liftoff / GateOne

Gate One is an HTML5-powered terminal emulator and SSH client
http://liftoffsoftware.com/Products/GateOne

An Arbitrary File Download Vulnerability #747

Open wxdx110 opened 3 years ago

wxdx110 commented 3 years ago

Gateone has a vulnerability that allows arbitrary file download without authentication, which can traverse the directory and read arbitrary files on the target system.

Code auditing

Look at the file gateone/core/server.py. At line 3692 you can find the place where the handlers are set up:


You can see that downloads/ does not use the StaticFileHandler that comes with Tornado, but a handler written by the author himself, which may have vulnerabilities.

You can find the definition of the get method on line 924:

def get(self, path, include_body=True):
    session_dir = self.settings['session_dir']
    user = self.current_user
    if user and 'session' in user:
        session = user['session']
    else:
        logger.error(_("DownloadHandler: Could not determine use session"))
        return # Something is wrong
    # 'path' comes straight from the request URL; no normalisation or containment check
    filepath = os.path.join(session_dir, session, 'downloads', path)
    # abspath() collapses the '..' segments, so the result can lie outside 'downloads'
    abspath = os.path.abspath(filepath)
    if not os.path.exists(abspath):
        self.set_status(404)
        self.write(self.get_error_html(404))
        return
    if not os.path.isfile(abspath):
        raise tornado.web.HTTPError(403, "%s is not a file", path)

Pay attention to the key part. You can see that path is concatenated into filepath without any filtering, so there is a directory traversal and any file can be read.


Reproducing the vulnerability

Use the official Docker image to build the test environment.

  1. Pull the image: docker pull liftoff/gateone

  2. Run the image

    # Command (-p is host:container; Gate One listens on 8000 inside the container)
    docker run [-d/-t] -p [443]:8000 -h [hostname] --name gateone liftoff/gateone gateone
    # For example, if 443 is occupied on the server, use another unused host port:
    docker run -t -p 48620:8000 -h Rats --name gateone liftoff/gateone gateone

After installation, visit https://ip:port. Just ignore the warning if the browser reports that the site is not safe.


Capture the traffic while browsing; you can successfully read the file /etc/passwd by visiting https://192.168.150.128:48620/downloads/../../../../etc/passwd .

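To make the traversal in DownloadHandler.get concrete, here is an added example (not code from the Gate One project or from the issue author) that reproduces the handler's path construction in isolation and sets it beside a hardened version. The session directory, session id and request paths are constructed stand-ins; the real values depend on the deployment. It also shows why a plain string-prefix check is not a sufficient fix.

```python
import os

# Constructed stand-ins for self.settings['session_dir'] and user['session'];
# the real values are deployment-specific.
SESSION_DIR = "/gateone/sessions"
SESSION_ID = "abc123"
DOWNLOADS = os.path.join(SESSION_DIR, SESSION_ID, "downloads")


def vulnerable_resolve(path):
    """Same construction as DownloadHandler.get: join, then abspath, no containment check.
    abspath() collapses the '..' segments, so a request path can climb out of DOWNLOADS.
    Note also that os.path.join() drops the base entirely when 'path' is absolute."""
    return os.path.abspath(os.path.join(DOWNLOADS, path))


def startswith_check(path):
    """A common but insufficient fix: a string-prefix test on the resolved path.
    It blocks '..' climbing but accepts sibling directories that merely share
    the prefix (e.g. '.../downloads_evil')."""
    return vulnerable_resolve(path).startswith(DOWNLOADS)


def hardened_resolve(path):
    """Resolve the path and require DOWNLOADS to be its common ancestor.
    Returns the absolute path, or None when the request would leave the directory.
    In a live handler use os.path.realpath() on both sides so a symlink placed
    inside the downloads dir cannot point elsewhere; abspath is used here so the
    example is deterministic without touching the filesystem."""
    base = os.path.abspath(DOWNLOADS)
    candidate = os.path.abspath(os.path.join(base, path))
    # commonpath() compares path components, not characters, so a leading '/'
    # in the request and prefix-sharing siblings are both rejected.
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


if __name__ == "__main__":
    for p in ("report.txt", "../../../../etc/passwd", "/etc/shadow", "../downloads_evil/x"):
        print(f"{p!r:28} vulnerable={vulnerable_resolve(p)!r:36} "
              f"startswith={startswith_check(p)!s:5} hardened={hardened_resolve(p)!r}")
```

Browsers collapse dot-segments before sending a URL, which is why the issue captures and replays the request; from the command line the same request can be sent literally with `curl -k --path-as-is`. Tornado's own StaticFileHandler performs the containment check that the custom handler lacks in its validate_absolute_path method, which is the behaviour the hardened function above mirrors.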

abergmann commented 3 years ago

CVE-2020-35736 was assigned to this issue.

OS-WS commented 3 years ago

Hi, is there any fix for this CVE?