
SaToken and Spring's differential handling of URIs raises authorization bypass vulnerabilities #511

Closed
@m4ra7h0n

Description

@m4ra7h0n

Name of affected product: SaToken

Affected version: version <= 1.3.50RC

Fixed version: version = 1.36.0

Description: SaToken and Spring's differential handling of URIs raises authorization bypass vulnerabilities

Steps to reproduce:

First, register the user; its permission is: user

import cn.dev33.satoken.stp.StpInterface;
import org.springframework.stereotype.Component;
import java.util.ArrayList;
import java.util.List;

@Component
public class StpInterfaceImpl implements StpInterface {
    // Every logged-in account gets only the "user" permission
    @Override
    public List<String> getPermissionList(Object loginId, String loginType) {
        List<String> list = new ArrayList<String>();
        list.add("user");
        return list;
    }
    // Added so the class compiles: StpInterface also requires getRoleList; no roles are used here
    @Override
    public List<String> getRoleList(Object loginId, String loginType) {
        return new ArrayList<String>();
    }
}

Register an interceptor whose intercepted address is /admin/password and which requires the permission: admin

import cn.dev33.satoken.interceptor.SaInterceptor;
import cn.dev33.satoken.router.SaRouter;
import cn.dev33.satoken.stp.StpUtil;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

@Configuration
public class SaTokenConfigure implements WebMvcConfigurer {
    @Override
    public void addInterceptors(InterceptorRegistry registry) {
        registry.addInterceptor(new SaInterceptor(handler -> {
            // Every route except the login endpoint requires a logged-in session
            SaRouter
                .match("/**")
                .notMatch("/user/doLogin")
                .check(r -> StpUtil.checkLogin());

            // Only this exact pattern additionally requires the "admin" permission
            SaRouter.match("/admin/password", r -> StpUtil.checkPermission("admin"));
        })).addPathPatterns("/**");
    }
}

Then write a login interface and an admin interface; the admin interface address is /admin/password

import cn.dev33.satoken.stp.StpUtil;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class UserController {
    // Test login, browser access: http://localhost:8081/user/doLogin?username=zhang&password=123456
    @RequestMapping("/user/doLogin")
    public String doLogin(String username, String password) {
        if("zhang".equals(username) && "123456".equals(password)) {
            StpUtil.login(10001);
            return "success";
        }
        return "fail";
    }

    // Protected resource; the interceptor above is expected to require the "admin" permission
    @RequestMapping("/admin/password")
    public String getPassword() {
        return "flag{m4ra7h0n}";
    }
}

Log in first. [screenshot]

Then access: /admin/password/ [screenshot]

Root cause

The root cause is an authorization bypass that exploits the difference between how SaToken and Spring process the URI.
The path whose permission is restricted in the configuration is '/admin/password', but we access '/admin/password/'. AntPathMatcher evaluates the pattern '/admin/password' against '/admin/password/' as false, so the permission check is bypassed.
At the same time, Spring handles the trailing '/' when matching paths, so accessing either '/admin/password' or '/admin/password/' returns the related resource.
Refer to CVE-2020-1957 for this vulnerability.
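Added example (not part of the issue report and not Sa-Token's own code): a small Java program that reproduces the matcher discrepancy described above with Spring's `AntPathMatcher`, and shows the two defensive changes a practitioner would combine with upgrading to the fixed version. It assumes a Spring Boot web application with spring-webmvc on the classpath; the class names `TrailingSlashGuardDemo` and `StrictPathMatchConfig` and the methods `naiveNeedsAdmin`, `canonicalize` and `hardenedNeedsAdmin` are hypothetical.

```java
// Added example, not Sa-Token code. Assumes a Spring Boot web application with spring-webmvc
// on the classpath; all class and method names here are hypothetical.
import org.springframework.context.annotation.Configuration;
import org.springframework.util.AntPathMatcher;
import org.springframework.web.servlet.config.annotation.PathMatchConfigurer;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

public class TrailingSlashGuardDemo {

    // Spring's AntPathMatcher: for pattern "/admin/password" it returns false on "/admin/password/"
    private static final AntPathMatcher ANT = new AntPathMatcher();

    // The pattern guarded in the issue's SaTokenConfigure
    static final String PROTECTED_PATTERN = "/admin/password";

    // Vulnerable guard: the raw request URI is matched as-is, so a trailing "/" falls outside the pattern
    static boolean naiveNeedsAdmin(String requestUri) {
        return ANT.match(PROTECTED_PATTERN, requestUri);
    }

    // Fix 1 (guard side): canonicalise the request path before matching, so the authorization
    // check sees the same path Spring MVC routes when trailing-slash matching is enabled
    static String canonicalize(String requestUri) {
        if (requestUri.length() > 1 && requestUri.endsWith("/")) {
            return requestUri.substring(0, requestUri.length() - 1);
        }
        return requestUri;
    }

    static boolean hardenedNeedsAdmin(String requestUri) {
        return ANT.match(PROTECTED_PATTERN, canonicalize(requestUri));
    }

    public static void main(String[] args) {
        for (String uri : new String[] {"/admin/password", "/admin/password/"}) {
            System.out.printf("%-18s naive=%-5s hardened=%s%n",
                    uri, naiveNeedsAdmin(uri), hardenedNeedsAdmin(uri));
        }
    }
}

// Fix 2 (routing side): make Spring MVC stop treating "/admin/password/" as "/admin/password",
// so the router and the authorization guard agree on which paths exist.
// PathMatchConfigurer.setUseTrailingSlashMatch exists in Spring 5.x (deprecated in 6.0, where
// the default is already false). Hypothetical class; it must live in a component-scanned package.
@Configuration
class StrictPathMatchConfig implements WebMvcConfigurer {
    @Override
    public void configurePathMatch(PathMatchConfigurer configurer) {
        configurer.setUseTrailingSlashMatch(false);
    }
}
```

Running `main` shows that the naive guard matches only the exact path while the hardened guard matches both spellings. Fix 1 alone closes the gap for this one pattern; Fix 2 removes the disagreement at its source, so the guard and the router evaluate the same path. Upgrading to the fixed Sa-Token version listed at the top of the report remains the first step.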
