猫宁i Morning Shiro Configuration Path Traversal Vulnerability Allowing Unauthenticated Remote Command Execution

Vulnerability

A critical vulnerability has been identified in 猫宁i Morning versions up to bc782730c74ff080494f145cc363a0b4f43f7d3e. The issue arises from an outdated Apache Shiro configuration that permits anonymous access to static paths. This flaw allows attackers to perform path traversal, bypass authentication, and access sensitive endpoints. The vulnerability is compounded by unsafe deserialization in Fastjson, enabling the execution of arbitrary commands on the server via crafted payloads. The vulnerability is present in the Shiro Configuration component, specifically through the '/index' path, which is normally restricted to administrators.

Impact

Exploitation of this vulnerability leads to unauthenticated remote command execution on the server.

Reproduction

To reproduce this vulnerability, first exploit the path traversal flaw by accessing the '/static/..;/index' route, which bypasses authentication and reaches the sensitive '/index' endpoint. Then, upload a file through the '/uploads/avatar' endpoint, including a malicious payload in the 'avatar_data' field. The payload should be crafted to exploit the Fastjson deserialization vulnerability, using the 'com.sun.rowset.JdbcRowSetImpl' gadget to perform a JNDI lookup to a remote LDAP server, triggering command execution on the server.
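The following Python snippet is an added example written for this entry; it is not code from the 猫宁i Morning project or from the advisory's author. It models the two conditions the advisory describes so a defender can recognise them: a request path that matches the anonymous static prefix in Shiro's filter chain but, after the servlet container strips `;` parameters and collapses `..`, resolves to the admin-only '/index' endpoint; and a user-supplied JSON field (such as 'avatar_data') that carries a Fastjson '@type' directive naming the 'com.sun.rowset.JdbcRowSetImpl' gadget. The log format, the sample log lines, and the assumption that '/static/' is the only anonymous prefix and '/index' the protected path are constructed for the example.

```python
import posixpath
import re

# Constructed sample access-log lines (not taken from the advisory). Line 2 has
# the request shape the advisory describes for the Shiro filter-chain bypass.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Aug/2025:16:18:01 +0000] "GET /static/js/app.js HTTP/1.1" 200 1024
10.0.0.9 - - [10/Aug/2025:16:18:02 +0000] "GET /static/..;/index HTTP/1.1" 200 5120
10.0.0.9 - - [10/Aug/2025:16:18:03 +0000] "POST /uploads/avatar HTTP/1.1" 200 12
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Assumed filter-chain layout, following the advisory: the static prefix is
# anonymous and '/index' is restricted to administrators.
ANON_PREFIXES = ("/static/",)
PROTECTED_PATHS = ("/index",)

# Fastjson autoType key and the gadget class the advisory names.
AUTOTYPE_RE = re.compile(r'"@type"\s*:\s*"([^"]+)"')
DANGEROUS_TYPES = frozenset({"com.sun.rowset.JdbcRowSetImpl"})


def servlet_normalize(raw_path: str) -> str:
    """Approximate the path a servlet container dispatches on: drop the ';param'
    suffix from each segment, then collapse '.' and '..'. An outdated Shiro
    setup matches the raw path against its filter chain instead, which is why
    '/static/..;/index' can look anonymous to Shiro yet reach '/index'."""
    stripped = "/".join(seg.split(";", 1)[0] for seg in raw_path.split("/"))
    normalized = posixpath.normpath(stripped)
    return normalized if normalized.startswith("/") else "/" + normalized


def is_filter_chain_bypass(raw_path: str) -> bool:
    """True when the raw path matches an anonymous prefix but resolves to a
    protected endpoint after container normalization."""
    resolved = servlet_normalize(raw_path)
    matches_anon = raw_path.startswith(ANON_PREFIXES)
    hits_protected = any(resolved == p or resolved.startswith(p + "/")
                         for p in PROTECTED_PATHS)
    return matches_anon and hits_protected


def scan_access_log(log_text: str) -> list[dict]:
    """Return one finding per request line whose path would bypass the chain."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        raw_path = match.group("target").split("?", 1)[0]
        if is_filter_chain_bypass(raw_path):
            findings.append({"line": lineno, "raw_path": raw_path,
                             "resolved_path": servlet_normalize(raw_path)})
    return findings


def autotype_classes(field_value: str) -> list[str]:
    """List every '@type' class name in a user-supplied JSON field (such as the
    'avatar_data' field from the advisory). Any '@type' in untrusted input is an
    autoType concern; names in DANGEROUS_TYPES are known deserialization gadgets."""
    return AUTOTYPE_RE.findall(field_value)


def is_dangerous_fastjson_input(field_value: str) -> bool:
    """True when the field names a gadget class from DANGEROUS_TYPES."""
    return any(cls in DANGEROUS_TYPES for cls in autotype_classes(field_value))


if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG):
        print(f"line {finding['line']}: {finding['raw_path']} -> {finding['resolved_path']}")
    print(is_dangerous_fastjson_input('{"@type":"com.sun.rowset.JdbcRowSetImpl"}'))
```

Run the scanner over the decoded request path the container actually sees (it does not percent-decode on its own), and treat any '@type' key in untrusted JSON as a finding even when the class is not in the short list above, since the list only covers the gadget this advisory mentions. The lasting fix is on the server side rather than in detection: upgrade to a current Apache Shiro release, which evaluates the filter chain against the normalized path, and enable Fastjson's safeMode (or otherwise disable autoType) so '@type' in input is never honoured.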

Added: Aug 10, 2025, 4:18 PM
Updated: Aug 10, 2025, 4:18 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 7.5
exploitability: 8.7
remediation: 0.0
relevance: 0.3
threat: 6.4
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.