Recently, a newly published advisory reported a directory traversal vulnerability affecting Jira 5.0.11 and 6.0.3. The vulnerability was confirmed in July of last year and fixed over the following months.
The attack is simple, but the potential impact is severe: the vulnerability may allow an attacker to upload a file that acts as a webshell. Below I explain how this vulnerability can be found through static analysis, and which small detail makes it exploitable only on Windows systems.
Vulnerability identification
The following code comes from the Issue Collector plugin, which exposes a REST API that accepts uploaded screenshot files and attaches them to the submitted report.
com/atlassian/jira/collector/plugin/rest/TemporaryAttachmentsResource.java

    [...]
    @POST
    @Path("multipart/{collectorId}")
    @Consumes({"multipart/form-data"})
    @Produces({"text/html"})
    public Response attachTemporaryFileViaForm(@PathParam("collectorId") String collectorId,
            @MultipartFormParam("screenshot") Collection<FilePart> fileParts) {
        ServiceOutcome outcome = this.collectorService.getCollector(collectorId);
        [...]
        FilePart filePart = (FilePart) fileParts.iterator().next();
        try {
            [...]
            // The file name supplied by the client is passed through unchanged
            TemporaryAttachment temporaryAttachment = createTemporaryAttachment(filePart.getName(),
                    filePart.getContentType(), filePart.getInputStream());
            temporaryAttachmentsMonitor.add(temporaryAttachment);
            context.put("temporaryAttachment", temporaryAttachment);
            return Response.ok(renderTemplate("templates/rest/tempfilejson.vm", context))
                    .cacheControl(com.atlassian.jira.rest.v1.util.CacheControl.NO_CACHE).build();
        } catch (IOException e) {
        }
        return Response.serverError()
                .cacheControl(com.atlassian.jira.rest.v1.util.CacheControl.NO_CACHE).build();
    }

    private TemporaryAttachment createTemporaryAttachment(String fileName, String contentType,
            InputStream inputStream) {
        File tmpDir = AttachmentUtils.getTemporaryAttachmentDirectory();
        long uniqueId;
        File tempAttachmentFile;
        do {
            uniqueId = getUUID();
            // fileName is concatenated into the target path without any sanitisation
            tempAttachmentFile = new File(tmpDir, uniqueId + "_" + fileName);
        } while (tempAttachmentFile.exists());
        FileOutputStream output = null;
        try {
            output = new FileOutputStream(tempAttachmentFile);
            IOUtils.copy(inputStream, output);
            output.close();
        } catch (IOException e) {
            IOUtils.closeQuietly(output);
            log.error("Error creating temporary attachment", e);
            return null;
        }
        return new TemporaryAttachment(Long.valueOf(uniqueId), Long.valueOf(-1L), tempAttachmentFile,
                fileName, contentType);
    }
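As an added example (not Jira's or the plugin's code), this is the hardening a reviewer would ask for in createTemporaryAttachment(): the client-controlled name is reduced to a bare base name on both separator styles, and the resulting path is canonicalised and checked to still lie inside the temporary attachment directory. The class and method names here are my own.

```java
import java.io.File;
import java.io.IOException;

// Added example, not code from the Issue Collector plugin.
public class SafeTemporaryAttachment {

    /** Strip any directory component the client sent, on both separator styles. */
    static String baseName(String clientFileName) {
        if (clientFileName == null) {
            throw new IllegalArgumentException("missing file name");
        }
        // Handle both '/' and '\' regardless of the server's platform: the
        // multipart file name is chosen entirely by the client.
        int cut = Math.max(clientFileName.lastIndexOf('/'), clientFileName.lastIndexOf('\\'));
        String name = clientFileName.substring(cut + 1).trim();
        if (name.isEmpty() || name.equals(".") || name.equals("..")) {
            throw new IllegalArgumentException("invalid file name: " + clientFileName);
        }
        return name;
    }

    /** Build the temp file the way the plugin does, then verify containment. */
    static File safeTemporaryFile(File tmpDir, long uniqueId, String clientFileName)
            throws IOException {
        File target = new File(tmpDir, uniqueId + "_" + baseName(clientFileName));
        String root = tmpDir.getCanonicalPath() + File.separator;
        String resolved = target.getCanonicalPath();
        // Defence in depth: even after baseName(), refuse anything that
        // canonicalises outside tmpDir (for example through a symlinked component).
        if (!resolved.startsWith(root)) {
            throw new IOException("path escapes attachment directory: " + resolved);
        }
        return target;
    }

    public static void main(String[] args) throws IOException {
        // Constructed directory and names; no files are created by this demo.
        File tmpDir = new File(System.getProperty("java.io.tmpdir"), "jira-attachments");
        System.out.println(safeTemporaryFile(tmpDir, 42L, "screenshot.png"));
        // A constructed traversal name of the kind the advisory describes is
        // reduced to "43_shell.jsp" inside tmpDir instead of escaping it.
        System.out.println(safeTemporaryFile(tmpDir, 43L, "..\\..\\..\\webapps\\ROOT\\shell.jsp"));
    }
}
```

The base-name step alone does not protect against a symlink inside the attachment directory, which is why the canonical-path containment check is kept as well.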