
Path traversal in vn_handle_get_connection allows arbitrary file read


I found a path-traversal vulnerability (arbitrary file read, CWE-22) in the `vn_handle_get_connection` function; the relevant part of the handler is shown below (unrelated lines elided):

void vn_handle_get_connection(vn_http_connection_t *conn) {
    ........
    /* Append default static resource path before HTTP request's uri */
    memset(filepath, '\0', VN_MAX_HTTP_HEADER_VALUE);
    if (strcat(filepath, VN_PARENT_DIR) == NULL) {
        err_sys("[vn_handle_get_connection] strcat [VN_PARENT_DIR] error");
    }
    if (strcat(filepath, VN_DEFAULT_STATIC_RES_DIR) == NULL) {
        err_sys("[vn_handle_get_connection] strcat [DEFAULT_STATIC_RES_DIR] error");
    }
    if (strncat(filepath, uri, strlen(uri)) == NULL) {
        err_sys("[vn_handle_get_connection] strcat [uri] error");
    }

    ......
    if (vn_check_file_exist(filepath) < 0) {
        vn_build_resp_404_body(body, uri);
        vn_build_resp_headers(headers, 404, "Not Found", "text/html", strlen(body), VN_CONN_CLOSE);
        // TODO: using vn_handle_write_event
        rio_writen(conn->fd, (void *) headers, strlen(headers));
        rio_writen(conn->fd, (void *) body, strlen(body));
        vn_close_http_connection((void *) conn);
        return;
    } 
    
    if (vn_check_read_permission(filepath) < 0) {
        vn_build_resp_403_body(body, uri);
        vn_build_resp_headers(headers, 403, "Forbidden", "text/html", strlen(body), VN_CONN_CLOSE);
        // TODO: using vn_handle_write_event
        rio_writen(conn->fd, (void *) headers, strlen(headers));
        rio_writen(conn->fd, (void *) body, strlen(body));
        vn_close_http_connection((void *) conn);
        return;
    }

    if ((srcfd = open(filepath, O_RDONLY, 0)) < 0) {

The root cause is how `filepath` is constructed. The handler concatenates the static-resource prefix (`VN_PARENT_DIR` followed by `VN_DEFAULT_STATIC_RES_DIR`, i.e. `../html`) with the request URI taken verbatim from the GET request line, and nothing in the code shown rejects `..` path segments or canonicalizes the result before `vn_check_file_exist`, `vn_check_read_permission` and `open()` are called on it.
Most browsers normalize `..` out of a URL before sending it, so the raw path has to be sent directly — with an intercepting proxy such as Burp Suite, `curl --path-as-is`, or a plain socket. A request for `/../../../../../flag` makes the server open `../html/../../../../../flag`, which the kernel resolves to `/flag` once enough `..` components have walked up to the filesystem root. If that file exists and is readable by the server process, the existence and permission checks pass and the file is served like any static resource. By brute-forcing well-known paths (`/etc/passwd`, configuration files, the server binary itself, application source) an attacker can read any file the process's user has permission to read.
Suggested fix: after building the path, resolve it with `realpath()` and refuse the request (403) unless the canonical result begins with the canonical static-resource directory; alternatively, reject any URI containing a `..` segment (and percent-encoded forms of it, if the URI is decoded anywhere) before concatenation. A related caveat: `strncat(filepath, uri, strlen(uri))` bounds the copy by the *source* length, which is equivalent to plain `strcat`, not by the space remaining in `filepath`; whether `uri` is length-limited earlier in the request parser is not visible in this excerpt, so that should be checked as well.