Report a security vulnerability in nacos to bypass authentication(identity) again #4701
Comments
因为前面的代码是用来鉴别是否是服务端请求的,如果不是就需要走默认鉴权了。 这里修复如果把getPath那个异常抛出去, path那里不能返回null。 |
应该是的,因为spring security已经帮忙把脏字符拦截了,理论上这样可以解决这个问题,但是我不能百分百断定,因为spring security的代码我还没有完全研究过,有可能后续还会存在绕过方法。 |
|
比如多加一个'/'或者通过/v1/../v1/的方式,目前spring security都会拦截掉的,所以这些feature无法绕过,但是我不确定有没有更特别的方式可以绕过spring security |
|
在PR进行了修复
|
|
1.4.1刚发布, 会直接在1.4.1进行hotfix。 请用户直接下载最新的1.4.1版本进行部署升级。 |
|
|
* 'develop' of https://github.com/alibaba/nacos: Use SafeConstructor to parse yaml configuration for AbstractConfigChangeListener (alibaba#4753) [ISSUE alibaba#3922] method createServiceIfAbsent in ServiceManager require sync (alibaba#4713) fix cloning configuration last desc (alibaba#4697) [ISSUE alibaba#4661]configServletInner#doGetConfig code optimization (alibaba#4666) Use revision to set version and upgrade to 1.4.2-SNAPSHOT (alibaba#4711) Revert interceptor all ui problem Fix alibaba#4701 (alibaba#4703) delete comment. fix metadata batch operation may delete instance problem. Upgrade to 1.4.1 (alibaba#4695) fix alibaba#4686 (alibaba#4692) Build nacos console front for 1.4.1 (alibaba#4690)
…op-import-v1 * 'develop' of https://github.com/alibaba/nacos: Use SafeConstructor to parse yaml configuration for AbstractConfigChangeListener (alibaba#4753) [ISSUE alibaba#3922] method createServiceIfAbsent in ServiceManager require sync (alibaba#4713) fix cloning configuration last desc (alibaba#4697) [ISSUE alibaba#4661]configServletInner#doGetConfig code optimization (alibaba#4666) Use revision to set version and upgrade to 1.4.2-SNAPSHOT (alibaba#4711) Revert interceptor all ui problem Fix alibaba#4701 (alibaba#4703) delete comment. fix metadata batch operation may delete instance problem. Upgrade to 1.4.1 (alibaba#4695) fix alibaba#4686 (alibaba#4692) Build nacos console front for 1.4.1 (alibaba#4690) For checkstyle fix: fix Jraft WriteRequest type problem. Add server identity to replace user-agent white list. (alibaba#4683)
|
Under 3. loopholes reproduce I believe you want:
not
otherwise |
---------------------------------------------------------------------------- english
Hello, I’m threedr3am. I found that the latest version 1.4.1 of nacos still has a bypass problem for the serverIdentity key-value repair mechanism that bypasses security vulnerabilities in User-Agent. The custom key-value authentication of serverIdentity is enabled in nacos. Later, through the special url structure, it is still possible to bypass the restriction to access any http interface.
By viewing this function, you need to add the configuration
nacos.core.auth.enable.userAgentAuthWhite:falsein application.properties to avoid the ```User-Agent: Nacos-Server`'' bypassing authentication safe question.But after turning on the mechanism, I found from the code that I can still bypass it under certain circumstances, make it invalid, and call any interface. Through this vulnerability, I can bypass the authentication and do:
Call the add user interface, add a new user (
POST https://127.0.0.1:8848/nacos/v1/auth/users?username=test&password=test), and then use the newly added user to log in to the console, Access, modify, and add data.1. Vulnerability details
The problem mainly occurs in
com.alibaba.nacos.core.auth.AuthFilter#doFilter:As you can see, the above three if else branches:
The first one is
authConfigs.isEnableUserAgentAuthWhite(), its default value is true, when the value is true, it will judge whether the request header User-Agent matchesUser-Agent: Nacos-Server`` `, if it matches, skip all subsequent logic and executechain.doFilter(request, response);```The second one is
StringUtils.isNotBlank(authConfigs.getServerIdentityKey()) && StringUtils.isNotBlank(authConfigs.getServerIdentityValue())`, which is nacos 1.4.1 version forUser-Agent: Nacos- Server``` Simple fix for security issuesThe third one is to respond directly to the request to deny access when the previous two conditions are not met
The problem appears in the second branch. You can see that when the developer of nacos adds the configuration
nacos.core.auth.enable.userAgentAuthWhite:false`'' in application.properties, the simple key-value authentication mechanism is turned on Then, it will get a value from the http header according to thenacos.core.auth.server.identity.keyconfigured by the developer, and then go to thenacos.core.auth.server. identity.value``` is matched, if it does not match, it will not enter the branch execution:But the problem is precisely here. The logic here should be to directly return denied access when there is a mismatch, but in fact we did not do this, which allows us to bypass the provision of conditions later.
