You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
{{ message }}
CodeChecker has a Path traversal in `CodeChecker server` in the endpoint of `CodeChecker store`
Moderate severity
GitHub Reviewed
Published
Jun 24, 2024
in
Ericsson/codechecker
•
Updated Jun 26, 2024
ZIP files uploaded to the server-side endpoint handling a CodeChecker store are not properly sanitized. An attacker can exercise a path traversal to make the CodeChecker server load and display files from an arbitrary location on the server machine.
Details
Target
The vulnerable endpoint is /<PRODUCT_URL>/v6.53/CodeCheckerService@massStoreRun.
Exploit overview
The attack is made possible by improper sanitization at one point in the process.
When the ZIP file is uploaded by CodeChecker store, it is first unzipped to a temporary directory (safely).
When deciding which files to insert into CodeChecker's internal database, the decision is made based on the content_hashes.json in the ZIP. An attacker has control over the contents of this file.
Providing sufficiently many ../../s inside the content_hashes.json, an attacker can control the insertion of completely arbitrary files into CodeChecker's internal database.
Once the file is inserted into the internal database, it can be displayed trivially on the Web interface.
As CodeChecker doesn't distinguish between filenames after the ZIP is extraced, an attacker can define aliases in content_hashes.json.
mass_store_run.py:444 __store_source_files() - Storing source file: /home/discookie/.codechecker/tmpx7hg1teb/root/etc/passwd
mass_store_run.py:453 __store_source_files() - /etc/passwd not found or already stored.
The file is displayed in the Web UI if and only if there is at least one bug report in it.
The bug reports are coming from the ZIP and the attacker can craft the required contents for this.
If done so, the logs confirm the requirement for presenting the results of the exploit will be triggered:
The server emits the contents of the injected files from the server's database to all users:
Note
The file is shown with the contents as it was on the system when the exploited CodeChecker store was exercised. This attack does not allow the server to return the "live" contents of a file on the server's storage — the attacker(s) must recurringly exercise the exploit to keep the injected files "updated" in the database.
PoC
The minimal example that can trigger the exploit can be downloaded: PoC.zip.
The key to the exploit is the content_hashes.json file. The additional files create a report in the loaded /etc/passwd file, so it is displayed in the web UI.
The communication between the CodeChecker store and the server is done by transmitting the ZIP file in a Base64-encoded string.
Encoding the ZIP into the format of the API can be done with Python:
The path traversal vulnerability allows reading data on the machine of the CodeChecker server, with the same permission level as the CodeChecker server process. This allows for the exfiltration from the server-side storage medium.
If the CodeChecker server is run with authentication enabled (not the default configuration), then the attack requires a valid user account on the CodeChecker server, with the permission to store to a database, and view the stored reports.
Summary
ZIP files uploaded to the server-side endpoint handling a
CodeChecker store
are not properly sanitized. An attacker can exercise a path traversal to make theCodeChecker server
load and display files from an arbitrary location on the server machine.Details
Target
The vulnerable endpoint is
/<PRODUCT_URL>/v6.53/CodeCheckerService@massStoreRun
.Exploit overview
The attack is made possible by improper sanitization at one point in the process.
CodeChecker store
, it is first unzipped to a temporary directory (safely).content_hashes.json
in the ZIP. An attacker has control over the contents of this file.https://github.com/Ericsson/codechecker/blob/fa41e4e5d9566b5a4f5a80a27bddec73a5146f5a/web/server/codechecker_server/api/mass_store_run.py#L442-L444
../../
s inside thecontent_hashes.json
, an attacker can control the insertion of completely arbitrary files into CodeChecker's internal database.As CodeChecker doesn't distinguish between filenames after the ZIP is extraced, an attacker can define aliases in
content_hashes.json
.The bug reports are coming from the ZIP and the attacker can craft the required contents for this.
If done so, the logs confirm the requirement for presenting the results of the exploit will be triggered:
Note
The file is shown with the contents as it was on the system when the exploited
CodeChecker store
was exercised. This attack does not allow the server to return the "live" contents of a file on the server's storage — the attacker(s) must recurringly exercise the exploit to keep the injected files "updated" in the database.PoC
The minimal example that can trigger the exploit can be downloaded:
PoC.zip
.The key to the exploit is the
content_hashes.json
file. The additional files create a report in the loaded/etc/passwd
file, so it is displayed in the web UI./content_hashes.json
Uploading the ZIP to the server
The communication between the
CodeChecker store
and the server is done by transmitting the ZIP file in a Base64-encoded string.Encoding the ZIP into the format of the API can be done with Python:
The result of the compression and encoding can be sent to the running server over the API.
