EpicGamesExt / BlenderTools

Blender addons that improve the game development workflow between Blender and Unreal.
https://epicgamesext.github.io/BlenderTools/
MIT License

Update and Fixed BlenderTools dev server option `server.fs.deny` can be bypassed when hosted on case-insensitive filesystem #720

Open lamrecognitions opened 4 months ago

lamrecognitions commented 4 months ago

Update 👾 Describe The Summary:

This project (EpicGames/BlenderTools) is vulnerable to Access Control Bypass via the server.fs.deny option. An attacker can gain access to sensitive files by requesting raw filesystem paths using case-augmented versions of filenames. This is only exploitable if the server is hosted on a case-insensitive filesystem, including those used by Windows. This bypass is similar to CVE-2023-34092, with the surface area reduced to hosts having case-insensitive filesystems.

Details: Since picomatch defaults to case-sensitive glob matching but the file server doesn't discriminate, a blacklist bypass is possible. See the picomatch usage, where nocase is defaulted to false:

```typescript
_setInternalServer(_server: ViteDevServer) {
  // Rebind internal the server variable so functions reference the user
  // server instance after a restart
  server = _server
},
_restartPromise: null,
_importGlobMap: new Map(),
_forceOptimizeOnRestart: false,
_pendingRequests: new Map(),
// picomatch is constructed without `nocase`, so the deny globs match case-sensitively
_fsDenyGlob: picomatch(config.server.fs.deny, { matchBase: true }),
```

PoCs By IAP ZeroDay:

- `npm run dev -- --host 0.0.0.0`
- Created dummy secret files, e.g. `custom.secret` and `production.pem`

```javascript
export default {
  server: {
    fs: {
      deny: ['.env', '.env.*', '*.{crt,pem}', 'custom.secret'],
    },
  },
}
```

🥷 According to CVE Scores:

Users with exposed dev servers on environments with case-insensitive filesystems. Files protected by server.fs.deny are both discoverable and accessible.

CVE-2024-23331 CWE-178 CWE-200 CWE-284 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
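The mechanism the report describes is a deny-list whose glob matching is case-sensitive while the filesystem underneath is not. The following is an added illustration written for this page, not code from the issue, from BlenderTools or from Vite: `globToRegExp` is a hand-written simplification of picomatch's `*`, `?` and `{a,b}` handling (an assumption, enough for the four deny patterns quoted above), `matchBase` semantics are emulated by testing the basename, and the sample request paths are constructed. It builds the same deny list twice, once with the default (case-sensitive) matcher and once with `nocase: true`, and lists the request paths that the first matcher would let through.

```javascript
// Added example: compare a case-sensitive deny-list check against a case-insensitive one.
// globToRegExp is a deliberately small stand-in for picomatch (assumption: it covers only
// '*', '?' and '{a,b}' alternation, which is all the deny patterns on this page use).
function escapeRe(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

function globToRegExp(glob, { nocase = false } = {}) {
  let re = '';
  for (let i = 0; i < glob.length; i++) {
    const c = glob[i];
    if (c === '*') {
      re += '[^/]*';
    } else if (c === '?') {
      re += '[^/]';
    } else if (c === '{') {
      const end = glob.indexOf('}', i);
      if (end === -1) throw new Error(`unterminated brace in ${glob}`);
      const alts = glob.slice(i + 1, end).split(',').map(escapeRe);
      re += `(?:${alts.join('|')})`;
      i = end;
    } else {
      re += escapeRe(c);
    }
  }
  // nocase decides whether 'production.pem' and 'PRODUCTION.PEM' are the same file to the deny list.
  return new RegExp(`^${re}$`, nocase ? 'i' : '');
}

// matchBase: a pattern without a slash is tested against the basename of the requested path.
function makeDenyMatcher(patterns, opts = {}) {
  const regexes = patterns.map((p) => globToRegExp(p, opts));
  return (requestPath) => {
    const base = requestPath.split('/').pop();
    return regexes.some((r) => r.test(base));
  };
}

// The deny list quoted in the issue's vite.config.js.
const DENY = ['.env', '.env.*', '*.{crt,pem}', 'custom.secret'];

const denyCaseSensitive = makeDenyMatcher(DENY);                     // picomatch default: nocase false
const denyCaseInsensitive = makeDenyMatcher(DENY, { nocase: true }); // what a case-insensitive FS needs

// Constructed sample requests: each protected file once as written and once with altered case,
// plus one ordinary source file that must stay servable under both checks.
const SAMPLE_REQUESTS = [
  '/app/.env',
  '/app/.ENV',
  '/app/production.pem',
  '/app/Production.PEM',
  '/app/custom.secret',
  '/app/CUSTOM.SECRET',
  '/app/src/main.js',
];

// Paths the case-sensitive check would serve but the case-insensitive one blocks: on a
// case-insensitive filesystem these resolve to the protected files.
function findGaps() {
  return SAMPLE_REQUESTS.filter((p) => !denyCaseSensitive(p) && denyCaseInsensitive(p));
}

function report() {
  for (const p of SAMPLE_REQUESTS) {
    console.log(
      `${p.padEnd(24)} case-sensitive deny: ${denyCaseSensitive(p)}  nocase deny: ${denyCaseInsensitive(p)}`
    );
  }
  console.log('served only by the case-sensitive check:', findGaps());
}

report();
```

The three paths `findGaps` returns are exactly the case-augmented names the report is about; the ordinary source file is served by both checks, so turning on `nocase` costs nothing for legitimate requests. The general point for anyone operating such a deny list is that the matcher must compare names the same way the underlying filesystem does, and on Windows or a default macOS volume that means case-insensitively.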