Erlang SSH SFTP 根目录逃逸漏洞修复分析

漏洞总结 漏洞概述 漏洞名称: SSH_FXP_FSETSTAT 根目录逃逸漏洞 漏洞描述: 在 文件中， 函数存在一个漏洞，允许攻击者通过构造恶意请求来逃逸根目录，从而访问或修改非预期的文件。 影响范围 受影响文件: 受影响函数: 修复方案 修复文件: 修复内容: - 在 函数中，将 替换为 ，确保路径解析时使用绝对路径，防止路径逃逸。 - 具体修改如下： POC代码/利用代码 测试文件: 测试内容: - 添加了新的测试用例 ，用于验证修复后的漏洞是否被正确修复。 - 具体测试代码如下： ```erlang access_attributes_outside_root(Config) -> #{osFamily := OsFamily} = os:type(), PrivDir = prop:get_value(priv_dir, Config), {ok, Sftp} = ssh_test_lib:connect(Config, [{user_dir, ClientUserDir}, {user, ?USER}, {password, ?PASSWORD}, {user_interaction, false}, {silently_accept_hosts, true}]), {ok, Channel} = ssh_connection:session_channel(Cm, ?SSH_WINDOW_SIZE, ?SSH_PACKET_SIZE, ?SSH_TIMEOUT), success = ssh_connection:subsystem(Cm, Channel, "sftp", ?SSH_TIMEOUT), case Result of {ok, Sftp} -> Port = ssh_test_lib:daemon_port(Sftp), ProtocolVer = case atom_to_list(TestCase) of "ver2" ++ _ -> 3; _ -> ?SSH_SFTP_PROTOCOL_VERSION end, Cm = ssh_test_lib:connect(Port, [{user_dir, ClientUserDir}, {user, ?USER}, {password, ?PASSWORD}, {user_interaction, false}, {silently_accept_hosts, true}]), {ok, Channel} = ssh_connection:session_channel(Cm, ?SSH_WINDOW_SIZE, ?SSH_PACKET_SIZE, ?SSH_TIMEOUT), success = ssh_connection:subsystem(Cm, Channel, "sftp", ?SSH_TIMEOUT), case Result of {ok, Sftp} -> Port = ssh_test_lib:daemon_port(Sftp), ProtocolVer = case atom_to_list(TestCase) of "ver2" ++ _ -> 3; _ -> ?SSH_SFTP_PROTOCOL_VERSION end, Cm = ssh_test_lib:connect(Port, [{user_dir, ClientUserDir}, {user, ?USER}, {password, ?PASSWORD}, {user_interaction, false}, {silently_accept_hosts, true}]), {ok, Channel} = ssh_connection:session_channel(Cm, ?SSH_WINDOW_SIZE, ?SSH_PACKET_SIZE, ?SSH_TIMEOUT), success = ssh_connection:subsystem(Cm, Channel, "sftp", ?SSH_TIMEOUT), case Result of {ok, Sftp} -> Port = ssh_test_lib:daemon_port(Sftp), ProtocolVer = case atom_to_list(TestCase) of "ver2" ++ _ -> 3; _ -> ?SSH_SFTP_PROTOCOL_VERSION end, Cm = ssh_test_lib:connect(Port, [{user_dir, ClientUserDir}, {user, ?USER}, {password, ?PASSWORD}, {user_interaction, false}, {silently_accept_hosts, true}]), {ok, Channel} = ssh_connection:session_channel(Cm, ?SSH_WINDOW_SIZE, ?SSH_PACKET_SIZE, ?SSH_TIMEOUT), success = ssh_connection:subsystem(Cm, Channel, "sftp", ?SSH_TIMEOUT), case Result of {ok, Sftp} -> Port = ssh_test_lib:daemon_port(Sftp), ProtocolVer = case atom_to_list(TestCase) of "ver2" ++ _ -> 3; _ -> ?SSH_SFTP_PROTOCOL_VERSION end, Cm = ssh_test_lib:connect(Port, [{user_dir, ClientUserDir}, {user, ?USER}, {password, ?PASSWORD}, {user_interaction, false}, {silently_accept_hosts, true}]), {ok, Channel} = ssh_connection:session_channel(Cm, ?SSH_WINDOW_SIZE, ?SSH_PACKET_SIZE, ?SSH_TIMEOUT), success = ssh_connection:subsystem(Cm, Channel, "sftp", ?SSH_TIMEOUT), case Result of {ok, Sftp} -> Port = ssh_test_lib:daemon_port(Sftp), ProtocolVer = case atom_to_list(TestCase) of "ver2" ++ _ -> 3; _ -> ?SSH_SFTP_PROTOCOL_VERSION end, Cm = ssh_test_lib:connect(Port, [{user_dir, ClientUserDir}, {user, ?USER}, {password, ?PASSWORD}, {user_interaction, false}, {silently_accept_hosts, true}]), {ok, Channel} = ssh_connection:session_channel(Cm, ?SSH_WINDOW_SIZE, ?SSH_PACKET_SIZE, ?SSH_TIMEOUT), success = ssh_connection:subsystem(Cm, Channel, "sftp", ?SSH_TIMEOUT), case Result of {ok, Sftp} -> Port = ssh_test_lib:daemon_port(Sftp), ProtocolVer = case atom_to_list(TestCase) of "ver2" ++ _ -> 3; _ -> ?SSH_SFTP_PROTOCOL_VERSION end, Cm = ssh_test_lib:connect(Port, [{user_dir, ClientUserDir}, {user, ?USER}, {password, ?PASSWORD}, {user_interaction, false}, {silently_accept_hosts, true}]), {ok, Channel} = ssh_connection:session_channel(Cm, ?SSH_WINDOW_SIZE, ?SSH_PACKET_SIZE, ?SSH_TIMEOUT), success = ssh_connection:subsystem(Cm, Channel, "sftp", ?SSH_TIMEOUT), case Result of {ok, Sftp} -> Port = ssh_test_lib:daemon_port(Sftp), ProtocolVer = case atom_to_list(TestCase) of "ver2" ++ _ -> 3; _ -> ?SSH_SFTP_PROTOCOL_VERSION end, Cm = ssh_test_lib:connect(Port, [{user_dir, ClientUserDir}, {user, ?USER}, {password, ?PASSWORD}, {user_interaction, false}, {silently_accept_hosts, true}]), {ok, Channel} = ssh_connection:session_channel(Cm, ?SSH_WINDOW_SIZE, ?SSH_PACKET_SIZE, ?SSH_TIMEOUT), success = ssh_connection:subsystem(Cm, Channel, "sftp", ?SSH_TIMEOUT), case Result of {ok, Sftp} -> Port = ssh_test_lib:daemon_port(Sftp), ProtocolVer = case atom_to_list(TestCase) of "ver2" ++ _ -> 3; _ -> ?SSH_SFTP_PROTOCOL_VERSION end, Cm = ssh_test_lib:connect(Port, [{user_dir, ClientUserDir}, {user, ?USER}, {password, ?PASSWORD}, {user_interaction, false}, {silently_accept_hosts, true}]), {ok, Channel} = ssh_connection:session_channel(Cm, ?SSH_WINDOW_SIZE, ?SSH_PACKET_SIZE, ?SSH_TIMEOUT), success = ssh_connection:subsystem(Cm, Channel, "sftp", ?SSH_TIMEOUT), case Result of {ok, Sftp} -> Port = ssh_test_lib:daemon_port(Sftp), ProtocolVer = case atom_to_list(TestCase) of "ver2" ++ _ -> 3; _ -> ?SSH_SFTP_PROTOCOL_VERSION end, Cm = ssh_test_lib:connect(Port, [{user_dir, ClientUserDir}, {user, ?USER}, {password, ?PASSWORD}, {user_interaction, f

目标达成感谢每一位支持者 — 我们达成了 100% 目标！

Erlang SSH SFTP 根目录逃逸漏洞修复分析

同源更多文章

目标达成 感谢每一位支持者 — 我们达成了 100% 目标！

Erlang SSH SFTP 根目录逃逸漏洞修复分析

同源更多文章

目标达成感谢每一位支持者 — 我们达成了 100% 目标！