@spaze
Last active May 20, 2021 16:34
CVE-2020-15227 nette/application RCE in-place patch
```bash
#!/bin/bash
# Find files in CVE-2020-15227 nette/application issue
# by @spazef0rze
# Run with `bash find-cve-2020-15227.sh`, works on Linux, FreeBSD, tested on Ubuntu 18.04, FreeBSD 11.4
# This is a universal finder for all affected versions.
# Requirements: find, grep, bash (might work with your default shell but YMMV)
# The fixes:
# https://github.com/nette/application/compare/v3.0.5...v3.0.6#diff-3206dd78561d1e8268bc318718c02134
# https://github.com/nette/application/compare/v2.4.15...v2.4.16#diff-3206dd78561d1e8268bc318718c02134
# https://github.com/nette/application/compare/v2.3.13...v2.3.14#diff-3206dd78561d1e8268bc318718c02134
# https://github.com/nette/application/compare/v2.2.9...v2.2.10#diff-3206dd78561d1e8268bc318718c02134
# https://github.com/nette/nette/compare/v2.1.12...v2.1.13#diff-0886800d8d2410f8fcffea5b2e996ee7
# https://github.com/nette/nette/compare/v2.0.18...v2.0.19#diff-0886800d8d2410f8fcffea5b2e996ee7
# The steps:
# find the file
# check if it has the code to be fixed, search for `if (!isset($params['callback'])) {`
# echo the filename if yes
find . \
-name MicroPresenter.php \
-exec grep --silent "^[[:space:]]\+if (\!isset(\$params\['callback'\])) {" {} \; \
-exec echo {} \;
```

```bash
#!/bin/bash
# In-place apply the CVE-2020-15227 nette/application patch
# by @spazef0rze
# Run with `bash update-cve-2020-15227.sh`, works on Linux, FreeBSD, tested on Ubuntu 18.04, FreeBSD 11.4
# This is a universal patcher for all affected versions.
# Requirements: find, grep, sed, bash (might work with your default shell but YMMV)
# The fixes:
# https://github.com/nette/application/compare/v3.0.5...v3.0.6#diff-3206dd78561d1e8268bc318718c02134
# https://github.com/nette/application/compare/v2.4.15...v2.4.16#diff-3206dd78561d1e8268bc318718c02134
# https://github.com/nette/application/compare/v2.3.13...v2.3.14#diff-3206dd78561d1e8268bc318718c02134
# https://github.com/nette/application/compare/v2.2.9...v2.2.10#diff-3206dd78561d1e8268bc318718c02134
# https://github.com/nette/nette/compare/v2.1.12...v2.1.13#diff-0886800d8d2410f8fcffea5b2e996ee7
# https://github.com/nette/nette/compare/v2.0.18...v2.0.19#diff-0886800d8d2410f8fcffea5b2e996ee7
# The steps:
# find the file (same as in the "find" script)
# check if it has the code to be fixed, search for `if (!isset($params['callback'])) {` (same as in the "find" script)
# echo the filename if yes (same as in the "find" script)
# create a backup file with a suffix, will create `MicroPresenter.php-nette-autoupdate-backup.<random digits>`
# replace the code above with `$callback = isset($params['callback']) ? $params['callback'] : null; if (!$callback instanceof \Closure) {`
# replace the error message because why not
# ...
# PROFIT!
# I love escaping single quotes inside single-quoted strings, '"'"' FTW HAHAHA NO
find . \
-name MicroPresenter.php \
-exec grep --silent "^[[:space:]]\+if (\!isset(\$params\['callback'\])) {" {} \; \
-exec echo {} \; \
-exec sed -i"-nette-autoupdate-backup.$RANDOM" 's/if (!isset($params\['"'"'callback'"'"'\])) {/$callback = isset($params\['"'"'callback'"'"'\]) ? $params\['"'"'callback'"'"'\] : null;\ if (!$callback instanceof \\Closure) { \/\/ patched to fix CVE-2020-15227/; s/Parameter callback is missing./Parameter callback is not a valid closure./' {} \;
```
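
A follow-up check for the two scripts above, as an added example that is not part of the gist: it classifies each `MicroPresenter.php` by the unpatched `isset` line or the `instanceof \Closure` check that the sed replacement inserts, and lists the backup files the patcher leaves behind. The function names and the sample tree are constructed for illustration.

```bash
#!/bin/bash
# Added example, not part of the gist: audit a tree after running the patcher.
VULN="if (!isset(\$params['callback'])) {"   # unpatched check the finder greps for
FIXED='$callback instanceof \Closure'         # check inserted by the sed replacement

# Print "vulnerable", "patched" or "unknown" for one MicroPresenter.php.
classify_presenter() {
    if grep -qF -- "$VULN" "$1"; then echo vulnerable
    elif grep -qF -- "$FIXED" "$1"; then echo patched
    else echo unknown
    fi
}

# Print "<status> <path>" for every MicroPresenter.php under $1, plus a
# "backup <path>" line for each file left by sed -i"-nette-autoupdate-backup.N".
audit_tree() {
    {
        find "$1" -type f -name MicroPresenter.php | while IFS= read -r f; do
            printf '%s %s\n' "$(classify_presenter "$f")" "$f"
        done
        find "$1" -type f -name 'MicroPresenter.php-nette-autoupdate-backup.*' |
            sed 's/^/backup /'
    } | sort
}

# Succeed only when no file under $1 is still classified as vulnerable.
tree_is_clean() {
    ! audit_tree "$1" | grep -q '^vulnerable '
}

# Constructed sample tree: one unpatched copy, one patched copy with its backup.
make_demo_tree() {
    demo_dir=$(mktemp -d)
    mkdir -p "$demo_dir/site a/vendor" "$demo_dir/site b/vendor"
    printf '\t\t%s\n' "$VULN" > "$demo_dir/site a/vendor/MicroPresenter.php"
    printf '\t\tif (!%s) {\n' "$FIXED" > "$demo_dir/site b/vendor/MicroPresenter.php"
    printf '\t\t%s\n' "$VULN" \
        > "$demo_dir/site b/vendor/MicroPresenter.php-nette-autoupdate-backup.12345"
    echo "$demo_dir"
}

# With a directory argument audit it, otherwise audit the constructed sample.
if [ "$#" -gt 0 ]; then audit_tree "$1"; else audit_tree "$(make_demo_tree)"; fi
```

A file reported as `unknown` contains neither string and needs a manual look.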
spaze commented Oct 13, 2020


mariancerny commented Oct 15, 2020

If you remove the extra \ at the end in update.sh, then it works on FreeBSD with the built-in /bin/sh shell (and there is no need for bash). With the exception that $RANDOM won't work, but I don't care.
Works on FreeBSD 12.1 as well.


spaze commented Oct 15, 2020

Thanks @mariancerny. I've removed the extra backslash, it wasn't there originally (there was one extra -exec, after the -exec sed one, without the trailing backslash). I've added a note that it might work with the default shell, and I'll leave the bash requirement there.


f3l1x commented Oct 16, 2020

👍
