Apache Shiro安全漏洞(CVE-2020-13933)分析报告<\/h1>

漏洞概述<\/h2>
CVE-2020-13933是Apache Shiro框架中的一个授权绕过漏洞，该漏洞是之前CVE-2020-11989补丁修复不彻底导致的。由于Shiro和Spring框架在处理URL时存在差异，攻击者可以通过构造特殊的HTTP请求绕过授权机制，访问未授权的资源。<\/p>

影响范围<\/h2>

Apache Shiro版本 < 1.6.0<\/li>

在Spring框架中仅使用Shiro进行鉴权的系统<\/li> <\/ul>

漏洞原理<\/h2>

根本原因<\/h3>

漏洞的根本原因在于Shiro和Spring框架对URI处理方式的不同：<\/p>

Shiro处理流程<\/strong>：<\/p>

对URI进行解码<\/li>
去除分号<\/li>
然后进行权限检查<\/li> <\/ul> <\/li>

Spring处理流程<\/strong>：<\/p>

先检查URI中是否存在分号（但无法识别编码后的分号）<\/li>
然后进行解码<\/li>
最后进行路由匹配<\/li> <\/ul> <\/li> <\/ol>
处理差异示例<\/h3>
当传入编码后的URI如\/admin\/%3bpage<\/code>时：<\/p>
Shiro处理<\/strong>：<\/p> 解码为\/admin\/;page<\/code><\/li> 去除分号后变为\/admin\/page<\/code><\/li> 由于配置的规则是\/admin\/*<\/code>需要认证，而\/admin\/page<\/code>会被正确拦截<\/li> <\/ul> <\/li> Spring处理<\/strong>：<\/p> 直接检查原始URI\/admin\/%3bpage<\/code>中是否有分号（未解码，找不到）<\/li> 解码后得到\/admin\/;page<\/code><\/li> 最终匹配到\/admin\/{name}<\/code>路由，返回"admin page"<\/li> <\/ul> <\/li> <\/ul> 漏洞复现<\/h2> 环境配置<\/h3> @Bean<\/span> <\/span><\/span>ShiroFilterFactoryBean shiroFilterFactoryBean<\/span>(){<\/span> <\/span><\/span> ShiroFilterFactoryBean bean =<\/span> new<\/span> ShiroFilterFactoryBean();<\/span> <\/span><\/span> bean.<\/span>setSecurityManager<\/span>(<\/span>securityManager());<\/span> <\/span><\/span> bean.<\/span>setLoginUrl<\/span>(<\/span>"\/login"<\/span>);<\/span> <\/span><\/span> bean.<\/span>setSuccessUrl<\/span>(<\/span>"\/index"<\/span>);<\/span> <\/span><\/span> bean.<\/span>setUnauthorizedUrl<\/span>(<\/span>"\/unauthorizedurl"<\/span>);<\/span> <\/span><\/span> Map<<\/span>String,<\/span> String><\/span> map =<\/span> new<\/span> LinkedHashMap<>();<\/span> <\/span><\/span> map.<\/span>put<\/span>(<\/span>"\/doLogin\/"<\/span>,<\/span> "anon"<\/span>);<\/span> \/\/ 匿名访问 <\/span><\/span><\/span><\/span> map.<\/span>put<\/span>(<\/span>"\/admin\/*"<\/span>,<\/span> "authc"<\/span>);<\/span> \/\/ 需要认证 <\/span><\/span><\/span><\/span> bean.<\/span>setFilterChainDefinitionMap<\/span>(<\/span>map);<\/span> <\/span><\/span> return<\/span> bean;<\/span> <\/span><\/span>}<\/span> <\/span><\/span> <\/span><\/span>@GetMapping<\/span>(<\/span>"\/admin\/{name}"<\/span>)<\/span> <\/span><\/span>public<\/span> String admin<\/span>(<\/span>@PathVariable<\/span> String name)<\/span> {<\/span> <\/span><\/span> return<\/span> "admin page"<\/span>;<\/span> <\/span><\/span>}<\/span> <\/span><\/span> <\/span><\/span>@GetMapping<\/span>(<\/span>"\/login"<\/span>)<\/span> <\/span><\/span>public<\/span> String login<\/span>()<\/span> {<\/span> <\/span><\/span> return<\/span> "please login!"<\/span>;<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>攻击方式<\/h3> 构造如下请求即可绕过Shiro的认证检查：<\/p> GET \/admin\/%3bpage HTTP\/1.1 Host: vulnerable-app.com <\/code><\/pre> 调试分析<\/h2> Shiro处理流程<\/strong>：<\/p> 对URI进行解码并去除分号<\/li> 由于\/admin\/<\/code>没有匹配到具体资源路径，请求会通过过滤器到达Spring<\/li> <\/ul> <\/li> Spring处理流程<\/strong>：<\/p> 获取解码前的原始URI<\/li> 在decodeAndCleanUriString<\/code>方法中：先检查URI中是否存在分号（无法识别编码后的%3b<\/code>）<\/li> 因此不进入if分支，返回带编码的URI<\/li> <\/ul> <\/li> 然后进行解码，得到\/admin\/;page<\/code><\/li> 最终匹配到\/admin\/{name}<\/code>路由<\/li> <\/ul> <\/li> <\/ol> 漏洞修复<\/h2> Apache Shiro在1.6.0版本中修复了此漏洞，主要措施是：<\/p> 添加了InvalidRequestFilter<\/code>类<\/li> 该过滤器从全局上对以下字符进行过滤：分号<\/li> 反斜杠<\/li> 非ASCII字符<\/li> <\/ul> <\/li> <\/ol> 防御建议<\/h2> 升级Apache Shiro到1.6.0或更高版本<\/li> 如果无法立即升级，可以自定义过滤器对特殊字符进行过滤<\/li> 统一应用层和框架层的URI处理逻辑<\/li> 实施深度防御策略，不单独依赖Shiro的权限控制<\/li> <\/ol> 总结<\/h2> CVE-2020-13933展示了框架间处理逻辑差异可能导致的安全问题。开发人员应当：<\/p> 了解所用框架的安全特性<\/li> 及时应用安全补丁<\/li> 实施多层防御策略<\/li> 定期进行安全审计和渗透测试<\/li> <\/ul>