Recently, a newly published advisory reported a directory traversal vulnerability affecting Jira versions 5.0.11 and 6.0.3. The vulnerability was confirmed in July of last year and fixed over the following months.
The attack method is simple, but the potential impact is severe: the vulnerability could allow an attacker to upload a file that serves as a webshell. Below I will explain how this vulnerability can be found through static analysis, and which small detail makes it exploitable only on Windows systems.
Vulnerability identification
The following code comes from the IssueCollector plugin, which exposes a REST API that accepts screenshot uploads to be attached to the issue description.
com/atlassian/jira/collector/plugin/rest/TemporaryAttachmentsResource.java
[...]
@POST
@Path("multipart/{collectorId}")
@Consumes({"multipart/form-data"})
@Produces({"text/html"})
public Response attachTemporaryFileViaForm(@PathParam("collectorId") String collectorId,
                                           @MultipartFormParam("screenshot") Collection<FilePart> fileParts)
{
    ServiceOutcome outcome = this.collectorService.getCollector(collectorId);
    [...]
    FilePart filePart = (FilePart) fileParts.iterator().next();
    try
    {
        [...]
        // The part's name (the client-supplied filename) is passed through unchanged.
        TemporaryAttachment temporaryAttachment = createTemporaryAttachment(filePart.getName(),
                filePart.getContentType(), filePart.getInputStream());
        temporaryAttachmentsMonitor.add(temporaryAttachment);
        context.put("temporaryAttachment", temporaryAttachment);
        return Response.ok(renderTemplate("templates/rest/tempfilejson.vm", context))
                .cacheControl(com.atlassian.jira.rest.v1.util.CacheControl.NO_CACHE).build();
    }
    catch (IOException e)
    {
    }
    return Response.serverError().cacheControl(com.atlassian.jira.rest.v1.util.CacheControl.NO_CACHE).build();
}

private TemporaryAttachment createTemporaryAttachment(String fileName, String contentType, InputStream inputStream)
{
    File tmpDir = AttachmentUtils.getTemporaryAttachmentDirectory();
    long uniqueId;
    File tempAttachmentFile;
    do
    {
        uniqueId = getUUID();
        // fileName is joined onto the temporary directory without any sanitisation.
        tempAttachmentFile = new File(tmpDir, uniqueId + "_" + fileName);
    }
    while (tempAttachmentFile.exists());
    FileOutputStream output = null;
    try
    {
        output = new FileOutputStream(tempAttachmentFile);
        IOUtils.copy(inputStream, output);
        output.close();
    }
    catch (IOException e)
    {
        IOUtils.closeQuietly(output);
        log.error("Error creating temporary attachment", e);
        return null;
    }
    return new TemporaryAttachment(Long.valueOf(uniqueId), Long.valueOf(-1L), tempAttachmentFile, fileName, contentType);
}
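As an added example (not code from Jira, the plugin, or the advisory), the following hardened replacement for the filename handling in createTemporaryAttachment shows the two checks a reviewer would want here: reduce the client-supplied name to a single path component, then confirm that the canonical target path still lies inside the temporary directory. The class name SafeAttachmentName, the method names, and the sample filenames are assumptions made for this illustration; the temporary directory is taken from java.io.tmpdir rather than AttachmentUtils, and the unique id is a fixed constructed value.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Path;

// Added illustrative code; not part of Jira or the IssueCollector plugin.
public final class SafeAttachmentName {

    /** Reduce an untrusted multipart filename to a single, conservative path component. */
    static String sanitizeFileName(String fileName) {
        if (fileName == null) {
            throw new IllegalArgumentException("missing filename");
        }
        // Some clients send the full client-side path; keep only the last segment,
        // treating both '/' and '\' as separators regardless of the server OS.
        int cut = Math.max(fileName.lastIndexOf('/'), fileName.lastIndexOf('\\'));
        String base = fileName.substring(cut + 1);
        // Reject empty names and names made only of dots ("." or "..").
        if (base.isEmpty() || base.chars().allMatch(c -> c == '.')) {
            throw new IllegalArgumentException("invalid filename");
        }
        // Allow-list characters; anything else is replaced so no separator or
        // control character can survive into the path.
        return base.replaceAll("[^A-Za-z0-9._-]", "_");
    }

    /** Build the target path and verify, after canonicalisation, that it is inside tmpDir. */
    static File resolveInside(File tmpDir, long uniqueId, String fileName) throws IOException {
        String safe = sanitizeFileName(fileName);
        File target = new File(tmpDir, uniqueId + "_" + safe);
        Path root = tmpDir.getCanonicalFile().toPath();
        Path candidate = target.getCanonicalFile().toPath();
        // Defence in depth: even if sanitisation were bypassed, a path that
        // resolves outside the temporary directory is refused.
        if (candidate.equals(root) || !candidate.startsWith(root)) {
            throw new IOException("attachment path escapes temporary directory");
        }
        return target;
    }

    public static void main(String[] args) throws IOException {
        File tmpDir = new File(System.getProperty("java.io.tmpdir"), "attachment-demo");
        tmpDir.mkdirs();
        // Constructed sample filenames: a normal upload, a Unix-style traversal,
        // a Windows-style traversal, and a full client-side Windows path.
        String[] samples = {
            "screenshot.png",
            "../../evil.jsp",
            "\\..\\..\\evil.jsp",
            "C:\\Users\\me\\shot.png"
        };
        for (String s : samples) {
            System.out.println(s + " -> " + resolveInside(tmpDir, 123L, s).getName());
        }
    }
}
```

Every sample above ends up as a plain file directly under the temporary directory (for example 123_evil.jsp rather than a path that walks upward). Because distinct inputs can sanitise to the same name, the unique id prefix and the exists() loop from the original code remain necessary; restricting the allowed extensions or content types for screenshots is a separate control and is not shown here.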