Puma header normalization CVE-2024-45614 verification
===
- advisory: https://github.com/puma/puma/security/advisories/GHSA-9hf4-67fc-4vf4
- fix commit: https://github.com/puma/puma/commit/cac3fd18cf29ed43719ff5d52d9cfec215f0a043
### Results
Output of running [requests.rb](requests.rb) against each server
#### duplicate
| Target | Result |
| --- | --- |
| puma_before_fix_rack2 | X_FORWARDED_FOR: 2.2.2.2 |
| puma_before_fix_rack3 | X_FORWARDED_FOR: 2.2.2.2 |
| puma_after_fix_rack2 | X_FORWARDED_FOR: 2.2.2.2 |
| puma_after_fix_rack3 | X_FORWARDED_FOR: 2.2.2.2 |
| pitchfork_rack2 | X_FORWARDED_FOR: 2.2.2.2 |
| pitchfork_rack3 | X_FORWARDED_FOR: 2.2.2.2 |
| unicorn_rack2 | X_FORWARDED_FOR: 2.2.2.2 |
| unicorn_rack3 | X_FORWARDED_FOR: 2.2.2.2 |
| thin_rack2 | X_FORWARDED_FOR: 2.2.2.2 |
| falcon_rack3 | X_FORWARDED_FOR: 2.2.2.2 |
| nginx_unicorn_rack2 | X_FORWARDED_FOR: 2.2.2.2 |
| nginx_unicorn_rack2_underscore_on | X_FORWARDED_FOR: 2.2.2.2 |
#### under_score
| Target | Result |
| --- | --- |
| puma_before_fix_rack2 | X_FORWARDED_FOR: 2.2.2.2 |
| puma_before_fix_rack3 | X_FORWARDED_FOR: 2.2.2.2 |
| puma_after_fix_rack2 | X_FORWARDED_FOR: 1.1.1.1 |
| puma_after_fix_rack3 | X_FORWARDED_FOR: 1.1.1.1 |
| pitchfork_rack2 | X_FORWARDED_FOR: 1.1.1.1,2.2.2.2 |
| pitchfork_rack3 | X_FORWARDED_FOR: 1.1.1.1,2.2.2.2 |
| unicorn_rack2 | X_FORWARDED_FOR: 1.1.1.1,2.2.2.2 |
| unicorn_rack3 | X_FORWARDED_FOR: 1.1.1.1,2.2.2.2 |
| thin_rack2 | X_FORWARDED_FOR: 2.2.2.2 |
| falcon_rack3 | X_FORWARDED_FOR: 1.1.1.1,2.2.2.2 |
| nginx_unicorn_rack2 | X_FORWARDED_FOR: 1.1.1.1 |
| nginx_unicorn_rack2_underscore_on | X_FORWARDED_FOR: 1.1.1.1,2.2.2.2 |
#### reverse_under_score
| Target | Result |
| --- | --- |
| puma_before_fix_rack2 | X_FORWARDED_FOR: 1.1.1.1 |
| puma_before_fix_rack3 | X_FORWARDED_FOR: 1.1.1.1 |
| puma_after_fix_rack2 | X_FORWARDED_FOR: 2.2.2.2 |
| puma_after_fix_rack3 | X_FORWARDED_FOR: 2.2.2.2 |
| pitchfork_rack2 | X_FORWARDED_FOR: 1.1.1.1,2.2.2.2 |
| pitchfork_rack3 | X_FORWARDED_FOR: 1.1.1.1,2.2.2.2 |
| unicorn_rack2 | X_FORWARDED_FOR: 1.1.1.1,2.2.2.2 |
| unicorn_rack3 | X_FORWARDED_FOR: 1.1.1.1,2.2.2.2 |
| thin_rack2 | X_FORWARDED_FOR: 2.2.2.2 |
| falcon_rack3 | X_FORWARDED_FOR: 1.1.1.1,2.2.2.2 |
| nginx_unicorn_rack2 | X_FORWARDED_FOR: 2.2.2.2 |
| nginx_unicorn_rack2_underscore_on | X_FORWARDED_FOR: 1.1.1.1,2.2.2.2 |
#### upper_case
| Target | Result |
| --- | --- |
| puma_before_fix_rack2 | X_FORWARDED_FOR: 2.2.2.2 |
| puma_before_fix_rack3 | X_FORWARDED_FOR: 2.2.2.2 |
| puma_after_fix_rack2 | X_FORWARDED_FOR: 2.2.2.2 |
| puma_after_fix_rack3 | X_FORWARDED_FOR: 2.2.2.2 |
| pitchfork_rack2 | X_FORWARDED_FOR: 2.2.2.2 |
| pitchfork_rack3 | X_FORWARDED_FOR: 2.2.2.2 |
| unicorn_rack2 | X_FORWARDED_FOR: 2.2.2.2 |
| unicorn_rack3 | X_FORWARDED_FOR: 2.2.2.2 |
| thin_rack2 | X_FORWARDED_FOR: 2.2.2.2 |
| falcon_rack3 | X_FORWARDED_FOR: 2.2.2.2 |
| nginx_unicorn_rack2 | X_FORWARDED_FOR: 2.2.2.2 |
| nginx_unicorn_rack2_underscore_on | X_FORWARDED_FOR: 2.2.2.2 |
#### reverse_upper_case
| Target | Result |
| --- | --- |
| puma_before_fix_rack2 | X_FORWARDED_FOR: 2.2.2.2 |
| puma_before_fix_rack3 | X_FORWARDED_FOR: 2.2.2.2 |
| puma_after_fix_rack2 | X_FORWARDED_FOR: 2.2.2.2 |
| puma_after_fix_rack3 | X_FORWARDED_FOR: 2.2.2.2 |
| pitchfork_rack2 | X_FORWARDED_FOR: 2.2.2.2 |
| pitchfork_rack3 | X_FORWARDED_FOR: 2.2.2.2 |
| unicorn_rack2 | X_FORWARDED_FOR: 2.2.2.2 |
| unicorn_rack3 | X_FORWARDED_FOR: 2.2.2.2 |
| thin_rack2 | X_FORWARDED_FOR: 2.2.2.2 |
| falcon_rack3 | X_FORWARDED_FOR: 2.2.2.2 |
| nginx_unicorn_rack2 | X_FORWARDED_FOR: 2.2.2.2 |
| nginx_unicorn_rack2_underscore_on | X_FORWARDED_FOR: 2.2.2.2 |
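The under_score and reverse_under_score rows above can be reproduced with a small model of how each server folds the two spellings of the header into the single Rack env key `HTTP_X_FORWARDED_FOR`. This is an added example, not the repository's requests.rb or config.ru; the header pairs are constructed to match the tables (the "reverse" case keeps the IP values in place and swaps the two spellings), and the strategy names and behaviours are simplifications that reproduce the observed results, not the servers' actual parser code.

```ruby
# Added example: model of header-name normalization behind CVE-2024-45614.
# "X-Forwarded-For" and "X_Forwarded_For" both map to HTTP_X_FORWARDED_FOR,
# so a client-supplied underscore header lands on the same key as the
# proxy-set dashed header. Which value survives depends on the server.
def env_key(name)
  "HTTP_" + name.upcase.tr("-", "_")
end

# headers: [[name, value], ...] in wire order.
# Strategies (simplified, matching the result tables, not real server code):
#   :underscore_wins - "_" spelling overwrites "-" regardless of order (Puma before fix)
#   :dash_wins       - "_" spelling is dropped when the "-" spelling exists (Puma after fix)
#   :last_wins       - plain overwrite in wire order (Thin)
#   :join            - same key joined with "," in wire order (Unicorn, Pitchfork, Falcon)
#   :drop_underscore - "_" headers never reach the app (nginx, underscores_in_headers off)
def build_env(headers, strategy)
  dashed_keys = headers.map { |n, _| env_key(n) unless n.include?("_") }.compact
  ordered = headers
  if strategy == :underscore_wins
    # underscore headers are applied after all dashed ones, so they always win
    dashed, underscored = headers.partition { |n, _| !n.include?("_") }
    ordered = dashed + underscored
  end
  env = {}
  ordered.each do |name, value|
    key = env_key(name)
    underscore = name.include?("_")
    next if underscore && strategy == :drop_underscore
    next if underscore && strategy == :dash_wins && dashed_keys.include?(key)
    env[key] = strategy == :join && env.key?(key) ? "#{env[key]},#{value}" : value
  end
  env
end

# Constructed request header pairs consistent with the tables above.
UNDER_SCORE = [["X-Forwarded-For", "1.1.1.1"], ["X_Forwarded_For", "2.2.2.2"]]
REVERSE_UNDER_SCORE = [["X_Forwarded_For", "1.1.1.1"], ["X-Forwarded-For", "2.2.2.2"]]

def forwarded_for(headers, strategy)
  build_env(headers, strategy)["HTTP_X_FORWARDED_FOR"]
end

if __FILE__ == $0
  %i[underscore_wins dash_wins last_wins join drop_underscore].each do |s|
    puts format("%-16s under_score=%-16s reverse_under_score=%s", s,
                forwarded_for(UNDER_SCORE, s), forwarded_for(REVERSE_UNDER_SCORE, s))
  end
end
```

Only the `:dash_wins` and `:drop_underscore` rows keep the proxy-set value in both orders, which is the behaviour the fix (and nginx's default of rejecting underscore headers) provides.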
### Starting each server
#### Puma
```
# Before the CVE-2024-45614 fix, Rack 2
$ cd puma_before_fix_rack2
$ RACK_ENV=production bundle exec puma -p 9000 ../config.ru
# Before the CVE-2024-45614 fix, Rack 3
$ cd puma_before_fix_rack3
$ RACK_ENV=production bundle exec puma -p 9001 ../config.ru
# After the CVE-2024-45614 fix, Rack 2
$ cd puma_after_fix_rack2
$ RACK_ENV=production bundle exec puma -p 9002 ../config.ru
# After the CVE-2024-45614 fix, Rack 3
$ cd puma_after_fix_rack3
$ RACK_ENV=production bundle exec puma -p 9003 ../config.ru
```
#### Pitchfork
```
# Rack2
$ cd pitchfork_rack2
$ RACK_ENV=production bundle exec pitchfork -p 9010 ../config.ru
# Rack3
$ cd pitchfork_rack3
$ RACK_ENV=production bundle exec pitchfork -p 9011 ../config.ru
```
#### Unicorn
```
# Rack2
$ cd unicorn_rack2
$ RACK_ENV=production bundle exec unicorn -p 9020 ../config.ru
# Rack3
# * At the version examined, Rack 3 support is not complete, but the server does run
$ cd unicorn_rack3
$ RACK_ENV=production bundle exec unicorn -p 9021 ../config.ru
```
#### Thin
```
# Rack2
$ cd thin_rack2
$ RACK_ENV=production bundle exec thin start -p 9030 -R ../config.ru
# Rack3
# * The version examined does not support Rack 3, so bundle install fails
```
#### Falcon
* Started with HTTP/1 to make verification easier
```
# Rack2
$ cd falcon_rack2
$ RACK_ENV=production bundle exec rackup --server falcon -p 9040 ../config.ru
# * Could not get this one running
# Rack3
$ cd falcon_rack3
$ RACK_ENV=production bundle exec rackup --server falcon -p 9041 ../config.ru
```
#### Nginx
```
$ docker run --name heade_test_nginx -v $(pwd)/nginx.conf:/etc/nginx/nginx.conf:ro -d -p 9100:80 -p 9101:81 nginx
```
```
[4.0K] /data/pocs/f881438bde2b3afa26b3757b25b6b5623494b473
├── [ 423] config.ru
├── [4.0K] falcon_rack2
│   ├── [ 121] Gemfile
│   └── [1.8K] Gemfile.lock
├── [4.0K] falcon_rack3
│   ├── [ 143] Gemfile
│   └── [1.9K] Gemfile.lock
├── [ 420] nginx.conf
├── [4.0K] pitchfork_rack2
│   ├── [ 123] Gemfile
│   └── [ 243] Gemfile.lock
├── [4.0K] pitchfork_rack3
│   ├── [ 123] Gemfile
│   └── [ 243] Gemfile.lock
├── [4.0K] puma_after_fix_rack2
│   ├── [ 114] Gemfile
│   └── [ 217] Gemfile.lock
├── [4.0K] puma_after_fix_rack3
│   ├── [ 114] Gemfile
│   └── [ 217] Gemfile.lock
├── [4.0K] puma_before_fix_rack2
│   ├── [ 114] Gemfile
│   └── [ 216] Gemfile.lock
├── [4.0K] puma_before_fix_rack3
│   ├── [ 114] Gemfile
│   └── [ 216] Gemfile.lock
├── [5.2K] README.md
├── [1.6K] requests.rb
├── [4.0K] thin_rack2
│   ├── [ 127] Gemfile
│   └── [ 326] Gemfile.lock
├── [4.0K] unicorn_rack2
│   ├── [ 118] Gemfile
│   └── [ 269] Gemfile.lock
└── [4.0K] unicorn_rack3
    ├── [ 118] Gemfile
    └── [ 269] Gemfile.lock

11 directories, 26 files
```