Post by habibkhan1 on Jan 9, 2024 4:47:07 GMT
Recently the news broke that some nginx servers are also vulnerable to the protocol "Nginx AliasTravel", which was proposed at the Blackhat conference in 2018 and allows access to files and processes located outside of the root directory specified in directory aliases. The crux of the problem is that the files for the blocks with the alias are already provided by connecting the requested path, after matching it with the mask of the position guide and cutting the part of the path defined in this mask. The problem appears only in configurations with the "alias" directive, as in the Nginx configuration there is a directive called 'mode' which can describe how access to the URL should be handled, and is often used to map the URL to the files on the server. In the design that uses this condition in conjunction with the alias, it is important when the two conditions of 'do not put a slash at the end of the URL specified by the condition' and 'put a slash at the end of the path specified by the alias' are met. Harm is said to occur. At the BlackHat 2018 conference, Orange Tsai presented his research on breaking URL spammers.
Among other interesting findings, it shows the process discovered in a 2016 HCTF CTF challenge, created by @iaklis. For the procedure to be valid, the following conditions must be met: the action position must not decrease further in its path; the alias must be within the context and must end with a further contraction. For the example of the vulnerable configuration shown above, the attacker can ask for the file "/img../test.txt" and this request will match the mask specified in the "/img" position, after which the rest of the queue "./test.txt" will be added to the alias directory "/var/images/" and as a result the file "/var/images/../test.txt" will be requested. Therefore, attackers can access any file in the "/var" directory, not only the files in "/var/images/"; for example, to download the nginx log, you can send the request "/img../log/nginx/access.log". Analysis of repositories on GitHub shows that the errors in the nginx configuration that lead to the problem are also present in real projects. For example, there is a problem in the Bitwarden password manager backup and you can use it to access all files in the /etc/bitwarden directory (requests for /attachments are served from /etc/bitwarden/attachments/), including the database stored there, including passwords ("vault.db"), authentication and accounts, for which it is enough to send requests for "vault.db", "identity.pfx", "api.log", etc.
We have mentioned that the weight of this weakness can change significantly depending on the project, from a negligible effect to a significant one. Its effect is mainly determined by whether the exposed directory contains sensitive data that can facilitate further attacks or lead to disclosure of private information. As a starting point in our search for this vulnerability, we chose to explore popular GitHub repositories that reveal this issue. Identifying a specific vulnerability in environments with access to the source code becomes much more important, mainly due to two main factors: Detection - using simple code analysis tools, such as regular expression searches, allows us to identify the vulnerable Nginx configuration files within these projects. Exploitation - knowing the exact target directory that has been aliased allows us to set up a local instance, check aliased paths using the local shell, and determine which files can be accessed through the vulnerability. It is worth mentioning that the method also works with the Google HPC Application, where the requests are directed to the directory holding the database with the private key and certificates; the attacker can send requests for "secret_key" and "db.sqlite3". Finally, if you are interested in knowing more about it, you can consult the details in the following link.
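The regular-expression detection the post mentions, written out as an added example that is not part of the original post: a small Python checker over a constructed nginx config that flags prefix locations without a trailing slash paired with an alias that has one, and shows how the request paths quoted above resolve on disk. The function names and the sample config are my own; the fix is simply to give the location prefix a trailing slash as well.

```python
import re
import posixpath

# Constructed sample nginx config: the first location/alias pair is the
# off-by-slash pattern described in the post, the second is the safe form.
SAMPLE_CONF = """
server {
    location /img {
        alias /var/images/;
    }
    location /static/ {
        alias /srv/static/;
    }
}
"""

# Matches simple (non-nested) location blocks: optional modifier, prefix, body.
LOCATION_RE = re.compile(
    r'location\s+(?:(=|~\*?|\^~)\s+)?(\S+)\s*\{([^{}]*)\}', re.S)
ALIAS_RE = re.compile(r'\balias\s+("?)([^;"]+)\1\s*;')

def find_off_by_slash(conf: str):
    """Return (location_prefix, alias_dir) pairs where the prefix has no
    trailing slash but the alias does: the two conditions named in the post."""
    findings = []
    for mod, prefix, body in LOCATION_RE.findall(conf):
        if mod:                      # exact/regex locations are a different case
            continue
        m = ALIAS_RE.search(body)
        if not m:
            continue
        alias = m.group(2).strip()
        if not prefix.endswith('/') and alias.endswith('/'):
            findings.append((prefix, alias))
    return findings

def resolve(prefix: str, alias: str, uri: str):
    """Mimic how nginx builds the file path for a prefix location with alias:
    drop the matched prefix, append the remainder to the alias, normalise.
    Returns None when the URI does not match the prefix at all."""
    if not uri.startswith(prefix):
        return None
    return posixpath.normpath(alias + uri[len(prefix):])

def escapes_alias(prefix: str, alias: str, uri: str) -> bool:
    """True when the resolved path lies outside the alias directory."""
    p = resolve(prefix, alias, uri)
    root = posixpath.normpath(alias) + '/'
    return p is not None and not (p + '/').startswith(root)
```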