Looking further down, the code comes to:
As you can see, there is a judgment
method == null, as long as this condition is met, the subsequent authentication code will not go to.By looking at the
methodsCache.getMethod(req)code implementation, I found a method that can make the returned method nullcom.alibaba.nacos.core.code.ControllerMethodsCache#getMethod
In this code, you can clearly see that the return of the method value depends on
The key of urlKey, whether the mapping value can be obtained from ConcurrentHashMap of urlLookup
In the composition of urlKey, there is a part of path, and there is a problem with the generation of this part. It is obtained in the following way:
A normal visit, such as
curl -XPOST'http://127.0.0.1:8848/nacos/v1/auth/users?username=test&password=test', the path obtained will be/nacos/v1/auth/users, and through a specially constructed URL, such ascurl -XPOST'http://127.0.0.1:8848/nacos/v1/auth/users/?username=test&password= test' --path-as-is, the path will be/nacos/v1/auth/users/In this way, the path will be able to control the trailing slash'/', resulting in the method cannot be obtained from the ConcurrentHashMap urlLookup, why? Because basically all RequestMappings in nacos do not end with a slash'/', only The RequestMapping at the end of the non-slanted bar'/' exists and is stored in the ConcurrentHashMap of urlLookup, then the outermost
method == nullcondition will be satisfied, thus bypassing the authentication mechanism.2. The scope of the vulnerability
Sphere of influence: 1.4.1
3. loopholes reproduce
As you can see, the authentication is bypassed and the user list data is returned
As you can see, authentication has been bypassed and new users have been added
As you can see, in the returned user list data, there is one more user we created by bypassing authentication.
http://127.0.0.1:8848/nacos/, log in to the new account, and you can do anything---------------------------------------------------------------------------- 中文
你好,我是threedr3am,我发现nacos最新版本1.4.1对于User-Agent绕过安全漏洞的serverIdentity key-value修复机制,依然存在绕过问题,在nacos开启了serverIdentity的自定义key-value鉴权后,通过特殊的url构造,依然能绕过限制访问任何http接口。
通过查看该功能,需要在application.properties添加配置
nacos.core.auth.enable.userAgentAuthWhite:false,才能避免User-Agent: Nacos-Server绕过鉴权的安全问题。但在开启该机制后,我从代码中发现,任然可以在某种情况下绕过,使之失效,调用任何接口,通过该漏洞,我可以绕过鉴权,做到:
调用添加用户接口,添加新用户(
POST https://127.0.0.1:8848/nacos/v1/auth/users?username=test&password=test),然后使用新添加的用户登录console,访问、修改、添加数据。一、漏洞详情
问题主要出现在
com.alibaba.nacos.core.auth.AuthFilter#doFilter:可以看到,上面三个if else分支:
第一个是
authConfigs.isEnableUserAgentAuthWhite(),它默认值为true,当值为true时,会判断请求头User-Agent是否匹配User-Agent: Nacos-Server,若匹配,则跳过后续所有逻辑,执行chain.doFilter(request, response);第二个是
StringUtils.isNotBlank(authConfigs.getServerIdentityKey()) && StringUtils.isNotBlank(authConfigs.getServerIdentityValue()),也就是nacos 1.4.1版本对于User-Agent: Nacos-Server安全问题的简单修复第三个是,当前面两个条件都不符合时,对请求直接作出拒绝访问的响应
问题出现在第二个分支,可以看到,当nacos的开发者在application.properties添加配置
nacos.core.auth.enable.userAgentAuthWhite:false,开启该key-value简单鉴权机制后,会根据开发者配置的nacos.core.auth.server.identity.key去http header中获取一个value,去跟开发者配置的nacos.core.auth.server.identity.value进行匹配,若不匹配,则不进入分支执行:但问题恰恰就出在这里,这里的逻辑理应是在不匹配时,直接返回拒绝访问,而实际上并没有这样做,这就让我们后续去绕过提供了条件。
再往下看,代码来到:
可以看到,这里有一个判断
method == null,只要满足这个条件,就不会走到后续的鉴权代码。通过查看
methodsCache.getMethod(req)代码实现,我发现了一个方法,可以使之返回的method为nullcom.alibaba.nacos.core.code.ControllerMethodsCache#getMethod
这个代码里面,可以很明确的看到,method值的返回,取决于
urlKey这个key,是否能从urlLookup这个ConcurrentHashMap中获取到映射值
而urlKey的组成中,存在着path这一部分,而这一部分的生成,恰恰存在着问题,它是通过如下方式获得的:
一个正常的访问,比如
curl -XPOST 'http://127.0.0.1:8848/nacos/v1/auth/users?username=test&password=test',得到的path将会是/nacos/v1/auth/users,而通过特殊构造的url,比如curl -XPOST 'http://127.0.0.1:8848/nacos/v1/auth/users/?username=test&password=test' --path-as-is,得到的path将会是/nacos/v1/auth/users/通过该方式,将能控制该path多一个末尾的斜杆'/',导致从urlLookup这个ConcurrentHashMap中获取不到method,为什么呢,因为nacos基本全部的RequestMapping都没有以斜杆'/'结尾,只有非斜杆'/'结尾的RequestMapping存在并存入了urlLookup这个ConcurrentHashMap,那么,最外层的
method == null条件将能满足,从而,绕过该鉴权机制。二、漏洞影响范围
影响范围:
1.4.1
三、漏洞复现
可以看到,绕过了鉴权,返回了用户列表数据
可以看到,绕过了鉴权,添加了新用户
可以看到,返回的用户列表数据中,多了一个我们通过绕过鉴权创建的新用户
http://127.0.0.1:8848/nacos/,登录新账号,可以做任何事情regards,
threedr3am
The text was updated successfully, but these errors were encountered: