Shulou(Shulou.com)05/31 Report--

Apache Shiro authentication bypass vulnerability CVE-2020-17523 how to analyze, in view of this problem, this article introduces the corresponding analysis and solution in detail, hoping to help more partners who want to solve this problem to find a more simple and feasible method.

0x01 vulnerability description

Apache Shiro is a powerful and easy-to-use Java security framework that performs authentication, authorization, password, and session management. With Shiro's easy-to-understand API, you can quickly and easily access any application, from the smallest mobile application to the largest network and enterprise application.

When it is used in conjunction with Spring, under certain permission matching rules, an attacker can complete authentication bypass by constructing a special HTTP request packet.

Scope of influence: Apache Shiro

< 1.7.1 0x02 漏洞环境搭建 shiro 1.7.0 https://github.com/jweny/shiro-cve-2020-17523两种姿势的漏洞环境均已更新。 0x03 poc测试 姿势一： http://127.0.0.1:8080/admin/%20或 http://127.0.0.1:8080/admin/%20/ 使用空格等空字符，可绕过shiro身份验证。 姿势二： 经过和p0desta师傅交流，发现还有另一种特殊场景下的利用方式。 http://127.0.0.1:8080/admin/%2e或 http://127.0.0.1:8080/admin/%2e/ 但是.（还有/）在Spring的路径匹配的规则中是代表路径分隔符的，不作为普通字符进行匹配。因此在默认条件下访问/admin/.会返回404。 但是在开启全路径的场景下setAlwaysUseFullPath(true)是可以正常匹配的。 0x04 漏洞分析 Shiro中对于URL的获取及匹配在org.apache.shiro.web.filter.mgt.PathMatchingFilterChainResolver#getChain 先简单看下这个getChain方法： 该方法先检查requestURI是否以/结尾，如果是，就删掉最后一个/。 然后在匹配路径的循环中，会先判断下路径规则pathPattern是否以/结尾，如果是也会删除。然后再去调用pathMatches()方法进行路径匹配。 因此两种利用方式中，是否以/结尾都没有关系，因为开始经过getChain方法就会被删除。 4.1 空格绕过分析 关注下pathMatches()方法： 调出Evaluate，分别计算一下pathMatches（"/admin/*","/admin/1"）和pathMatches（"/admin/*","/admin/ "），前者正常匹配，后者匹配失败。 开始调试，调试开始会经过一阵漫长的F7。一直到doMatch("/admin/*","/admin/ ")。可见，tokenizeToStringArray返回的pathDirs已经没有第二层路径了。因此会导致/admin/*和/admin不匹配。 跟一下tokenizeToStringArray方法，发现其调用tokenizeToStringArray方法时的trimTokens参数为true。 而tokenizeToStringArray方法，在参数trimTokens为true时，会经过trim()处理，因此导致空格被清除。再次返回getChain时最后一个/被删除。因此tokenizeToStringArray返回的pathDirs没有第二层路径。 总结一下：存在漏洞的shiro版本，由于调用tokenizeToStringArray方法时，trimTokens参数默认为true，空格会经过trim()处理，因此导致空格被清除。再次返回getChain时最后一个/被删除，所以/admin与/admin/*匹配失败，导致鉴权绕过。而Spring接受到的访问路径为/admin/%20，按照正常逻辑返回响应，因此导致权限被绕过。 4.2 /./绕过分析 看到第二种姿势的/.和/./，是不是想起了某个熟悉方法？没错，就是normalize()。 简单翻译下就是： 条件示例正斜杠处理成反斜杠\ ->

/ A pair of backslashes are processed as backslashes / /-> / to /. Or /. At the end, add / / at the end. -> /. / /. -> /.. / normalized processing /. /. /-> / path hopping / aaa/../bbb-> / bbb

So / admin/. After being processed into / admin/./, it becomes / admin/.

After org.apache.shiro.web.filter.mgt.PathMatchingFilterChainResolver#getChain processing, due to / at the end, if yes, the last / is deleted and becomes / admin. `/ admin does not match / admin/*, so shiro authentication is bypassed.

At this point, the request received by Spring is / admin/.. If full path matching is not enabled, in Spring. And / are used as path separators and do not participate in path matching. So it doesn't match the mapping and returns 404.

If full path matching is enabled, the entire url will be matched, so Spring returns 200.

Here is the code to enable full path matching:

@ SpringBootApplicationpublic class SpringbootShiroApplication extends SpringBootServletInitializer implements BeanPostProcessor {@ Overrideprotected SpringApplicationBuilder configure (SpringApplicationBuilder builder) {return builder.sources (SpringbootShiroApplication.class);} public static void main (String [] args) {SpringApplication.run (SpringbootShiroApplication.class, args);} @ Overridepublic Object postProcessBeforeInitialization (Object bean, String beanName) throws BeansException {if (bean instanceof RequestMappingHandlerMapping) {((RequestMappingHandlerMapping) bean) .setAlwaysUseFullPath (true);} return bean } @ Overridepublic Object postProcessAfterInitialization (Object bean, String beanName) throws BeansException {return bean;}} 0x05's official fix

After the above analysis, there are two reasons for shiro permission bypass:

The tokenizeToStringArray function does not handle spaces correctly.

The logic of dealing with the last / should not precede the logic of the loop matching the path.

Therefore, the official repair plan is:

Https://github.com/apache/shiro/commit/0842c27fa72d0da5de0c5723a66d402fe20903df

Set the trimTokens parameter of tokenizeToStringArray to false.

Adjust the logic of deleting the last /. Modify it to match the original path first, and then go to the logic of deleting the last / after the match fails.

0x06 about trim

In principle, trim () clears all whitespace before and after the string, and space is just one of them, but in the test, it is found that other whitespace except spaces, for example,% 09,% 0a whitespace will return 400.

Therefore, in addition to the spaces in the first pose, no other useful payload has been found.

On Apache Shiro certification bypass loophole CVE-2020-17523 how to analyze the question is shared here, I hope the above content can be of some help to you, if you still have a lot of doubts unsolved, you can follow the industry information channel to learn more related knowledge.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.