Ruby-SAML Bypass && GitLab SAML Bypass(CVE-2024-45409)

admin
admin
admin
139482
文章
114
评论
2024年10月12日10:10:00评论43 views字数 7988阅读26分37秒阅读模式
注:由于本地源码启动死活有问题故后续分析全为静态分析,故可能存在部分错误之处。
漏洞复现

Ruby-SAML Bypass && GitLab SAML Bypass(CVE-2024-45409)

漏洞分析

漏洞流程

在Gitlab中引入了omniauth这个三方库实现SAML认证功能(关于该库详细信息:https://github.com/omniauth/omniauth-saml),其被以中间键(middleware)形式注册于Gitlab后端rails-server上,在请求过程中会调用OmniAuth::Strategy#call方法,依次调用栈大致如下

OmniAuth::Strategy#callOmniAuth::Strategy#call!OmniAuth::Strategy#callback_callOmniAuth::Strategies::SAML#callback_phase

OmniAuth::Strategies::SAML#callback_phase方法中进行了如下处理,可以看到获取请求参数SAMLResponse并调用handle_response处理

def callback_phase        raise OmniAuth::Strategies::SAML::ValidationError.new("SAML response missing") unless request.params["SAMLResponse"]        with_settings do |settings|# Call a fingerprint validation method if there's one          validate_fingerprint(settings) if options.idp_cert_fingerprint_validator          handle_response(request.params["SAMLResponse"], options_for_response_object, settings) dosuperendendrescue Omnidef handle_response(raw_response, opts, settings)        response = OneLogin::RubySaml::Response.new(raw_response, opts.merge(settings: settings))        response.attributes["fingerprint"] = settings.idp_cert_fingerprint        response.soft = false# 注意此处,SAMLResponse校验,也就是这里面存在绕过        response.is_valid?        @name_id = response.name_id        @session_index = response.sessionindex        @attributes = response.attributes        @response_object = response        session["saml_uid"] = @name_id        session["saml_session_index"] = @session_indexyieldend

handle_response中也就出现了本次漏洞核心点,此处调用OneLogin::RubySaml::Response构造方法进行SAMLResponse解析,而本次漏洞就出现在这个Ruby-Saml解析库上,这里先完整梳理一下流程,稍作细节分析,在此处解析完毕后最终来到app/controllers/omniauth_callbacks_controller.rb中处理,在控制器类中存在如下全局代码片段

  AuthHelper.providers_for_base_controller.each do |provider|    alias_method provider, :handle_omniauthenddef handle_omniauthif ::AuthHelper.saml_providers.include?(oauth['provider'].to_sym)      samlelse      omniauth_flow(Gitlab::Auth::OAuth)endend

在此处将调用saml方法继续处理

// OmniauthCallbacksController#saml def saml    omniauth_flow(Gitlab::Auth::Saml)  rescue Gitlab::Auth::Saml::IdentityLinker::UnverifiedRequest    redirect_unverified_saml_initiation  end

此处继续调用OmniauthCallbacksController#omniauth_flow方法处理

// OmniauthCallbacksController#omniauth_flow  def omniauth_flow(auth_module, identity_linker: nil)    if fragment = request.env.dig('omniauth.params', 'redirect_fragment').presence      store_redirect_fragment(fragment)end    store_redirect_toif current_userreturn render_403 unless link_provider_allowed?(oauth['provider'])      // gitlab.rb  gitlab_rails['omniauth_providers']      set_session_active_since(oauth['provider']) if ::AuthHelper.saml_providers.include?(oauth['provider'].to_sym)      track_event(current_user, oauth['provider'], 'succeeded')if Gitlab::CurrentSettings.admin_modereturn admin_mode_flow(auth_module::User) if current_user_mode.admin_mode_requested?end      identity_linker ||= auth_module::IdentityLinker.new(current_user, oauth, session)return redirect_authorize_identity_link(identity_linker) if identity_linker.authorization_required?      link_identity(identity_linker)      // auth_module::User => Gitlab::Auth::Saml::User      current_auth_user = build_auth_user(auth_module::User)      set_remember_me(current_user, current_auth_user)      store_idp_two_factor_status(current_auth_user.bypass_two_factor?)if identity_linker.changed?        redirect_identity_linkedelsif identity_linker.failed?        redirect_identity_link_failed(identity_linker.error_message)else        redirect_identity_existsendelse      // auth_module::User => Gitlab::Auth::Saml::User      sign_in_user_flow(auth_module::User)endend

