Puma header normalization CVE-2024-45614 verification
===

- advisory: https://github.com/puma/puma/security/advisories/GHSA-9hf4-67fc-4vf4
- fix commit: https://github.com/puma/puma/commit/cac3fd18cf29ed43719ff5d52d9cfec215f0a043

Summary of the advisory: a client could clobber a value set by an intermediate proxy (such as `X-Forwarded-For`) by sending an underscore version of the same header (`X-Forwarded_For`), because both names normalize to the same Rack env key (`HTTP_X_FORWARDED_FOR`). Puma 6.4.3 / 5.6.9 discard a header whose name contains an underscore when the hyphenated version is also present. nginx already drops such headers by default (`underscores_in_headers off`), so the tables below include an nginx-fronted setup with that setting both off and on.


### Results

Output of running [request.rb](requests.rb) against each server. Each row is the `X-Forwarded-For` value the app ended up seeing. In the `under_score` and `reverse_under_score` tables the fixed Puma (`puma_after_fix_*`) returns the same value as nginx with its default `underscores_in_headers off` (`nginx_unicorn_rack2`), which silently drops any header whose name contains an underscore; the unfixed Puma returns the other value in both orderings, i.e. the client-supplied underscore-named header wins regardless of where it appears in the request. Unicorn and Pitchfork fold both headers into one comma-joined value (in wire order, which is why `1.1.1.1` always comes first), nginx with `underscores_in_headers on` passes both through to Unicorn, and Thin appears to keep only the last header in every case.

#### duplicate
| Target | Result |
| --- | --- |
| puma_before_fix_rack2 | X_FORWARDED_FOR: 2.2.2.2 |
| puma_before_fix_rack3 | X_FORWARDED_FOR: 2.2.2.2 |
| puma_after_fix_rack2 | X_FORWARDED_FOR: 2.2.2.2 |
| puma_after_fix_rack3 | X_FORWARDED_FOR: 2.2.2.2 |
| pitchfork_rack2 | X_FORWARDED_FOR: 2.2.2.2 |
| pitchfork_rack3 | X_FORWARDED_FOR: 2.2.2.2 |
| unicorn_rack2 | X_FORWARDED_FOR: 2.2.2.2 |
| unicorn_rack3 | X_FORWARDED_FOR: 2.2.2.2 |
| thin_rack2 | X_FORWARDED_FOR: 2.2.2.2 |
| falcon_rack3 | X_FORWARDED_FOR: 2.2.2.2 |
| nginx_unicorn_rack2 | X_FORWARDED_FOR: 2.2.2.2 |
| nginx_unicorn_rack2_underscore_on | X_FORWARDED_FOR: 2.2.2.2 |

#### under_score
| Target | Result |
| --- | --- |
| puma_before_fix_rack2 | X_FORWARDED_FOR: 2.2.2.2 |
| puma_before_fix_rack3 | X_FORWARDED_FOR: 2.2.2.2 |
| puma_after_fix_rack2 | X_FORWARDED_FOR: 1.1.1.1 |
| puma_after_fix_rack3 | X_FORWARDED_FOR: 1.1.1.1 |
| pitchfork_rack2 | X_FORWARDED_FOR: 1.1.1.1,2.2.2.2 |
| pitchfork_rack3 | X_FORWARDED_FOR: 1.1.1.1,2.2.2.2 |
| unicorn_rack2 | X_FORWARDED_FOR: 1.1.1.1,2.2.2.2 |
| unicorn_rack3 | X_FORWARDED_FOR: 1.1.1.1,2.2.2.2 |
| thin_rack2 | X_FORWARDED_FOR: 2.2.2.2 |
| falcon_rack3 | X_FORWARDED_FOR: 1.1.1.1,2.2.2.2 |
| nginx_unicorn_rack2 | X_FORWARDED_FOR: 1.1.1.1 |
| nginx_unicorn_rack2_underscore_on | X_FORWARDED_FOR: 1.1.1.1,2.2.2.2 |

#### reverse_under_score
| Target | Result |
| --- | --- |
| puma_before_fix_rack2 | X_FORWARDED_FOR: 1.1.1.1 |
| puma_before_fix_rack3 | X_FORWARDED_FOR: 1.1.1.1 |
| puma_after_fix_rack2 | X_FORWARDED_FOR: 2.2.2.2 |
| puma_after_fix_rack3 | X_FORWARDED_FOR: 2.2.2.2 |
| pitchfork_rack2 | X_FORWARDED_FOR: 1.1.1.1,2.2.2.2 |
| pitchfork_rack3 | X_FORWARDED_FOR: 1.1.1.1,2.2.2.2 |
| unicorn_rack2 | X_FORWARDED_FOR: 1.1.1.1,2.2.2.2 |
| unicorn_rack3 | X_FORWARDED_FOR: 1.1.1.1,2.2.2.2 |
| thin_rack2 | X_FORWARDED_FOR: 2.2.2.2 |
| falcon_rack3 | X_FORWARDED_FOR: 1.1.1.1,2.2.2.2 |
| nginx_unicorn_rack2 | X_FORWARDED_FOR: 2.2.2.2 |
| nginx_unicorn_rack2_underscore_on | X_FORWARDED_FOR: 1.1.1.1,2.2.2.2 |

#### upper_case
| Target | Result |
| --- | --- |
| puma_before_fix_rack2 | X_FORWARDED_FOR: 2.2.2.2 |
| puma_before_fix_rack3 | X_FORWARDED_FOR: 2.2.2.2 |
| puma_after_fix_rack2 | X_FORWARDED_FOR: 2.2.2.2 |
| puma_after_fix_rack3 | X_FORWARDED_FOR: 2.2.2.2 |
| pitchfork_rack2 | X_FORWARDED_FOR: 2.2.2.2 |
| pitchfork_rack3 | X_FORWARDED_FOR: 2.2.2.2 |
| unicorn_rack2 | X_FORWARDED_FOR: 2.2.2.2 |
| unicorn_rack3 | X_FORWARDED_FOR: 2.2.2.2 |
| thin_rack2 | X_FORWARDED_FOR: 2.2.2.2 |
| falcon_rack3 | X_FORWARDED_FOR: 2.2.2.2 |
| nginx_unicorn_rack2 | X_FORWARDED_FOR: 2.2.2.2 |
| nginx_unicorn_rack2_underscore_on | X_FORWARDED_FOR: 2.2.2.2 |

#### reverse_upper_case
| Target | Result |
| --- | --- |
| puma_before_fix_rack2 | X_FORWARDED_FOR: 2.2.2.2 |
| puma_before_fix_rack3 | X_FORWARDED_FOR: 2.2.2.2 |
| puma_after_fix_rack2 | X_FORWARDED_FOR: 2.2.2.2 |
| puma_after_fix_rack3 | X_FORWARDED_FOR: 2.2.2.2 |
| pitchfork_rack2 | X_FORWARDED_FOR: 2.2.2.2 |
| pitchfork_rack3 | X_FORWARDED_FOR: 2.2.2.2 |
| unicorn_rack2 | X_FORWARDED_FOR: 2.2.2.2 |
| unicorn_rack3 | X_FORWARDED_FOR: 2.2.2.2 |
| thin_rack2 | X_FORWARDED_FOR: 2.2.2.2 |
| falcon_rack3 | X_FORWARDED_FOR: 2.2.2.2 |
| nginx_unicorn_rack2 | X_FORWARDED_FOR: 2.2.2.2 |
| nginx_unicorn_rack2_underscore_on | X_FORWARDED_FOR: 2.2.2.2 |
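To make the collision behind these tables concrete, here is an added example (not Puma's or any other server's code) that models how a Rack-style server folds raw header names into CGI-style env keys, and four policies for resolving two headers that land on the same key. The case names and the `1.1.1.1` / `2.2.2.2` values come from the tables; the wire order (`1.1.1.1` sent first, hyphenated header first in `under_score`, underscore header first in `reverse_under_score`) and the exact underscore spelling `X-Forwarded_For` are assumptions, since `request.rb` is not shown on the page.

```ruby
# Added example, not Puma's (or any other server's) code: a model of how a
# Rack-style server folds raw header names into CGI-style env keys and of four
# ways to resolve the collision behind CVE-2024-45614. Both "X-Forwarded-For"
# and "X-Forwarded_For" become HTTP_X_FORWARDED_FOR, so a client-supplied
# underscore header can land in the env slot an app trusts its proxy to set.

# Rack env key for a raw header name: upcase, '-' -> '_', HTTP_ prefix.
def rack_env_key(name)
  "HTTP_#{name.upcase.tr('-', '_')}"
end

# headers: [[raw_name, value], ...] in wire order.
# policy:
#   :last_wins         a later header with the same env key overwrites the earlier one
#   :join              duplicates are comma-joined in wire order (unicorn-style)
#   :drop_underscore   the rule from GHSA-9hf4-67fc-4vf4: a header whose raw name
#                      contains '_' is discarded when a hyphenated header with the
#                      same env key is also present; other duplicates are joined
#   :reject_underscore any header whose raw name contains '_' is dropped outright,
#                      which is nginx's default (underscores_in_headers off)
def build_env(headers, policy)
  hyphen_keys = headers.reject { |name, _| name.include?("_") }
                       .map { |name, _| rack_env_key(name) }
  env = {}
  headers.each do |name, value|
    key = rack_env_key(name)
    underscored = name.include?("_")
    next if policy == :reject_underscore && underscored
    next if policy == :drop_underscore && underscored && hyphen_keys.include?(key)
    if env.key?(key) && policy != :last_wins
      env[key] = "#{env[key]},#{value}" # comma-join duplicates in wire order
    else
      env[key] = value
    end
  end
  env
end

# The page's two underscore cases. Assumed wire order and values (not stated on
# the page): 1.1.1.1 is sent first and 2.2.2.2 second; "under_score" puts the
# hyphenated header first, "reverse_under_score" the underscore one first.
UNDERSCORE_CASES = {
  "under_score"         => [["X-Forwarded-For", "1.1.1.1"], ["X-Forwarded_For", "2.2.2.2"]],
  "reverse_under_score" => [["X-Forwarded_For", "1.1.1.1"], ["X-Forwarded-For", "2.2.2.2"]],
}.freeze

# { case_name => value of HTTP_X_FORWARDED_FOR } under one policy.
def xff_by_case(policy, cases = UNDERSCORE_CASES)
  cases.transform_values { |hdrs| build_env(hdrs, policy)["HTTP_X_FORWARDED_FOR"] }
end
```

Under `:drop_underscore` and `:reject_underscore` the two cases yield `1.1.1.1` and `2.2.2.2`, matching the `puma_after_fix_*` and `nginx_unicorn_rack2` rows; `:join` yields `1.1.1.1,2.2.2.2` for both, matching Unicorn and Pitchfork. None of these policies reproduces the unfixed Puma rows (the underscore form winning in both orders), so the model is not a description of Puma's pre-fix parser, only of the key collision and of the fix rule the advisory states.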

### Starting each server

Each group of commands below is meant to run in its own shell; every server is started from its own directory and serves the shared `../config.ru`.

#### Puma

```
# Puma before the CVE-2024-45614 fix, Rack 2
$ cd puma_before_fix_rack2
$ RACK_ENV=production bundle exec puma -p 9000 ../config.ru

# Puma before the CVE-2024-45614 fix, Rack 3
$ cd puma_before_fix_rack3
$ RACK_ENV=production bundle exec puma -p 9001 ../config.ru

# Puma after the CVE-2024-45614 fix, Rack 2
$ cd puma_after_fix_rack2
$ RACK_ENV=production bundle exec puma -p 9002 ../config.ru

# Puma after the CVE-2024-45614 fix, Rack 3
$ cd puma_after_fix_rack3
$ RACK_ENV=production bundle exec puma -p 9003 ../config.ru
```

#### Pitchfork

```
# Rack2
$ cd pitchfork_rack2 
$ RACK_ENV=production bundle exec pitchfork -p 9010 ../config.ru

# Rack3
$ cd pitchfork_rack3 
$ RACK_ENV=production bundle exec pitchfork -p 9011 ../config.ru
```

#### Unicorn

```
# Rack 2
$ cd unicorn_rack2
$ RACK_ENV=production bundle exec unicorn -p 9020 ../config.ru

# Rack 3
# * The Unicorn version used for this check had not finished its Rack 3 support, but the server runs
$ cd unicorn_rack3
$ RACK_ENV=production bundle exec unicorn -p 9021 ../config.ru
```

#### Thin

```
# Rack 2
$ cd thin_rack2
$ RACK_ENV=production bundle exec thin start -p 9030 -R ../config.ru

# Rack 3
# * The Thin version used for this check does not support Rack 3, so bundle install fails
```

#### Falcon

* Started over HTTP/1 to keep the check simple

```
# Rack 2
$ cd falcon_rack2
$ RACK_ENV=production bundle exec rackup --server falcon -p 9040 ../config.ru
# * Could not get this one running

# Rack 3
$ cd falcon_rack3
$ RACK_ENV=production bundle exec rackup --server falcon -p 9041 ../config.ru
```

#### Nginx

```
$ docker run --name heade_test_nginx -v $(pwd)/nginx.conf:/etc/nginx/nginx.conf:ro -d -p 9100:80 -p 9101:81 nginx 
```
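Neither `request.rb` nor `config.ru` is shown on the page, so here is an added example (not the page's own files) of the two halves a practitioner needs to reproduce the tables against the servers started above: a Rack app that echoes the `X-Forwarded-For` value the server handed to it, and a raw-socket probe that sends header lines in an exact order. `Net::HTTP` is avoided on purpose, because it merges duplicate header names and does not guarantee wire order, which is precisely what these cases depend on. The echo format `X_FORWARDED_FOR: <value>` is assumed from the result tables, and the port numbers follow the startup commands.

```ruby
# Added example, not the page's request.rb or config.ru: a minimal echo app plus
# a raw-socket probe for reproducing the result tables against the servers
# started above. Net::HTTP is avoided on purpose: it merges duplicate header
# names and does not preserve wire order. The echo format "X_FORWARDED_FOR: <v>"
# is assumed from the tables.
require "socket"

# Rack app that echoes the X-Forwarded-For value the server handed to it.
# Usable as `run ECHO_APP` in a config.ru under Rack 2 or Rack 3.
ECHO_APP = lambda do |env|
  body = "X_FORWARDED_FOR: #{env['HTTP_X_FORWARDED_FOR']}"
  [200, { "content-type" => "text/plain" }, [body]]
end

# Build a raw HTTP/1.1 request with the header lines in exactly the given order.
# CR/LF in a name or value is refused so a probe never turns into header injection.
def build_request(headers, host: "localhost", path: "/")
  headers.each do |name, value|
    raise ArgumentError, "CR/LF in header #{name.inspect}" if "#{name}#{value}" =~ /[\r\n]/
  end
  lines = ["GET #{path} HTTP/1.1", "Host: #{host}"]
  headers.each { |name, value| lines << "#{name}: #{value}" }
  lines << "Connection: close"
  lines.join("\r\n") << "\r\n\r\n"
end

# Split a raw response into [status_line, body].
def parse_response(raw)
  head, body = raw.split("\r\n\r\n", 2)
  [head.to_s.lines.first.to_s.chomp, body.to_s]
end

# Send one probe on a fresh connection and return [status_line, body].
def probe(port, headers, host: "127.0.0.1")
  sock = TCPSocket.new(host, port)
  begin
    sock.write(build_request(headers, host: "#{host}:#{port}"))
    parse_response(sock.read)
  ensure
    sock.close
  end
end

# Run one header set against several servers and collect the echoed bodies, e.g.
#   compare({ "puma_before_fix_rack2" => 9000, "puma_after_fix_rack2" => 9002 },
#           [["X-Forwarded-For", "1.1.1.1"], ["X-Forwarded_For", "2.2.2.2"]])
# A server that is not listening is reported as "unreachable" instead of
# aborting the whole run.
def compare(ports_by_name, headers)
  ports_by_name.transform_values do |port|
    begin
      _status, body = probe(port, headers)
      body
    rescue SystemCallError
      "unreachable"
    end
  end
end
```

Running `compare` with the `under_score` header set against ports 9000 and 9002 is the quickest way to see the fix: the unfixed Puma echoes the underscore header's value, the fixed one echoes the hyphenated header's value. Swapping the two header lines gives the `reverse_under_score` case, and sending the same hyphenated header twice gives a duplicate-header case.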