Update and Fixed BlenderTools dev server option server.fs.deny can be bypassed when hosted on case-insensitive filesystem
#720
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…be bypassed when hosted on case-insensitive filesystem ## Update 👾 Describe The Sumarry: Affected of this project `EpicGames/BlenderTools` are vulnerable to Access Control Bypass via the server.fs.deny option. An attacker can gain access to sensitive files by requesting raw filesystem paths using case-augmented versions of filenames. This is only exploitable if the server is hosted on a case-insensitive filesystem, including those used by Windows. This bypass is similar to CVE-2023-34092 with surface area reduced to hosts having case-insensitive filesystems. **Details** Since `picomatch` defaults to case-sensitive glob matching, but the file server doesn't discriminate; a blacklist bypass is possible. See `picomatch` usage, where `nocase` is defaulted to `false`: ```js _setInternalServer(_server: ViteDevServer) { // Rebind internal the server variable so functions reference the user // server instance after a restart server = _server }, _restartPromise: null, _importGlobMap: new Map(), _forceOptimizeOnRestart: false, _pendingRequests: new Map(), _fsDenyGlob: picomatch(config.server.fs.deny, { matchBase: true }), ``` **PoCs By IAP ZeroDay:** `npm run dev -- --host 0.0.0.0` Created dummy secret files, e.g. `custom.secret` and `production.pem` ```rb export default { server: { fs: { deny: ['.env', '.env.*', '*.{crt,pem}', 'custom.secret'] } } } ``` ## 🥷 According CVeScores: Users with exposed dev servers on environments with case-insensitive filesystems Files protected by `server.fs.deny` are both discoverable, and accessible CVE-2024-23331 CWE-178 CWE-200 CWE-284 `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N`
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Update 👾 Describe The Sumarry:
Affected of this project
EpicGames/BlenderToolsare vulnerable to Access Control Bypass via the server.fs.deny option. An attacker can gain access to sensitive files by requesting raw filesystem paths using case-augmented versions of filenames. This is only exploitable if the server is hosted on a case-insensitive filesystem, including those used by Windows. This bypass is similar to CVE-2023-34092 with surface area reduced to hosts having case-insensitive filesystems.Details
Since
picomatchdefaults to case-sensitive glob matching, but the file server doesn't discriminate; a blacklist bypass is possible. Seepicomatchusage, wherenocaseis defaulted tofalse:PoCs By IAP ZeroDay:
npm run dev -- --host 0.0.0.0Created dummy secret files, e.g.
custom.secretandproduction.pem🥷 According CVeScores:
Users with exposed dev servers on environments with case-insensitive filesystems Files protected by
server.fs.denyare both discoverable, and accessibleCVE-2024-23331
CWE-178
CWE-200
CWE-284
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N