Update and Fixed BlenderTools dev server option server.fs.deny
can be bypassed when hosted on case-insensitive filesystem
#720
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Update 👾 Describe The Sumarry:
Affected of this project
EpicGames/BlenderTools
are vulnerable to Access Control Bypass via the server.fs.deny option. An attacker can gain access to sensitive files by requesting raw filesystem paths using case-augmented versions of filenames. This is only exploitable if the server is hosted on a case-insensitive filesystem, including those used by Windows. This bypass is similar to CVE-2023-34092 with surface area reduced to hosts having case-insensitive filesystems.Details
Since
picomatch
defaults to case-sensitive glob matching, but the file server doesn't discriminate; a blacklist bypass is possible. Seepicomatch
usage, wherenocase
is defaulted tofalse
:PoCs By IAP ZeroDay:
npm run dev -- --host 0.0.0.0
Created dummy secret files, e.g.
custom.secret
andproduction.pem
🥷 According CVeScores:
Users with exposed dev servers on environments with case-insensitive filesystems Files protected by
server.fs.deny
are both discoverable, and accessibleCVE-2024-23331
CWE-178
CWE-200
CWE-284
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N