roughly 12.7% of all sites on the Internet use the service to load JavaScript libraries, and compromising the infrastructure makes it possible to substitute the libraries served to any of those sites.

The cdnjs service downloads packages from Git or NPM repositories and then lets any site use Cloudflare's content delivery network free of charge to speed up loading of JavaScript libraries. While studying the code of the cdnjs components published on GitHub, it was found that NPM packages shipped as tgz archives are unpacked with the standard archive/tar module of the Go language, which returns the file names stored in the archive as-is, without any sanitization. When the script unpacks the contents under the names provided, an archive containing a file such as "../../../../../../../tmp/test" can overwrite arbitrary files on the system, as far as access permissions allow.

It was noted that an attacker could request that their library be added to cdnjs and publish a specially crafted archive, containing files with "../" sequences in their paths, to the NPM repository. On the cdnjs servers an "autoupdate" operation runs periodically, during which the handler downloads new versions of the requested library and unpacks the contents. Using files with "../" paths, the attacker could overwrite the service's scripts with their own and have their code executed on the server that performs the unpacking.

In the case of updates fetched from Git, it was found that the update handler did not take symbolic links into account when copying files from the Git checkout. This made it possible to read arbitrary files on the server by adding symbolic links to the Git repository.
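The two unpacking defects described above (archive member names taken as-is from archive/tar, and symbolic links copied without being examined) are both addressed by the extractor below. This is an added example, not code from the cdnjs project: the destination directory, the `memberSpec` helper, the `extractTar` and `safeEntryPath` functions and the three constructed archives are assumptions made for the demonstration. The traversal and symlink archives mirror the shapes the article describes; the extractor refuses them before anything reaches the filesystem.

```go
package main

import (
	"archive/tar"
	"bytes"
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

// ErrUnsafeEntry marks an archive member that must not be written.
var ErrUnsafeEntry = errors.New("unsafe archive entry")

// safeEntryPath maps a member name onto a path strictly below dest.
// archive/tar hands back names exactly as stored, so absolute names and
// "../" sequences have to be rejected here, before anything touches disk.
func safeEntryPath(dest, name string) (string, error) {
	if name == "" || filepath.IsAbs(name) {
		return "", fmt.Errorf("%w: absolute or empty name %q", ErrUnsafeEntry, name)
	}
	dest = filepath.Clean(dest)
	target := filepath.Join(dest, name) // Join cleans the result
	rel, err := filepath.Rel(dest, target)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("%w: %q escapes %q", ErrUnsafeEntry, name, dest)
	}
	return target, nil
}

// extractTar writes regular files and directories from r below dest.
// Symlinks and hard links are refused outright: a member such as
// test.js -> /proc/self/environ would otherwise be served back verbatim.
// The first unsafe member aborts the package; the caller should discard dest.
func extractTar(r io.Reader, dest string) ([]string, error) {
	var written []string
	tr := tar.NewReader(r)
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return written, nil
		}
		if err != nil {
			return written, err
		}
		target, err := safeEntryPath(dest, hdr.Name)
		if err != nil {
			return written, err
		}
		switch hdr.Typeflag {
		case tar.TypeDir:
			if err := os.MkdirAll(target, 0o755); err != nil {
				return written, err
			}
		case tar.TypeReg:
			if err := os.MkdirAll(filepath.Dir(target), 0o755); err != nil {
				return written, err
			}
			// Cap the mode so an archive cannot create setuid or world-writable files.
			mode := hdr.FileInfo().Mode().Perm() & 0o755
			f, err := os.OpenFile(target, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, mode)
			if err != nil {
				return written, err
			}
			_, err = io.Copy(f, tr)
			f.Close()
			if err != nil {
				return written, err
			}
			written = append(written, target)
		case tar.TypeSymlink, tar.TypeLink:
			return written, fmt.Errorf("%w: %q is a link to %q", ErrUnsafeEntry, hdr.Name, hdr.Linkname)
		default:
			return written, fmt.Errorf("%w: %q has unsupported type %d", ErrUnsafeEntry, hdr.Name, hdr.Typeflag)
		}
	}
}

// memberSpec describes one constructed archive member (hypothetical helper).
type memberSpec struct {
	name, link, body string
	typeflag         byte
}

// buildTar assembles an in-memory tar from constructed members.
func buildTar(members []memberSpec) []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	for _, m := range members {
		hdr := &tar.Header{Name: m.name, Typeflag: m.typeflag, Mode: 0o644, Linkname: m.link, Size: int64(len(m.body))}
		if err := tw.WriteHeader(hdr); err != nil {
			panic(err)
		}
		if m.typeflag == tar.TypeReg {
			if _, err := tw.Write([]byte(m.body)); err != nil {
				panic(err)
			}
		}
	}
	if err := tw.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

// Constructed sample archives: a benign npm-style package, one with the
// traversal name quoted in the article, and one with a symlink into /proc.
var (
	benignTar = buildTar([]memberSpec{
		{name: "package/", typeflag: tar.TypeDir},
		{name: "package/index.js", typeflag: tar.TypeReg, body: "module.exports = 1;\n"},
	})
	traversalTar = buildTar([]memberSpec{
		{name: "package/index.js", typeflag: tar.TypeReg, body: "ok\n"},
		{name: "../../../../../../../tmp/test", typeflag: tar.TypeReg, body: "overwritten\n"},
	})
	symlinkTar = buildTar([]memberSpec{
		{name: "package/test.js", typeflag: tar.TypeSymlink, link: "/proc/self/environ"},
	})
)

func main() {
	dest, err := os.MkdirTemp("", "cdnjs-extract-")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dest)
	for label, archive := range map[string][]byte{"benign": benignTar, "traversal": traversalTar, "symlink": symlinkTar} {
		written, err := extractTar(bytes.NewReader(archive), filepath.Join(dest, label))
		fmt.Printf("%-9s written=%d err=%v\n", label, len(written), err)
	}
}
```

The path check is purely lexical, which is sufficient only because links are refused: once a symlinked directory is allowed inside the tree, a later member's lexical path can differ from where the kernel actually resolves it, so an extractor that wants to support links has to resolve every target through the destination root rather than compare strings.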

It was decided to begin the experiment with a demonstration of compromising cdnjs, in order to claim a bounty on HackerOne, by testing the hypothesis about reading files. A symbolic link named test.js, pointing to the /proc/self/maps file, was added to the Git repository of a JavaScript library served through the CDN. After a new version of the library was published, the update handler processed the repository and published the specified file on cdnjs (test.js was created as a symbolic link, and when this file was requested, the contents of /proc/self/maps were returned).

By repointing the symbolic link at the file /proc/self/environ, the author of the research found that the returned data contained the values of the environment variables GITHUB_REPO_API_KEY and WORKERS_KV_API_TOKEN. The first variable held the API key for write access to the robocdnjs repository on GitHub. The second held the token for the KV store used by cdnjs. Using the obtained data, an attacker could make changes to cdnjs and compromise the entire infrastructure.

Source: opennet.ru
