iOS解压缩库ZipArchive路径穿越问题
2020-07-04 12:20:24 Author: bbs.pediy.com(查看原文) 阅读量:385 收藏

活跃值: 活跃值 (163)

能力值:

( LV3,RANK:30 )

在线值:

[原创]iOS解压缩库ZipArchive路径穿越问题

18小时前 185

[原创]iOS解压缩库ZipArchive路径穿越问题

盘古实验室公布的一个由目录穿越导致RCE的漏洞,称为ZipperDown。
由于现有的iOS App基本上采用SSZipArchive或Ziparchive来实现解压,因此漏洞是来自使用第三方Zip库解压Zip文件的过程中没有对Zip内文件名做校验导致的;例如 SSZipArchive解压时会把文件名直接拼接到目标路径后面,如果文件名中含有“../”则可以实现目录的上一级跳转,从而实现应用内任意目录的跳转,进一步可以实现文件覆盖。

(如果你想测试下这个漏洞,可去github下载一个不错的Demo:https://github.com/muzipiao/ZipperDown)

这件事之后Ziparchive修复了该漏洞。代码中增加了一个 - (NSString *)_sanitizedPath 方法用于专门处理压缩包内的文件名,清除其中有害部分。

Ziparchive库源码地址:https://github.com/ZipArchive/ZipArchive

SSZipArchive.m 的 _sanitizedPath 方法的源代码:

- (NSString *)_sanitizedPath
{
    // Change Windows paths to Unix paths: https://en.wikipedia.org/wiki/Path_(computing)
    // Possible improvement: only do this if the archive was created on a non-Unix system
    NSString *strPath = [self stringByReplacingOccurrencesOfString:@"\\" withString:@"/"];

    // Percent-encode file path (where path is defined by https://tools.ietf.org/html/rfc8089)
    // The key part is to allow characters "." and "/" and disallow "%".
    // CharacterSet.urlPathAllowed seems to do the job
#if (__MAC_OS_X_VERSION_MIN_REQUIRED >= 1090 || __IPHONE_OS_VERSION_MIN_REQUIRED >= 70000 || __WATCH_OS_VERSION_MIN_REQUIRED >= 20000 || __TV_OS_VERSION_MIN_REQUIRED >= 90000)
    strPath = [strPath stringByAddingPercentEncodingWithAllowedCharacters:NSCharacterSet.URLPathAllowedCharacterSet];
#else
    // Testing availability of @available (https://stackoverflow.com/a/46927445/1033581)
#if __clang_major__ < 9
    // Xcode 8-
    if (floor(NSFoundationVersionNumber) > NSFoundationVersionNumber10_8_4) {
#else
    // Xcode 9+
    if (@available(macOS 10.9, iOS 7.0, watchOS 2.0, tvOS 9.0, *)) {
#endif
        strPath = [strPath stringByAddingPercentEncodingWithAllowedCharacters:NSCharacterSet.URLPathAllowedCharacterSet];
    } else {
        strPath = [strPath stringByAddingPercentEscapesUsingEncoding:NSUTF8StringEncoding];
    }
#endif

    // `NSString.stringByAddingPercentEncodingWithAllowedCharacters:` may theorically fail: https://stackoverflow.com/questions/33558933/
    // But because we auto-detect encoding using `NSString.stringEncodingForData:encodingOptions:convertedString:usedLossyConversion:`,
    // we likely already prevent UTF-16, UTF-32 and invalid Unicode in the form of unpaired surrogate chars: https://stackoverflow.com/questions/53043876/
    // To be on the safe side, we will still perform a guard check.
    if (strPath == nil) {
        return nil;
    }

    // Add scheme "file:///" to support sanitation on names with a colon like "file:a/../../../usr/bin"
    strPath = [@"file:///" stringByAppendingString:strPath];

    // Sanitize path traversal characters to prevent directory backtracking. Ignoring these characters mimicks the default behavior of the Unarchiving tool on macOS.
    // "../../../../../../../../../../../tmp/test.txt" -> "tmp/test.txt"
    // "a/b/../c.txt" -> "a/c.txt"
    strPath = [NSURL URLWithString:strPath].standardizedURL.absoluteString;

