An arbitrary file reading vulnerability was discovered #10

Open
ErodedElk opened this issue Feb 5, 2023 · 0 comments

I found an arbitrary file reading vulnerability in the vn_handle_get_connection function:

```c
void vn_handle_get_connection(vn_http_connection_t *conn) {
    ........
    /* Append default static resource path before HTTP request's uri */
    memset(filepath, '\0', VN_MAX_HTTP_HEADER_VALUE);
    if (strcat(filepath, VN_PARENT_DIR) == NULL) {
        err_sys("[vn_handle_get_connection] strcat [VN_PARENT_DIR] error");
    }
    if (strcat(filepath, VN_DEFAULT_STATIC_RES_DIR) == NULL) {
        err_sys("[vn_handle_get_connection] strcat [DEFAULT_STATIC_RES_DIR] error");
    }
    if (strncat(filepath, uri, strlen(uri)) == NULL) {
        err_sys("[vn_handle_get_connection] strcat [uri] error");
    }

    ......
    if (vn_check_file_exist(filepath) < 0) {
        vn_build_resp_404_body(body, uri);
        vn_build_resp_headers(headers, 404, "Not Found", "text/html", strlen(body), VN_CONN_CLOSE);
        // TODO: using vn_handle_write_event
        rio_writen(conn->fd, (void *) headers, strlen(headers));
        rio_writen(conn->fd, (void *) body, strlen(body));
        vn_close_http_connection((void *) conn);
        return;
    }

    if (vn_check_read_permission(filepath) < 0) {
        vn_build_resp_403_body(body, uri);
        vn_build_resp_headers(headers, 403, "Forbidden", "text/html", strlen(body), VN_CONN_CLOSE);
        // TODO: using vn_handle_write_event
        rio_writen(conn->fd, (void *) headers, strlen(headers));
        rio_writen(conn->fd, (void *) body, strlen(body));
        vn_close_http_connection((void *) conn);
        return;
    }

    if ((srcfd = open(filepath, O_RDONLY, 0)) < 0) {
```

The key is the source of the variable filepath.
The program will stitch the string "../html" together with the path obtained from the GET request. But if the packet is intercepted by a packet capture tool such as Burp Suite and the request path is changed to something like "/../../../../../flag", the program will open "../html/../../../../../flag". Obviously, if the file exists, then it will be able to read it. By blasting, etc., it will be possible to get all the files on the server that the binary program can access.
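One way to keep the concatenated path inside the static resource directory, as an added example that is not part of the original issue or the project's code. The names `resolve_under_root` and `make_demo_tree` and the temporary directory layout are assumptions constructed for the demonstration.

```c
#define _XOPEN_SOURCE 700 /* realpath(), mkdtemp() */
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>

/* Canonicalise docroot + uri and accept it only if it stays inside docroot.
 * Returns 0 and fills out (PATH_MAX bytes); -1 if missing, too long or outside. */
int resolve_under_root(const char *docroot, const char *uri, char *out) {
    char root[PATH_MAX], joined[PATH_MAX];
    size_t rlen;
    int n;
    if (realpath(docroot, root) == NULL) return -1;
    /* Bounded join, unlike strncat(filepath, uri, strlen(uri)). */
    n = snprintf(joined, sizeof joined, "%s/%s", root, uri);
    if (n < 0 || (size_t)n >= sizeof joined) return -1;
    /* realpath() collapses "..", "." and symlinks; it fails if the file is absent. */
    if (realpath(joined, out) == NULL) return -1;
    rlen = strlen(root);
    if (strncmp(out, root, rlen) != 0) return -1;
    /* The prefix must end at a path separator: ".../html.bak" is not under ".../html". */
    if (rlen > 1 && out[rlen] != '/' && out[rlen] != '\0') return -1;
    return 0;
}

/* Constructed demo tree: <tmp>/html/index.html in the root; <tmp>/html.bak and
 * <tmp>/flag outside it. Writes the root path to docroot; returns 0 on success. */
int make_demo_tree(char *docroot, size_t len) {
    char base[] = "/tmp/vnroot-XXXXXX", path[PATH_MAX];
    const char *files[] = { "html/index.html", "html.bak", "flag" };
    FILE *f;
    if (mkdtemp(base) == NULL) return -1;
    snprintf(docroot, len, "%s/html", base);
    if (mkdir(docroot, 0700) != 0) return -1;
    for (int i = 0; i < 3; i++) {
        snprintf(path, sizeof path, "%s/%s", base, files[i]);
        if ((f = fopen(path, "w")) == NULL) return -1;
        fclose(f);
    }
    return 0;
}

int main(void) {
    char root[PATH_MAX], out[PATH_MAX];
    if (make_demo_tree(root, sizeof root) != 0) return 1;
    printf("/index.html -> %d\n", resolve_under_root(root, "/index.html", out));
    printf("/../../../../../flag -> %d\n", resolve_under_root(root, "/../../../../../flag", out));
    return 0;
}
```

A caller would pass the canonical path written to `out` to `open()`, not the original concatenation. A symlink swapped in between the check and the `open()` call is not covered by this sketch.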
