Description
Name of affected product: SaToken
Affected version: version <= 1.3.50RC
Fixed version: version = 1.36.0
Description: SaToken and Spring handle request URIs differently, and the mismatch allows an authorization bypass.
Steps to reproduce:
First register a user whose only permission is "user":
    import java.util.ArrayList;
    import java.util.List;
    import org.springframework.stereotype.Component;
    import cn.dev33.satoken.stp.StpInterface;

    // Permission source for SaToken: every logged-in account gets only "user".
    @Component
    public class StpInterfaceImpl implements StpInterface {
        @Override
        public List<String> getPermissionList(Object loginId, String loginType) {
            List<String> list = new ArrayList<String>();
            list.add("user");
            return list;
        }
    }
Register an interceptor that guards the address /admin/password and requires the "admin" permission:
    import org.springframework.context.annotation.Configuration;
    import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
    import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
    import cn.dev33.satoken.interceptor.SaInterceptor;
    import cn.dev33.satoken.router.SaRouter;
    import cn.dev33.satoken.stp.StpUtil;

    @Configuration
    public class SaTokenConfigure implements WebMvcConfigurer {
        @Override
        public void addInterceptors(InterceptorRegistry registry) {
            registry.addInterceptor(new SaInterceptor(handler -> {
                // Everything except the login endpoint requires a logged-in session.
                SaRouter
                    .match("/**")
                    .notMatch("/user/doLogin")
                    .check(r -> StpUtil.checkLogin());
                // The exact path /admin/password additionally requires the "admin" permission.
                SaRouter.match("/admin/password", r -> StpUtil.checkPermission("admin"));
            })).addPathPatterns("/**");
        }
    }
Then write a login endpoint and an admin endpoint; the admin endpoint's address is /admin/password:
    import org.springframework.web.bind.annotation.RequestMapping;
    import org.springframework.web.bind.annotation.RestController;
    import cn.dev33.satoken.stp.StpUtil;

    @RestController
    public class UserController {
        // Test login, browser access: http://localhost:8081/user/doLogin?username=zhang&password=123456
        @RequestMapping("/user/doLogin")
        public String doLogin(String username, String password) {
            if("zhang".equals(username) && "123456".equals(password)) {
                StpUtil.login(10001);
                return "success";
            }
            return "fail";
        }

        // Protected resource; the interceptor above is supposed to require "admin" here.
        @RequestMapping("/admin/password")
        public String getPassword() {
            return "flag{m4ra7h0n}";
        }
    }
Root cause
The root cause is that SaToken and Spring process the request URI differently, and that difference lets a caller step outside their granted permissions.
The permission rule is configured for the path '/admin/password', but the request is sent to '/admin/password/'. AntPathMatcher does not treat '/admin/password' and '/admin/password/' as a match (it returns false), so the permission check is skipped.
Spring, on the other hand, tolerates the trailing '/' when it maps the request to a handler, so both '/admin/password' and '/admin/password/' reach the controller and return the protected resource.
For a comparable trailing-slash bypass, see CVE-2020-1957.
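The following Java class is an added example written for this page; it is not code from the report above and not the Sa-Token project's own fix in 1.36.0. It first reproduces the matcher side of the mismatch with Spring's AntPathMatcher (the matcher the report names), then shows two defender-side changes: a hypothetical normalizePath helper that collapses repeated slashes and strips the trailing slash before any authorization decision, and a hypothetical HardenedSaTokenConfigure that widens the SaRouter pattern to /admin/password/** and turns off Spring MVC's trailing-slash tolerance so the two sides agree on what a path is. It assumes SaRouter.match uses Ant-style patterns (as the report states) and that spring-webmvc and the Sa-Token Spring Boot starter are on the classpath for the nested configuration class; main() itself needs only spring-core.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.util.AntPathMatcher;
import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
import org.springframework.web.servlet.config.annotation.PathMatchConfigurer;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
import cn.dev33.satoken.interceptor.SaInterceptor;
import cn.dev33.satoken.router.SaRouter;
import cn.dev33.satoken.stp.StpUtil;

// Added example: shows the trailing-slash mismatch and how to close it.
public class TrailingSlashDemo {

    // The matcher used by the interceptor config: exact patterns are slash-sensitive.
    public static boolean antMatches(String pattern, String path) {
        return new AntPathMatcher().match(pattern, path);
    }

    // Hypothetical helper: canonicalise a request path before it is compared with
    // any permission rule. Collapses "//" runs and removes trailing slashes
    // (the root path "/" is kept as-is).
    public static String normalizePath(String path) {
        if (path == null || path.isEmpty()) {
            return "/";
        }
        String p = path.replaceAll("/{2,}", "/");
        while (p.length() > 1 && p.endsWith("/")) {
            p = p.substring(0, p.length() - 1);
        }
        return p;
    }

    public static void main(String[] args) {
        // false: the exact rule "/admin/password" does not cover "/admin/password/",
        // which is the gap the report describes.
        System.out.println(antMatches("/admin/password", "/admin/password/"));
        // true: after normalisation the variant collapses onto the protected path.
        System.out.println(antMatches("/admin/password", normalizePath("/admin/password/")));
        // true: a "/**" suffix covers "/admin/password", "/admin/password/" and sub-paths.
        System.out.println(antMatches("/admin/password/**", "/admin/password/"));
        // "/admin/password": repeated and trailing slashes are both removed.
        System.out.println(normalizePath("//admin//password///"));
    }

    // Hypothetical hardened version of the report's SaTokenConfigure.
    @Configuration
    public static class HardenedSaTokenConfigure implements WebMvcConfigurer {
        @Override
        public void addInterceptors(InterceptorRegistry registry) {
            registry.addInterceptor(new SaInterceptor(handler -> {
                SaRouter
                    .match("/**")
                    .notMatch("/user/doLogin")
                    .check(r -> StpUtil.checkLogin());
                // Widened pattern: the trailing-slash form and sub-paths are now covered.
                SaRouter.match("/admin/password/**", r -> StpUtil.checkPermission("admin"));
            })).addPathPatterns("/**");
        }

        @Override
        public void configurePathMatch(PathMatchConfigurer configurer) {
            // Close the gap on the Spring side as well: "/admin/password/" no longer
            // resolves to the handler mapped at "/admin/password". Spring 5.x defaults
            // this to true; Spring 6 defaults it to false and deprecates the setter.
            configurer.setUseTrailingSlashMatch(false);
        }
    }
}
```

The wider lesson is that a deny-list keyed on raw URL strings is only as strong as the agreement between the authorization layer and the routing layer about what a path is. Normalising before matching, or disabling Spring's trailing-slash tolerance, removes the disagreement; binding the check to the handler itself (Sa-Token also offers a @SaCheckPermission annotation for controller methods, applied by SaInterceptor) makes the decision independent of how the URL was spelled.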