Preface
When I woke up this morning I saw an article posted by "Qi An Xin CERT" titled "[Reproduced] Nacos Identity Authentication Bypass Vulnerability Security Risk Notice". I opened it, read the vulnerability description and the reproduction payload, and found that this is the vulnerability Mr. Yao (@beetle) and I found in November 2022 while testing Nacos against its historical vulnerabilities. The name we gave it at the time was not this one but a more direct one (many people will know what it is at a glance). What follows is only a brief introduction. Naturally, the exploit will not be given; if you are interested, build an environment and try it yourself, it is very simple.
Affected versions
Nacos 0.1.0 ~ 2.2.0
Exploitation conditions
The deployed Nacos instance still uses the default token.secret.key
Severity
Medium-high (few instances are internet-facing; most sit on internal networks, and there the interfaces are commonly called directly with no authentication at all)
Root cause
Nacos is built with a default value for the token.secret.key property. A deployment that keeps it accepts any token signed with that value, and the value can be read by anyone who opens the default configuration.
Environment setup
Download the release archive from:
https://github.com/alibaba/nacos
Then start the server in standalone mode (the script lives in the bin/ directory of the extracted distribution):
./startup.sh -m standalone
Then open http://your-ip:8848/nacos. The default credentials are nacos/nacos.
Reproduction
Step 1: Obtain a username (from one of the historical vulnerabilities, or simply guess it)
Step 2: Send the request that resets that user's password
Step 3: Log in with the new password
Remediation
1. Keep the application on an internal network; do not expose it to the internet
2. Upgrade to the latest version:
https://github.com/alibaba/nacos/releases/tag/2.2.0.1
3. Change the default value of token.secret.key in application.properties. For the exact procedure see: https://nacos.io/zh-cn/docs/v2/guide/user/auth.html
Note that every node of a cluster must carry the same key, and tokens issued under the old key stop working once it is rotated, so clients have to log in again.
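To make item 3 checkable, here is an added example of my own (not code from Nacos or from this write-up) that audits a copy of application.properties for the weak setting and produces the corrected one. It assumes the 2.2.x property name nacos.core.auth.plugin.nacos.token.secret.key (with the older 2.x name nacos.core.auth.default.token.secret.key as an alias), the switch nacos.core.auth.enabled, and the stock default value as I know it from the shipped configuration; verify all three against the pristine copy in your own distribution. The sample configuration at the bottom is constructed.

```python
"""Audit and fix the token.secret.key setting in a Nacos application.properties."""
import base64
import os
import re
import string

# Property names for the token signing key: the 2.2.x name first, then the
# older 2.x name for the same setting (assumed; check your own conf/ directory).
KEY_PROPERTIES = (
    "nacos.core.auth.plugin.nacos.token.secret.key",
    "nacos.core.auth.default.token.secret.key",
)

# The stock value as shipped in the project's application.properties (assumed;
# compare with the pristine copy in your own distribution if in doubt).
DEFAULT_SECRET = "SecretKey012345678901234567890123456789012345678901234567890123456789"

MIN_KEY_BYTES = 32  # HS256 needs at least 256 bits of key material
B64_ALPHABET = set(string.ascii_letters + string.digits + "+/")
_PROP_RE = re.compile(r"^([^=:\s]+)\s*[=:]?\s*(.*)$")


def split_property(line):
    """Split one .properties line into (name, value); None for blanks and comments."""
    line = line.strip()
    if not line or line[0] in "#!":
        return None
    m = _PROP_RE.match(line)
    return (m.group(1), m.group(2).strip()) if m else None


def parse_properties(text):
    props = {}
    for raw in text.splitlines():
        kv = split_property(raw)
        if kv:
            props[kv[0]] = kv[1]
    return props


def estimated_key_bytes(value):
    """Decoded length estimated from the character count, so a value with a
    non-canonical Base64 length is measured rather than rejected. Returns None
    when the value contains characters outside the Base64 alphabet."""
    body = value.rstrip("=")
    if not body or any(c not in B64_ALPHABET for c in body):
        return None
    return len(body) * 6 // 8


def audit_auth_config(properties_text):
    """Return a list of findings for the auth settings; empty means nothing flagged."""
    props = parse_properties(properties_text)
    findings = []
    if props.get("nacos.core.auth.enabled", "false").lower() != "true":
        findings.append("nacos.core.auth.enabled is not true: the API accepts "
                        "requests with no authentication at all")
    value = next((props[n] for n in KEY_PROPERTIES if n in props), None)
    if not value:
        findings.append("token.secret.key is not set explicitly")
        return findings
    if value == DEFAULT_SECRET:
        findings.append("token.secret.key is the stock default: anyone who reads the "
                        "default config can forge accepted tokens")
    n = estimated_key_bytes(value)
    if n is None:
        findings.append("token.secret.key contains characters outside the Base64 alphabet")
    elif n < MIN_KEY_BYTES:
        findings.append(f"token.secret.key is only about {n} bytes; "
                        f"at least {MIN_KEY_BYTES} are required")
    return findings


def generate_token_secret(num_bytes=32):
    """Fresh random key, Base64-encoded as the property expects."""
    return base64.b64encode(os.urandom(num_bytes)).decode("ascii")


def hardened_properties(properties_text, new_secret=None):
    """Return the config with token.secret.key set to a fresh key and every other
    line untouched. The property is appended under the 2.2.x name if absent."""
    if new_secret is None:
        new_secret = generate_token_secret()
    out, replaced = [], False
    for raw in properties_text.splitlines():
        kv = split_property(raw)
        if kv and kv[0] in KEY_PROPERTIES and not replaced:
            out.append(f"{kv[0]}={new_secret}")
            replaced = True
        else:
            out.append(raw)
    if not replaced:
        out.append(f"{KEY_PROPERTIES[0]}={new_secret}")
    return "\n".join(out) + "\n"


# Constructed sample: the weak setting as it appears in a default install.
WEAK_CONFIG = (
    "### If turn on auth system:\n"
    "nacos.core.auth.enabled=true\n"
    "### The default token (Base64 String):\n"
    f"nacos.core.auth.plugin.nacos.token.secret.key={DEFAULT_SECRET}\n"
)

if __name__ == "__main__":
    for finding in audit_auth_config(WEAK_CONFIG):
        print("WEAK:", finding)
    fixed = hardened_properties(WEAK_CONFIG)
    print(fixed)
    print("findings after fix:", audit_auth_config(fixed))
```

Run it against the real file with audit_auth_config(open("conf/application.properties").read()) on every node; a non-empty result on any node means item 3 is still open. Write the output of hardened_properties to all nodes at once, since the key must be identical cluster-wide, then restart them and have clients log in again.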