在该方法中在进行模块名拼接进而拼接出模块名并继续调用OmniauthCallbacksController#sign_in_user_flow方法

// OmniauthCallbacksController#sign_in_user_flow  def sign_in_user_flow(auth_user_class)    auth_user = build_auth_user(auth_user_class)# 创建Gitlab::Auth::Saml::User实例    new_user = auth_user.new?# 调用Gitlab::Auth::Saml::User#find_and_update!方法    @user = auth_user.find_and_update!if auth_user.valid_sign_in?# In this case the `#current_user` would not be set. So we can't fetch it# from that in `#context_user`. Pushing it manually here makes the information# available in the logs for this request.      Gitlab::ApplicationContext.push(user: @user)      track_event(@user, oauth['provider'], 'succeeded')      Gitlab::Tracking.event(self.class.name, "#{oauth['provider']}_sso", user: @user) if new_user      set_remember_me(@user, auth_user)      set_session_active_since(oauth['provider']) if ::AuthHelper.saml_providers.include?(oauth['provider'].to_sym)if @user.two_factor_enabled? && !auth_user.bypass_two_factor?        prompt_for_two_factor(@user)        store_idp_two_factor_status(false)elseif @user.deactivated?          @user.activate          flash[:notice] = _('Welcome back! Your account had been deactivated due to inactivity but is now reactivated.')        end# session variable for storing bypass two-factor request from IDP        store_idp_two_factor_status(true)        accept_pending_invitations(user: @user) if new_user        persist_accepted_terms_if_required(@user) if new_user        perform_registration_tasks(@user, oauth['provider']) if new_user        sign_in_and_redirect_or_verify_identity(@user, auth_user, new_user)      endelse      fail_login(@user)    end  rescue Gitlab::Auth::OAuth::User::IdentityWithUntrustedExternUidError    handle_identity_with_untrusted_extern_uid  rescue Gitlab::Auth::OAuth::User::SigninDisabledForProviderError    handle_disabled_provider  rescue Gitlab::Auth::OAuth::User::SignupDisabledError    handle_signup_error  end

Gitlab::Auth::OAuth::User#find_and_update!中逐层调用根据前期解析SAMResponse得到的信息构造用户对象

// Gitlab::Auth::OAuth::User#find_and_update!  def find_and_update!    save if should_save?    gl_user  end// Gitlab::Auth::OAuth::User#gl_user        def gl_userreturn @gl_user if defined?(@gl_user)          @gl_user = find_user        end

最终调用Gitlab::Auth::Saml::User#find_user获取具体用户

// Gitlab::Auth::Saml::User#find_user        def find_user          user = find_by_uid_and_provider# github.rb  gitlab_rails['omniauth_auto_link_user'] = ['openid_connect']# 当开启omniauth_auto_link_user后会通过邮箱去寻找对应用户作为认证的目标用户# 注意此处user||=也就是当user为null的时候才会执行后面表达式          user ||= find_by_email if auto_link_saml_user?          user ||= find_or_build_ldap_user if auto_link_ldap_user?# 开启注册功能的时候会自定进行用户创建          user ||= build_new_user if signup_enabled?if user# 设置用户external属性            user.external = !(auth_hash.groups & saml_config.external_groups).empty? if external_users_enabled?end          userend// Gitlab::Auth::OAuth::User#find_by_email        def find_by_emailreturn unless auth_hash.has_attribute?(:email)          ::User.find_by(email: auth_hash.email.downcase)end

