Affected versions of this project (EpicGames/BlenderTools) are vulnerable to an access control bypass via the server.fs.deny option. An attacker can gain access to sensitive files by requesting raw filesystem paths using case-augmented versions of filenames. This is only exploitable if the server is hosted on a case-insensitive filesystem, including those used by Windows. This bypass is similar to CVE-2023-34092, with the attack surface reduced to hosts that have case-insensitive filesystems.
Details
Since picomatch defaults to case-sensitive glob matching but the file server does not discriminate by case, a blacklist bypass is possible. See the picomatch usage below, where nocase is left at its default of false:
_setInternalServer(_server: ViteDevServer) {
  // Rebind the internal server variable so functions reference the user
  // server instance after a restart
  server = _server
},
_restartPromise: null,
_importGlobMap: new Map(),
_forceOptimizeOnRestart: false,
_pendingRequests: new Map(),
// matchBase: true tests each deny pattern against the basename only; nocase is
// not set, so picomatch's default (nocase: false, case-sensitive) applies
_fsDenyGlob: picomatch(config.server.fs.deny, { matchBase: true }),
PoCs by IAP ZeroDay:
npm run dev -- --host 0.0.0.0
Created dummy secret files, e.g. custom.secret and production.pem
Users with exposed dev servers on environments with case-insensitive filesystems are affected. Files protected by server.fs.deny are both discoverable and accessible.
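As an added illustration (not Vite's or picomatch's own code), a minimal basename glob matcher that reproduces the two behaviours described above: the default case-sensitive check, which a differently-cased request slips past on a case-insensitive filesystem, and the nocase-style check that closes the gap. The deny list, the request paths and the compileDenyGlob/isDenied/checkRequest helpers are constructed for this example.

```javascript
// Added example (not Vite's or picomatch's own code): a minimal matchBase-style
// glob matcher showing why a case-sensitive deny list fails when the underlying
// filesystem is case-insensitive, and the nocase-style check that closes the gap.

// Compile a basename glob such as "*.pem" or ".env.*" to a RegExp.
// Only "*" and "?" are supported: this is a teaching stand-in for picomatch,
// not a reimplementation of it.
function compileDenyGlob(glob, { nocase = false } = {}) {
  const body = glob
    .split("")
    .map((ch) =>
      ch === "*" ? "[^/]*"
      : ch === "?" ? "[^/]"
      : ch.replace(/[.+^${}()|[\]\\]/g, "\\$&"))
    .join("");
  // nocase=false mirrors picomatch's default; nocase=true is the hardened form.
  return new RegExp(`^${body}$`, nocase ? "i" : "");
}

// matchBase semantics: the pattern is tested against the basename only,
// which is how server.fs.deny patterns like "*.secret" are meant to work.
function isDenied(requestPath, denyList, opts) {
  const base = requestPath.split("/").pop();
  return denyList.some((glob) => compileDenyGlob(glob, opts).test(base));
}

// Constructed deny list for the demonstration.
const DENY = [".env", ".env.*", "*.pem", "*.secret"];

// Returns "403" when the deny list blocks the request, "serve" otherwise.
// On a case-insensitive host, "serve" for PRODUCTION.PEM means the real
// production.pem is handed out, because the OS resolves both names to one file.
function checkRequest(requestPath, opts) {
  return isDenied(requestPath, DENY, opts) ? "403" : "serve";
}

// Constructed request paths: the denied file, a case-augmented variant of it,
// and an ordinary source file that must still be served.
for (const p of ["/app/production.pem", "/app/PRODUCTION.PEM",
                 "/app/Custom.Secret", "/app/main.ts"]) {
  console.log(p.padEnd(22),
              "default:", checkRequest(p, { nocase: false }),
              " nocase:", checkRequest(p, { nocase: true }));
}
```

Setting nocase to true over-denies on case-sensitive hosts (a file literally named PRODUCTION.PEM is also blocked), which is the safe direction for a deny list.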
Update
According to the CVE scoring:
CVE-2024-23331, CWE-178, CWE-200, CWE-284
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N