Disclaimer: This article is for learning and reference only. All resources involved in it are from the Internet. Please do not use them for any illegal acts; otherwise you bear the corresponding consequences yourself, and I assume no legal or joint and several liability.
Vulnerability description
Nacos is an open source project from Alibaba: a dynamic service discovery, configuration management and service management platform that makes it easier to build cloud-native applications. It is dedicated to helping discover, configure and manage microservices, and provides an easy-to-use feature set for dynamic service discovery, service configuration, service metadata and traffic management.
The vulnerability lies in the authentication filter. When Nacos authenticates and authorizes a request, it checks whether the request's User-Agent header starts with "Nacos-Server" and, if it does, skips authentication entirely. The developers intended this to let Nacos servers call each other without credentials, but the agreed-upon User-Agent value is simply hard-coded in the source, so anyone who can reach the HTTP port can set that header and bypass authentication. With this unauthenticated access an attacker can read sensitive information such as usernames and stored password hashes, and can create new users. Note that the filter only runs when nacos.core.auth.enabled=true; in 1.4.0 the default is false, in which case every request is already unauthenticated and the header is not even needed.
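To make the decision concrete, the following is an added example (not Nacos source code) that models the filter's exemption logic before and after the fix. It assumes the old check is a prefix match on the User-Agent header, and that the hardened variant instead compares an operator-configured identity header against a secret value; the header name serverIdentity and the secret are placeholders.

```python
"""Model of the Nacos AuthFilter exemption decision, vulnerable vs hardened.

Added example, not Nacos source. Assumptions: the pre-1.4.1 check is a
prefix match on User-Agent; the hardened check compares a configured
identity header (name and value chosen by the operator) in constant time.
"""
import hmac

NACOS_SERVER_HEADER = "Nacos-Server"  # hard-coded value the old filter trusted


def vulnerable_is_exempt(headers, auth_enabled=True):
    """Pre-1.4.1 behaviour: skip authentication when auth is disabled, or
    when User-Agent merely *starts with* the hard-coded server name."""
    if not auth_enabled:
        return True
    user_agent = headers.get("User-Agent", "")
    return user_agent.startswith(NACOS_SERVER_HEADER)


def hardened_is_exempt(headers, identity_key, identity_value, auth_enabled=True):
    """Hardened behaviour: only a request carrying the operator-configured
    identity header with the correct secret value is exempt. With no identity
    configured, nothing is exempt, so a spoofed User-Agent buys nothing."""
    if not auth_enabled:
        return True
    if not identity_key or not identity_value:
        return False
    presented = headers.get(identity_key, "")
    return hmac.compare_digest(presented.encode(), identity_value.encode())


def decide(headers, token_is_valid, identity_key=None, identity_value=None,
           hardened=False):
    """Return 'allow' or 'deny' for a request to a protected endpoint:
    exempt requests pass without a token, everything else needs a valid one."""
    if hardened:
        exempt = hardened_is_exempt(headers, identity_key, identity_value)
    else:
        exempt = vulnerable_is_exempt(headers)
    return "allow" if exempt or token_is_valid else "deny"


if __name__ == "__main__":
    spoofed = {"User-Agent": "Nacos-Server"}
    print("vulnerable filter, spoofed UA, no token:",
          decide(spoofed, token_is_valid=False))
    print("hardened filter, spoofed UA, no token:",
          decide(spoofed, token_is_valid=False, hardened=True))
```

The prefix match matters in practice: any User-Agent beginning with the string, including the version-suffixed form a real server sends, is exempt, and nothing in the request ties it to an actual cluster member.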
Affected versions
Nacos <= 2.0.0-ALPHA.1
Nacos < 1.4.1
Nacos 1.4.1 introduced a configurable server identity for server-to-server calls (nacos.core.auth.server.identity.key and nacos.core.auth.server.identity.value) and a switch, nacos.core.auth.enable.userAgentAuthWhite, that turns the User-Agent exemption off. When upgrading, set that switch to false and configure an identity value; upgrading alone does not close the hole if the exemption is left enabled.
Environment build
The vulnerable environment is built with Docker. First write the docker-compose.yml configuration file:
```yaml
version: "3"
services:
  nacos:
    restart: always
    image: nacos/nacos-server:1.4.0
    container_name: nacos
    ports:
      - 8848:8848
    environment:
      MODE: standalone
```
Then run docker-compose up -d to pull the image and start the container.
Once the container is up, open the console at http://<host>:8848/nacos in a browser.
Vulnerability reproduction
1. View the user list (including stored password hashes)
Without logging in, request the following interface. With the default 1.4.0 configuration (auth disabled) a plain browser request works; if nacos.core.auth.enabled=true, send it through Burp or curl with the header User-Agent: Nacos-Server.
http://192.168.40.86:8848/nacos/v1/auth/users?pageNo=1&pageSize=1
2. Add a new user
Capture the request in Burp.
Then modify the request as follows (a POST to /nacos/v1/auth/users with username and password parameters, and User-Agent set to Nacos-Server). After sending it, the server reports that the user was created successfully.
Check the user list again to confirm that the new user test1 has been added.
Log in to Nacos as test1/test1; the login succeeds.