[Vulnerability description]
A Remote Code Execution (RCE) vulnerability exists in ujcms v6.0.2. When the project is deployed under Tomcat on Linux, an attacker can combine a path traversal flaw in the rename operation with unrestricted file upload to execute arbitrary code.
[Vulnerability Type]
Remote Code Execution (RCE)
[Vendor of Product]
https://gitee.com/ujcms/ujcms
https://github.com/ujcms/ujcms
https://www.ujcms.com/
[Affected Product Code Base]
v6.0.2
[Vulnerability proof]
The code blocks access to and execution of .jsp and .jspx files, but it allows uploads of any other file type, and the rename operation accepts arbitrary paths. An attacker can therefore upload a crafted web.xml that maps an additional suffix, such as .abc, to the JSP servlet, after which any file with that suffix is compiled and run as a JSP.
Condition: the application must be deployed under Tomcat on Linux. The rename uses File.renameTo, which refuses to overwrite an existing file on Windows, so the configuration file cannot be replaced there.
Upload web.xml
Take Tomcat's default web.xml as a starting point and add the servlet mapping for the new suffix described above.
First upload web.xml into the uploads directory normally, selecting the target directory by its path id; the upload step itself does not allow path traversal.
Then rename it. In the intercepted rename request the file name field accepts path traversal, so the uploaded file can be moved over the original web.xml.
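The mapping the report refers to, as an added illustration rather than content from the report itself: a servlet-mapping appended to a copy of Tomcat's default conf/web.xml. That file already declares the servlet named jsp (org.apache.jasper.servlet.JspServlet) and maps *.jsp and *.jspx to it; the extra mapping makes Tomcat treat *.abc resources the same way. The suffix abc is the one used in the report; any suffix not blocked by the upload filter would do.

```xml
<!-- Added example: appended next to the existing *.jsp / *.jspx mappings in a copy of
     Tomcat's default web.xml. Every request for a *.abc resource is now handed to the
     JSP servlet, which compiles and executes the file regardless of its extension. -->
<servlet-mapping>
    <servlet-name>jsp</servlet-name>
    <url-pattern>*.abc</url-pattern>
</servlet-mapping>
```

Once this file replaces the application's web.xml and the context reloads, the upload filter's block on .jsp and .jspx no longer matters: the attacker only needs to get a file ending in .abc into a web-accessible location.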
Upload the Trojan horse
Upload a JSP webshell that runs the ping command. The uploaded file must not carry the custom suffix registered above, otherwise the upload is rejected; upload it with any other suffix and rename it afterwards.
Here the upload suffix is abc1.
Rename it to ../../123.abc; the path traverses up to the web root.
Requesting 123.abc then triggers the RCE.
[Code Details]
Upload
Tracing the upload interface shows that the parameters are passed to doUpload, which is where the suffix is checked:
com.ujcms.cms.core.web.backendapi.AbstractUploadController#doUpload
Any suffix other than the blocked ones can be uploaded without trouble.
Rename
com.ujcms.cms.core.web.backendapi.AbstractWebFileController#rename, like upload, calls checkName to validate the file name. Looking at that code:
com.ujcms.cms.core.web.backendapi.AbstractWebFileController#checkName(java.lang.String) throws an exception only when both of the following hold:
(1) the file name is empty
(2) the file name contains illegal characters
The first condition is always false, and the two conditions cannot hold at the same time anyway (an empty name cannot contain an illegal character), so the check is always bypassed and any file can be renamed to any path.
The condition should use || instead of &&; this logic error is what defeats the security check, and it is the root cause of the exploit.
After this check passes, com.ujcms.util.file.LocalFileHandler#rename uses File.renameTo to move the file.
On Windows renameTo fails if the destination already exists, while on Linux it silently replaces the existing file, so the overwrite of web.xml, and hence this vulnerability, only works on Linux.
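The two defects described above, shown side by side in an added example. This is not ujcms code: the vulnerable check is reconstructed from the description in this report (both conditions joined with &&), the set of "illegal characters" is assumed, and the class and method names are illustrative. The hardened version corrects the operator, rejects ".." outright, resolves both paths under the upload root before moving, and uses Files.move, which refuses to clobber an existing target, in place of File.renameTo. The last helper exercises the platform difference the report relies on: renaming onto an existing file succeeds on Linux and fails on Windows.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.regex.Pattern;

public class RenameCheckDemo {
    // Illustrative set of characters to reject in a file name (assumption; the project's own
    // list of "illegal characters" is not given in the report).
    private static final Pattern ILLEGAL = Pattern.compile("[\\\\/:*?\"<>|\\x00]");

    // Reconstruction of the check as the report describes it: the exception is thrown only
    // when BOTH conditions hold, so an empty name cannot trip it and neither can "../../x".
    static void checkNameVulnerable(String name) {
        if (name.isEmpty() && ILLEGAL.matcher(name).find()) {
            throw new IllegalArgumentException("illegal file name: " + name);
        }
    }

    // Fixed check: EITHER condition rejects the name, and ".." segments are refused outright.
    static void checkNameFixed(String name) {
        if (name == null || name.isEmpty() || ILLEGAL.matcher(name).find() || name.contains("..")) {
            throw new IllegalArgumentException("illegal file name: " + name);
        }
    }

    // Hardened rename: validates both names, then resolves both paths and refuses any result
    // that leaves the upload root. Files.move without REPLACE_EXISTING also refuses to clobber
    // an existing target, which File.renameTo would do silently on Linux.
    static Path renameWithin(Path uploadRoot, String oldName, String newName) throws IOException {
        checkNameFixed(oldName);
        checkNameFixed(newName);
        Path root = uploadRoot.toRealPath();
        Path src = root.resolve(oldName).normalize();
        Path dst = root.resolve(newName).normalize();
        if (!src.startsWith(root) || !dst.startsWith(root)) {
            throw new SecurityException("path escapes upload root: " + newName);
        }
        return Files.move(src, dst);
    }

    // Shows the platform difference the report depends on: File.renameTo onto an existing
    // file returns true (target overwritten) on Linux and false on Windows.
    static boolean renameToOverwritesExisting(Path dir) throws IOException {
        File a = Files.createFile(dir.resolve("a.txt")).toFile();
        File b = Files.createFile(dir.resolve("b.txt")).toFile();
        return a.renameTo(b);
    }

    public static void main(String[] args) throws IOException {
        String traversal = "../../123.abc";   // the name used in the report

        try {
            checkNameVulnerable(traversal);
            System.out.println("vulnerable check accepted " + traversal);
        } catch (RuntimeException e) {
            System.out.println("vulnerable check rejected: " + e.getMessage());
        }
        try {
            checkNameFixed(traversal);
            System.out.println("fixed check accepted " + traversal);
        } catch (RuntimeException e) {
            System.out.println("fixed check rejected: " + e.getMessage());
        }

        // Constructed scratch directory standing in for the uploads folder.
        Path uploads = Files.createTempDirectory("ujcms-uploads");
        Files.createFile(uploads.resolve("shell.abc1"));
        try {
            renameWithin(uploads, "shell.abc1", traversal);
        } catch (RuntimeException e) {
            System.out.println("hardened rename refused: " + e.getMessage());
        }
        System.out.println("File.renameTo overwrote an existing file: "
                + renameToOverwritesExisting(uploads));
    }
}
```

The containment check in renameWithin is deliberately redundant with checkNameFixed: even if a future change relaxes the character filter, a name that resolves outside the upload root is still refused, and a collision with an existing file (the web.xml overwrite in this report) fails instead of succeeding silently.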