{"id":2545,"date":"2021-07-17T20:12:42","date_gmt":"2021-07-17T14:42:42","guid":{"rendered":"https:\/\/xiarch.com\/blog\/?p=2545"},"modified":"2021-07-17T20:12:44","modified_gmt":"2021-07-17T14:42:44","slug":"sensitive-cloudflare-cdn-bugs-grant-compromise-of-12-of-all-sites","status":"publish","type":"post","link":"https:\/\/xiarch.com\/blog\/sensitive-cloudflare-cdn-bugs-grant-compromise-of-12-of-all-sites\/","title":{"rendered":"Sensitive Cloudflare CDN Bugs Grant Compromise of 12% of all sites"},"content":{"rendered":"\n
Cloudflare has fixed a critical vulnerability in its free and open-source CDNJS probably impacting 12.7% of all the websites on the internet. CDNJS deliver million of websites with over 4,000 JavaScript and CSS libraries preserved publicly on GitHub, creating it the second-largest JavaScript CDN.<\/p><\/p>\n\n\n\n
The vulnerability exploits negotiate publishing packages to Cloudflare\u2019s CDNJS using GitHub and npm, to trigger a Path Traversal vulnerability, and eventually remote code execution. In case exploited, the vulnerability would lead to complete negotiation of CDNJS infrastructures.<\/p><\/p>\n\n\n\n
From \u201cZIP Slip\u201d to remote code execution <\/strong><\/h2>\n\n\n\n
This week, security researcher Ryotak explains how he was able to find a method to completely negotiate Cloudflare\u2019s CDJNS network while researching supply-chain attacks. Content delivery networks (CDNs) executes a critical role in maintaining the security, availability of the Internet as a broad majority of websites rely on these services to load popular JavaScript libraries and CSS scripts.<\/p><\/p>\n\n\n\n
CDNs can become a choice of targets for adversaries as, if compromised, the attack can have far-reaching limitations for many websites, online stores, and their customers. While glancing over cdnjs.com, RyotaK noticed that for libraries that did not yet exist in CDNJS, he could advise the addition of a new library via the CDNJS GitHub repository.<\/p><\/p>\n\n\n\n
<\/figure><\/div>\n\n\n\n
After going through this GitHub repository and the adjacent ones that together make the CDNJS ecosystem work, Ryotak finds a way to trick the servers into running the arbitrary code. Particularly, the investigator studied the scripts present in cdjns\/bot-ansible and cdjns\/tools, including an auto-update script that provides automatic retrieval of library updates. <\/p><\/p>\n\n\n\n
These scripts would periodically update the CDJNS server with newer versions of software libraries released by their authors on the corresponding npm registry.<\/p><\/p>\n\n\n\n
In other words, for every library published to CDNJS GitHub repo, its updated version would be downloaded from the linked npm registry, with the npm version also managed by the library author. Ryotak wondered what would appear if a library he had published to CDNJS had its corresponding npm version containing a Path Traversal exploit. Note, npm packages are published as TGZ (.tar.gz) archives which can easily be crafted with path traversal exploits hiding within.<\/p><\/p>\n\n\n\n
The investigator first published to npm, which would eventually get processed by CDJNS updates bots, the researcher inserted Bash scripts in strange-looking ways, These different ways are nothing other than Path Traversal exploits hidden inside ZIP\/TGZ archives, a concept well-known in 2018 as \u201cZIP Slip.\u201d<\/p><\/p>\n\n\n\n
<\/figure><\/div>\n\n\n\n
Once CDNJS servers processed the crafted \u201chey-sven\u201d npm archives, the data of these Bash scripts would be run on the server. But, the investigator did not want to mistakenly overwrite an existing script so he first utilized a symlink vulnerability to go through the data of the files he was about to overwrite, during the proof-of-concept (PoC) test.<\/p><\/p>\n\n\n\n
\u201cAs Git supports symbolic links by default, it may be possible to read arbitrary files from the cdjns library update server by adding symlink into the Git repository.\u201d<\/p><\/p>\n\n\n\n
\u201cIf the constantly executed script file is overwritten to run arbitrary commands, the automatic update process may be crashed, so I decided to go through the arbitrary file,\u201d the researcher said.<\/p><\/p>\n\n\n\n
As soon as his crafted PoC hit the server, Ryotak was able to suddenly dump sensitive secrets such as GITHUB_REPO_API_KEY and WORKERS_KV_API_TOKEN into scripts served by the CDN at https:\/\/cdjns.clodflare.com\/<\/a>…<\/p><\/p>\n\n\n\n
![\"Sensitive-Cloudflare-CDN-Bugs-Grant-Compromise-of-12-of-all-sites-image1\"](\"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/07\/Sensitive-Cloudflare-CDN-Bugs-Grant-Compromise-of-12-of-all-sites-image1-1024x448.jpg\")
<\/figure><\/div>\n\n\n\n![\"Sensitive-Cloudflare-CDN-Bugs-Grant-Compromise-of-12-of-all-sites-image2\"](\"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/07\/Sensitive-Cloudflare-CDN-Bugs-Grant-Compromise-of-12-of-all-sites-image2-1024x95.jpg\")
<\/figure><\/div>\n\n\n\n![\"Sensitive-Cloudflare-CDN-Bugs-Grant-Compromise-of-12-of-all-sites-image3\"](\"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/07\/Sensitive-Cloudflare-CDN-Bugs-Grant-Compromise-of-12-of-all-sites-image4-1024x49.png\")
<\/figure><\/div>\n\n\n\n![\"Sensitive-Cloudflare-CDN-Bugs-Grant-Compromise-of-12-of-all-sites-image4\"](\"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/07\/Sensitive-Cloudflare-CDN-Bugs-Grant-Compromise-of-12-of-all-sites-image3-1024x540.jpg\")
<\/figure><\/div>\n\n\n\n