CVE-2022-40308

影响范围

Apache Archiva < 2.2.9

环境搭建

https://archive.apache.org/dist/archiva/2.2.8/binaries/apache-archiva-2.2.8-bin.zip

https://codeload.github.com/apache/archiva/zip/refs/tags/archiva-2.2.8

./bin/archiva console或.\bin\archiva.bat console

可以提前在conf/wrapper.conf添加如下配置，方便IDEA远程调试

wrapper.java.additional.9=-agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=5005

首次运行需要添加Admin用户，注意需要勾选Validated复选框：

http://127.0.0.1:8080/#open-admin-create-box

漏洞复现

前置条件是启用匿名读取或者使用拥有archiva-read-repository权限的用户

前置条件是启用匿名读取或者使用拥有archiva-read-repository权限的用户，在如下界面点击下载然后抓包

修改URL为/repository/internal/..//../data/data-bases/users/log/log1.dat，这将会读取Archiva根目录下的data/databases/users/log/log1.dat文件，该文件会记录系统用户账号及加密后的密码

漏洞分析

由web.xml

<servlet-mapping>  <servlet-name>RepositoryServlet</servlet-name>  <url-pattern>/repository/*</url-pattern></servlet-mapping>

入口在RepositoryServlet，而且POC/repositor-y/internal/..///../data/databases/users/log/log1.dat中的..///..必须是两个及以上数量的/

如果URL为/repository/internal/../../data/data-bases/users/log/log1.dat,则Jetty会认为请求的是/data/databases/users/log/log1.dat而非/repo-sitory/*

org.apache.archiva.webdav.RepositoryServlet#service

protected void service( HttpServletRequest request, HttpServletResponse response )    throws ServletException, IOException{    WebdavRequest webdavRequest = new WebdavRequestImpl( request, getLocatorFactory() );    // DeltaV requires 'Cache-Control' header for all methods except 'VERSION-CONTROL' and 'REPORT'.    int methodCode = DavMethods.getMethodCode( request.getMethod() );    boolean noCache = DavMethods.isDeltaVMethod( webdavRequest ) && !( DavMethods.DAV_VERSION_CONTROL == methodCode        || DavMethods.DAV_REPORT == methodCode );    WebdavResponse webdavResponse = new WebdavResponseImpl( response, noCache );    DavResource resource = null;    try    {        // make sure there is a authenticated user        if ( !getDavSessionProvider().attachSession( webdavRequest ) )        {            return;        }        // check matching if=header for lock-token relevant operations        resource =            getResourceFactory().createResource( webdavRequest.getRequestLocator(), webdavRequest, webdavResponse );        if ( !isPreconditionValid( webdavRequest, resource ) )        {            webdavResponse.sendError( DavServletResponse.SC_PRECONDITION_FAILED );            return;        }        if ( !execute( webdavRequest, webdavResponse, methodCode, resource ) )        {            super.service( request, response );        }    }...}

跟入getResourceFactory().createResource

org.apache.archiva.webdav.ArchivaDavResourceFactory#createResource(org.apache.jackrabbit.webdav.DavResourceLocator, org.apache.jackrabbit.webdav.DavServletRequest, org.apache.jackrabbit.webdav.DavServletResponse)

鉴权在processRepository(...)中，过了鉴权后发现其实问题也是由于未验证文件名，这里将包含目录穿越的路径直接拼接到new File()参数中

漏洞修复

这是当时给官方提交漏洞后，官方回复的修复方式，和目前最新版的代码好像不太一样

https://github.com/apache/archiva/commit/4a2d43be63634331668d71590034963e96a8886a#diff7828cc4ef12a5f453debc98ef5c3eaf85c6851b271ee298a75b4bd6ea001846cR605

当时的修复方式和CVE-2022-40309的修复差不多

参考

https://lists.apache.org/thread/1odl4p85r96n27k577jk6ftrp19xfc27

https://lists.apache.org/thread/x01pnn0jjsw512cscxsbxzrjmz64n4cc