CVE-2023-34865: A remote code execution (RCE) vulnerability exists in ujcms v6.0.2 · Issue #5 · ujcms/ujcms
Directory traversal vulnerability in ujcms 6.0.2 allows attackers to move files via the rename feature.
[Vulnerability description]
A Remote Code Execution (RCE) vulnerability exists in ujcms v6.0.2. When the project is deployed on Linux with Tomcat in a particular configuration, attackers can combine path traversal with arbitrary file upload to execute arbitrary code.
[Vulnerability Type]
Remote Code Execution (RCE)
[Vendor of Product]
https://gitee.com/ujcms/ujcms
https://github.com/ujcms/ujcms
https://www.ujcms.com/
[Affected Product Code Base]
v6.0.2
[Vulnerability proof]
The code restricts access to and execution of jsp and jspx files, but files can be uploaded to any path with any name, so an attacker can upload a web.xml that maps an additional suffix, such as abc, to the JSP servlet:
<servlet-mapping>
<servlet-name>jsp</servlet-name>
<url-pattern>*.abc</url-pattern>
</servlet-mapping>
Condition: the application must be deployed with Tomcat on Linux. File.renameTo is used for renaming, and on Windows it cannot overwrite the existing configuration file.
Upload web.xml
Download a default Tomcat web.xml and add the configuration above in the appropriate location. Upload the web.xml file to the uploads directory first, indicating the directory with the path id; the path cannot be traversed at upload time.
Rename the file. In the captured request, the file name field allows path traversal, so the original web.xml is overwritten.
Upload the webshell
Upload a webshell that executes the ping command. At this point the uploaded file's suffix cannot be the custom suffix configured above; upload it with any other suffix (here abc1) and rename it afterwards, otherwise the upload fails.
Rename it to …/…/123.abc; the path traverses to the root directory.
Visit 123.abc and the RCE is triggered.
[Code Details]
Upload
Tracing the rename interface shows that the parameters are passed to doUpload, which verifies the suffix at upload time: com.ujcms.cms.core.web.backendapi.AbstractUploadController#doUpload. A non-jsp suffix therefore passes this check and the file is uploaded without any problem.
Rename
com.ujcms.cms.core.web.backendapi.AbstractWebFileController#rename works like upload: it calls checkName to validate the file name. com.ujcms.cms.core.web.backendapi.AbstractWebFileController#checkName(java.lang.String) checks the file name and throws an exception only when both of the following hold:
(1) The file name is empty
(2) The file name contains illegal characters
The first condition is never true in practice, so the two conditions cannot be met at the same time, the check is always bypassed, execution continues, and any file can be renamed after upload. The judgment logic is wrong here: it should be || instead of &&. This defect disables the security check at this point and is the reason the exploit succeeds.
After passing this check, File.renameTo in com.ujcms.util.file.LocalFileHandler#rename renames the file. renameTo cannot overwrite existing files on Windows, but on Linux it can overwrite files and create directories, so this vulnerability can only be exploited on Linux.
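The flawed check beside its corrected form, as an added illustration that is not ujcms's own code: the checkName logic is reconstructed from the description above, and the illegal-character set and the sample names are assumptions.

```java
import java.util.regex.Pattern;

// Hypothetical reconstruction of the checkName logic described in this issue;
// not the ujcms source. The illegal-character set below is an assumption.
public class FileNameCheck {
    private static final Pattern ILLEGAL = Pattern.compile("[\\\\/:*?\"<>|]");

    // Flawed variant (the && bug): throws only when the name is BOTH empty AND
    // contains an illegal character, which can never happen, so it never fires.
    public static void checkNameFlawed(String name) {
        if (name.isEmpty() && ILLEGAL.matcher(name).find()) {
            throw new IllegalArgumentException("illegal file name: " + name);
        }
    }

    // Corrected variant (||): reject an empty name OR one with illegal
    // characters, and also reject ".." so a rename cannot leave its directory.
    public static void checkNameFixed(String name) {
        if (name == null || name.isEmpty() || ILLEGAL.matcher(name).find()
                || name.contains("..")) {
            throw new IllegalArgumentException("illegal file name: " + name);
        }
    }

    // Returns true when the selected variant rejects the name.
    static boolean rejects(String name, boolean flawed) {
        try {
            if (flawed) checkNameFlawed(name); else checkNameFixed(name);
            return false;
        } catch (IllegalArgumentException e) {
            return true;
        }
    }

    public static void main(String[] args) {
        // Constructed sample names: a benign one, a traversal one, an empty one.
        String[] samples = {"report.txt", "../../123.abc", ""};
        for (String s : samples) {
            System.out.printf("%-18s flawed rejects=%-5s fixed rejects=%s%n",
                    "\"" + s + "\"", rejects(s, true), rejects(s, false));
        }
    }
}
```

Running it shows the flawed variant accepting every name, including the traversal one, while the corrected variant rejects both the traversal and the empty name.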