AppSecSchool:
How to extract a patch?

Enjoy our additional free content from our channel

How to extract a patch?

In this tutorial, we unravel the efficient and straightforward method of extracting a patch from an advisory to grasp the issue in depth, an excellent initiation into the realm of code review. The skill is not only potent for understanding vulnerabilities better but stands instrumental for content creators and those gearing up for a role in application security.

We base our tutorial on the specific case of CVE-2023-41080, an open redirect issue in Apache Tomcat associated with FORM authentication. To set the groundwork, we delve into the critical step of procuring the advisory details meticulously to guide our subsequent steps.

Identifying our versions as the vulnerable 11.0.0-M10 and the patched 11.0.0-M11, we proceed to locate the source code through a straightforward search leading us to the Apache Tomcat repository on GitHub. Although the GitHub UI is an option, we emphasize the benefits of working locally in a shell for this process.

We then clone the project using 'git clone', acknowledging the substantial time this process might take owing to the size of the project. Upon completion, we navigate to the directory and employ 'git tag' to list all the available tags. To zero in on our tags, we utilize 'grep' with the '11.0.0' filter, facilitating the display of our target tags - 11.0.0-M10 and 11.0.0-M11.

With our versions at hand, we use 'git diff' accompanied by our version numbers to draw out all the alterations between these versions, directing this output to a file named CVE-2023-41080.diff. A quick analysis reveals around 8000 lines in our patch, presenting a substantial data set for our investigation. To pinpoint the changed files, we apply 'grep +++', directing our attention to a file by the name FormAuthenticator.java.

This file aligns with the FORM authentication issue under scrutiny. A detailed inspection of the diff file and the specific java file unveils the solution implemented to rectify the problem – the removal of ‘//’ at the onset of strings to prevent relative redirects.

In conclusion, this tutorial imparts a straightforward technique to extract a patch, offering clear insights into the remedies adopted to amend a security concern. Equipped with this knowledge, you can now explore potential bypass possibilities, deepening your understanding and expertise in code review and application security.