Example Analysis of Apache Shiro privilege Bypass vulnerability CVE-2020-13933

2025-01-18 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)05/31 Report--

This article presents an example analysis of the Apache Shiro permission bypass vulnerability CVE-2020-13933. The content is quite detailed; interested readers can refer to it, and I hope it is helpful to you.

1. Vulnerability Analysis

1.1 Introduction to the Apache Shiro components

Apache Shiro is a powerful and easy-to-use Java security framework that performs authentication, authorization, cryptography and session management. With Shiro's easy-to-understand API, you can quickly and easily secure any application, from the smallest mobile application to the largest web and enterprise applications. It has built-in Realms that can connect to a large number of security data sources (also known as directories), such as LDAP, relational databases (JDBC), INI-style text configuration resources and property files.

1.2 Vulnerability description

The patch for Apache Shiro's CVE-2020-11989 is still flawed: because Shiro and Spring still differ in how they process URLs, a specially constructed HTTP request can once again bypass authorization and access unauthorized information.

1.3 Vulnerability analysis

Apache Shiro 1.5.3 is used for the analysis. Starting with a patch comparison of version 1.6.0 against version 1.5.3, you can see that the newer version adds an InvalidRequestFilter class that globally filters semicolons, backslashes and non-ASCII characters.

According to the vulnerability description, the root cause is the difference in URL handling between Shiro and Spring, so we go straight to that difference. Following the breakpoint into Shiro, its processing of the URL is as follows:

It first obtains the decoded URL, then extracts the path, and finally returns the part of the path before the semicolon. The removeSemicolon function is as follows:

Afterwards, the trailing / of the processed URL is removed and the result is matched against the filter chain. If the authorization rule uses a weak match with a single *, passing in a constructed payload makes the match fail.

Now look at Spring's handling of the URL: it uses the getRequestURI method to obtain the original URL first, and then strips the semicolon directly.

At this point the difference between Shiro and Spring can be compared, and a payload constructed to bypass authorization.

1.4 Reproducing the vulnerability

Build an Apache Shiro 1.5.3 vulnerable environment, send the constructed payload, and authorization is bypassed to reach the unauthorized resource. The effect is shown below:

2. Scope of impact

Currently affected Apache Shiro versions: Apache Shiro < 1.6.0

3. Solution

3.1 Repair recommendation

The latest version of Apache Shiro has fixed this vulnerability. Users affected by it should download the latest version. Download link: http://shiro.apache.org/download.html

3.2 Interim solution

When configuring Shiro authorization, try to avoid Ant matching with a single *. You can change the matching method shown in the following figure to map.put("hello/**", "authc").
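As an added example (not from the article or the Shiro project), the following Python script models the Ant-style matching that Shiro's filter chain uses and audits a constructed filterChainDefinitions list for the single-* patterns that section 3.2 advises replacing with /**. It assumes paths have already been normalized by Shiro as section 1.3 describes (decoded, semicolon part and trailing / removed), and the "hello" chain is a sample modelled on the article's example.

```python
# Added example, not Shiro's own code: a simplified Ant-style matcher and an
# audit of a Shiro filter chain for the weak single-'*' patterns that 3.2
# recommends replacing with '/**'. Paths are assumed already normalized by
# Shiro (decoded, semicolon part and trailing '/' removed) as 1.3 describes.
import re

def _match(pat: list, seg: list) -> bool:
    """Segment-wise matcher: '**' spans zero or more segments, '*' matches
    any characters within a single segment (the real AntPathMatcher's
    trailing-slash special case is not modelled, as the slash is stripped)."""
    if not pat:
        return not seg
    if pat[0] == "**":
        return any(_match(pat[1:], seg[i:]) for i in range(len(seg) + 1))
    if not seg:
        return False
    regex = "^" + ".*".join(re.escape(p) for p in pat[0].split("*")) + "$"
    return re.match(regex, seg[0]) is not None and _match(pat[1:], seg[1:])

def ant_match(pattern: str, path: str) -> bool:
    """True if the normalized request path matches the Ant pattern."""
    pat = [p for p in pattern.split("/") if p]
    seg = [s for s in path.split("/") if s]
    return _match(pat, seg)

def resolve_filter(chain: list, path: str) -> str:
    """Shiro evaluates filterChainDefinitions in order, first match wins.
    Returns that entry's filter name, or 'anon' when no entry matches
    (an unmatched path passes through with no security filter at all)."""
    for pattern, filt in chain:
        if ant_match(pattern, path):
            return filt
    return "anon"

def audit_chain(chain: list) -> list:
    """Flag protected entries that end in a single '*': they cover exactly
    one extra segment, so '/hello' itself and '/hello/a/b' fall through to
    later entries. Returns (pattern, suggested replacement) pairs."""
    return [(pattern, pattern[:-1] + "**")
            for pattern, filt in chain
            if filt != "anon" and pattern.endswith("/*")
            and not pattern.endswith("/**")]

# Constructed sample chain modelled on the article's 'hello' example.
CHAIN = [("/hello/*", "authc"), ("/**", "anon")]

if __name__ == "__main__":
    for path in ("/hello/world", "/hello", "/hello/a/b"):
        print(path, "->", resolve_filter(CHAIN, path))   # authc, anon, anon
    print(audit_chain(CHAIN))   # [('/hello/*', '/hello/**')]
```

Running the audit against the real chain definitions (shiro.ini [urls] or the Java map) lists each single-* entry next to the /** form that also covers the bare path and nested paths.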

This concludes the example analysis of the Apache Shiro permission bypass vulnerability CVE-2020-13933. I hope the above content is helpful to everyone and that you learn more from it. If you think the article is good, share it so more people can see it.