    // Remove the "file:///" scheme
    strPath = [strPath substringFromIndex:8];

    // Remove the percent-encoding
#if (__MAC_OS_X_VERSION_MIN_REQUIRED >= 1090 || __IPHONE_OS_VERSION_MIN_REQUIRED >= 70000 || __WATCH_OS_VERSION_MIN_REQUIRED >= 20000 || __TV_OS_VERSION_MIN_REQUIRED >= 90000)
    strPath = strPath.stringByRemovingPercentEncoding;
#else
    // Testing availability of @available (https://stackoverflow.com/a/46927445/1033581)
#if __clang_major__ < 9
    // Xcode 8-
    if (floor(NSFoundationVersionNumber) > NSFoundationVersionNumber10_8_4) {
#else
    // Xcode 9+
    if (@available(macOS 10.9, iOS 7.0, watchOS 2.0, tvOS 9.0, *)) {
#endif
        strPath = strPath.stringByRemovingPercentEncoding;
    } else {
        strPath = [strPath stringByReplacingPercentEscapesUsingEncoding:NSUTF8StringEncoding];
    }
#endif

    return strPath;
}

这个方法清理了路径中的有害部分:

(1)把windows下的路径转成Unix下的路径,把路径中的"\\"替换成"/":
    NSString *strPath = [self stringByReplacingOccurrencesOfString:@"\\" withString:@"/"];
(2)路径中允许"." 和 "/" ,但不能有"%",对百分号做了处理:
strPath = [strPath stringByAddingPercentEncodingWithAllowedCharacters:NSCharacterSet.URLPathAllowedCharacterSet];

效果示例:
处理前:
http%3a%2f%2fwww.rfc-editor.org%2finfo%2frfc1738%3e
处理后:
http%253a%252f%252fwww.rfc-editor.org%252finfo%252frfc1738%253e
可以看到 "%" 被 "%25" 替换了

(3)添加 scheme 的 "file:///" 前缀, 以便转成NSURL时可以处理路径中的"../"从而获取绝对路径:
//为路径增加 "file:///" 前缀
strPath = [@"file:///" stringByAppendingString:strPath];

//路径转成NSURL,并使用 .standardizedURL.absoluteString 从而最终清理路径中的"../"获得最终的绝对路径
strPath = [NSURL URLWithString:strPath].standardizedURL.absoluteString;

// 删除 "file:///" 前缀
strPath = [strPath substringFromIndex:8];

效果示例:
原路径:test/../code.png
添加前缀后:file:///test/../code.png
NSURL处理后获得绝对路径:file:///code.png
删除前缀:code.png

(4)清除百分号编码
strPath = strPath.stringByRemovingPercentEncoding;

效果示例:
处理前:
http%253a%252f%252fwww.rfc-editor.org%252finfo%252frfc1738%253e
处理后:
http%3a%2f%2fwww.rfc-editor.org%2finfo%2frfc1738%3e
可以看到 "%25" 被 "%" 替换了。

经过以上几步的处理,最终得到可用的strPath

拓展:

从源码的调试中,也发现一个小问题:
当文件名包含"..\"时,文件名被读取时会被默认加入一个"\"转义符,并最终造成了路径穿越。这个路径穿越能力非常有限。

实践步骤如下:

1、原文件名是"..\code.png", test 是文件夹:

2、原文件路径是"test/..\code.png",被读取时转义为"test/..\\code.png":

3、在 _sanitizedPath 方法中把 "\\" 替换成了 "/",因此 "test/..\\code.png" 变成了 "test/../code.png":

4、为"test/../code.png"增加了"file:///"前缀:

5、接着又做绝对路径的处理,"file:///test/../code.png" 变成了 "file:///code.png",test文件夹没了!

6、删除"file:///"前缀,得到"code.png",最终 _sanitizedPath 方法返回值就是"code.png":

7、执行完解压后,app的Documents路径下, "..\code.png"文件穿越到了test文件夹外:

最后于 18小时前 被luoyanbei编辑 ,原因:


文章来源: https://bbs.pediy.com/thread-260474.htm
如有侵权请联系:admin#unsafe.sh