When the API is called, the exploit is exercised.
One-line PoC
curl "http://localhost:8001/Default/v6.53/CodeCheckerService" \ --data \ '[1,"massStoreRun",1,0,{"1":{"str":"poc"},"3":{"str":"6.22.1"},"4" {"str":"eJzNVk9vIzUUT3cpS4MqIcEB2Msw6oGV2vmXzKRZZVPYdpGqLSXSdrXqVquRM+NJhk7GI9tpN5Qe0SJx4MARCfEB+AaIE2glrnAAwY0DXwAQ4gT2ZCbj+ZNI2ROTWLaff+/5+edn+/XuXn2uXuOfi48frP7zh49Ym5eXWXFQSGFI7SEgQ0iU9wkKL2RVUZb4Q+qoESDk3JVvSvIIBB7CI+jGJuVNSV4MuOwx/16J/fvQP35QE74XWMEwQpgSNUMhnEfdEFCg5WoeMFxLc7Vtz2u0XVNvt0yrrbcA8JqN2MyUjK+YGeutk78fXqnVeLGWMTOCFLiAgilf63WJffIZxMRHIVujsZmIKEIBYYKTaZ9/F1kzhoRgBDktDnKhM4TOKcTyZgEDHMoM2+F4xJCN4qiDRiMQcm5PHhXHMp9kSzEMRZfe3Aag3296Ld2Ebrule6bnsbXp/WZjGxrA0TRNt6DeNG+U3DhH+NQPB7brY+hQhCfcrFqCoTGNxtSOAB1WAzAk44DaBI2xA23PDyDnqEBMjCRgFAVQiQKf0NiWEEp5+GWJsxAEkw/Y8rnp0ig59aMIcs604hD1R5BQNvE8p/pw4HNGdau9bTTaTaOpaJap66axWYGG8c4IWNPSrEazWXA/6ybNR+v1yyxa77Fo/WtlfPuja7UaL+Yy0Sqy2Nl5PAqkJCxuybqiyRIMWfCxjb0l3z96Z2tb3unWO2/svbd7dNy7I8VaUu/+7YP9XUneUtW3I2ZMVfeO9qTewf69I4nZUNU7h7IkDymNbqrq+fm5AjhKYaHJgez4YhRBTCcHzNgWU1Bc6spsmqn1nDtM6voO7dbXOqdw0nV9MAgRob5DOioXMDnAGPDGWopcm2IdQOGAxWUKZGJCMVtZ9wANfEeCGCPcURNZpsaPnc0PYlnRQRgqe/6Z78KHEKOysguJg/2IH9Cydo+dAYliwBcIgrKyT8gYxvegnV7EyLMDP4S2H05Fj2nZbMNtsE3vW6ahGc0WBF5ba+ltYDbclq41oFGeKECMm7yLM+oSElCQDa51fDb1AOKuzoyl7QzMz2wVWqsC8+VUgQuWO2p+M/n9Ibg72/Oc6+keRCJ2gUNTPLvF3Bw8oQuesR3IkTeXvrwXVRQuIrGaxkV+V1I5n8wcnYkyu9YIGMCqhS+I00QZg3AASU5X2JFiL0/OHHpEgsrrnUfRQpLm0bSIqAJVy/ve/P/43lHFbcj1xOOVyWfSTDZzveq+TQJDeIeFYCnYSJOkmZnUgXg0fZ9nay3c5XOu44DFIQFihGYLi/UGMISYvQOu3Z8sZ3uXZWC70wysfIEmT1RZa5pWVTqUNrI6fu669d7dlSs7tXlJ+UaS2EpJXZGi15PBldqrtU++6LQOr/2ycvr0z095/evn13/cY/V0knmZdTrJS6x8KSQTouWfn7weW/qe/Pvtu6xO+6LlcjYuWn66TJoiTj0xvV2+mB9+I8eHpannZfAic+srz5rPi358Ix98zOdP69c2rpf8KOdmoh9fX33GTE104+LJ7xt8+rT+7qeUjtXnOWaV/fYZBZ+9yHv/Ac5gmHc="},"5":{"tf":0}}]'
Full server logs for the store processing
Impact
The path traversal vulnerability allows reading data on the machine of the
CodeChecker server
, with the same permission level as theCodeChecker server
process. This allows for the exfiltration from the server-side storage medium.If the
CodeChecker server
is run with authentication enabled (not the default configuration), then the attack requires a valid user account on theCodeChecker server
, with the permission to store to a database, and view the stored reports.CVSS 3.1 Base Score: 6.5
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Reproducible up to version
6.22.1
.References