# poc-cve-2024-23334
This repository contains a proof of concept about the exploitation of the aiohttp library for the reported vulnerability CVE-2024-23334.

This was created for two reasons:
1. Educational purposes: for those who are starting in application security, it is helpful to see the steps to reproduce a vulnerability as well as understanding the concepts behind it.
2. Fixing steps: sharing mitigation steps in order to fix the issue.

For more information, visit my website:

## Requirements
- Install Docker
- Install Python3

## How to run the project locally.

1. Clone this repo locally.
2. Run the following command to build the image:

make build

3. Run the following command to run the container:

make run

If you want to run docker in detached mode, just run:

make rund

## Scenarios

1. **Make a request with the url modified to perform path traversal and exploit Local File Inclusion vulnerability (LFI)**: To
execute the exploit, run the following script:

python3 exploits/

By running the script, we are performing a RAW HTTP request to the server. We do it this way and not by using curl or accessing
directly in the browser because thse tools includes sanitizing and normalizing URLs before sending the HTTP request. This includes path Normalization:
tools like curl and browsers will process the URL path, removing sequences like .. that are used for directory traversal.
Therefore, a path like /static/../../../../../../../../../../../../etc/shadow will be normalized to /etc/shadow,
and since such a path does not typically exist as a resource on a standard web server, it results in a 404 error.

2. **There is already created a symlink to a restricted file, such as /etc/shadow.** This scenario is the most improbable,
but maybe someone internally from the company can leak information using this and people may not check the static logs.
And in case static file access is not logged, it is very difficult to identify when it was leaked.

The scenario created in this repo was just for explaining the vulnerability and prooving that it exists and is still exploitable.

3. **Someone can upload a symlink to the server and exploit.** This is a more real scenario, where what I do is to upload a symlink generated
on my computer, and then I access to that file so I can retrieve a file such as /etc/shadow.

The way of performing this is with a compressed file, so that way we are able to upload the symlink and, when uncompressed in the server, it generates that
same symlink. Uploading a symlink through curl directly as a link.jpeg file will only read the local file that the symlink is targeting and will upload
the original file instead. So, if we want to target a specific path of the server filesystem, we should be able to upload a compressed file, such as .zip or

To reproduce this second scenario, you have to follow these steps:

touch /etc/shadow   # It creates a file on your machine on the specified directory. Be sure that you don't replace an existing file.
ln -s /etc/shadow exploit.jpeg  # Creates a symlink with the /etc/shadow file and name it exploit.jpeg
zip -y exploit.jpeg  # Zip the symlink
curl -X POST -F "" http://localhost:8080/upload # Upload the zip file
curl -o shadow.txt http://localhost:8080/static/exploit.jpeg    # Access the symlink and, because aiohttp has the vulnerability, it returns the /etc/shadow from the server.

## Mitigations


## Development

In order to set up the project locally to develop, you have to:

1. Create virtual environment.

python3 -m venv env

2. Install dependencies.

pip3 install -r requirements.txt
pip3 install -r test-requirements.txt

## Resources