在这几步中email信息存在于SAMLResponse中,也就是我们的切入点,通过伪造SAMLResponse将其中邮箱信息伪造为目标用户进而实现权限绕过。

Ruby-SAML 数据解析不当

OneLogin::RubySaml::Response将对我们的SAMLResponse进行解析
// OneLogin::RubySaml::Response#initialize      def initialize(response, options = {})        raise ArgumentError.new("Response cannot be nil") if response.nil?        @errors = []        @options = options        @soft = trueunless options[:settings].nil?          @settings = options[:settings]unless @settings.soft.nil?            @soft = @settings.soft          end        end# Base64解码并解析xml        @response = decode_raw_saml(response, settings)# 校验是否合法        @document = XMLSecurity::SignedDocument.new(@response, @errors)if assertion_encrypted?          @decrypted_document = generate_decrypted_document        end      end
在前面OmniAuth::Strategies::SAML#callback_phase方法中会调用OneLogin::RubySaml::Response#is_valid?进行SAMLResponse校验,该方法逻辑如下
def is_valid?(collect_errors = false)        validate(collect_errors)enddef validate(collect_errors = false)        reset_errors!return false unless validate_response_state        validations = [:validate_version,:validate_id,:validate_success_status,:validate_num_assertion,:validate_no_duplicated_attributes,:validate_signed_elements,:validate_structure,:validate_in_response_to,:validate_one_conditions,:validate_conditions,:validate_one_authnstatement,:validate_audience,:validate_destination,:validate_issuer,:validate_session_expiration,:validate_subject_confirmation,:validate_name_id,:validate_signature        ]if collect_errors          validations.each { |validation| send(validation) }          @errors.empty?else          validations.all? { |validation| send(validation) }endend
本次漏洞修复的主要代码就在这些校验方法里面(参考:https://github.com/SAML-Toolkits/ruby-saml/commit/1ec5392bc506fe43a02dbb66b68741051c5ffeae#diff-091398471b63b720a2fd9771bace3c21c3a590210259af1bf38446c1e0cf7598L240
Ruby-SAML Bypass && GitLab SAML Bypass(CVE-2024-45409)
如上图所示,修复代码中修改xpath节点获取获取表达式,使用//将从xml文档整个上下文去寻找该节点,而./则会从某个节点之下去寻找节点,而伪造的SAMLResponse中就是通过修改SMALResponse在原本SAMLReponse中dsig:DigestValue前面添加一个dsig:DigestValue绕过校验
Ruby-SAML Bypass && GitLab SAML Bypass(CVE-2024-45409)
漏洞利用脚本伪造的
Ruby-SAML Bypass && GitLab SAML Bypass(CVE-2024-45409)

坑点

目前公开的漏洞相关漏洞存在两个,一个为nuclei,还有一个是python脚本版本(Github搜索漏洞编号即可搜索到),两个脚本均存在一定BUG,nuclei相关脚本未修改校验时间,导致可能出现利用失败,另外一个python脚本属性修改不全面,存在失败场景,如下为python版本漏洞利用脚本修改后数据示例

Ruby-SAML Bypass && GitLab SAML Bypass(CVE-2024-45409)

结语

最近换螺丝厂子了,有点忙,没时间写啥东西,还有就是感谢Nacos那篇文章打赏的大哥(大哥真豪!)。

原文始发于微信公众号(安全之道):Ruby-SAML Bypass && GitLab SAML Bypass(CVE-2024-45409)

免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
  • 左青龙
  • 微信扫一扫
  • weinxin
  • 右白虎
  • 微信扫一扫
  • weinxin
admin
  • 本文由 发表于 2024年10月12日10:10:00
  • 转载请保留本文链接(CN-SEC中文网:感谢原作者辛苦付出):
                   Ruby-SAML Bypass && GitLab SAML Bypass(CVE-2024-45409)https://cn-sec.com/archives/3255822.html
                  免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉.

发表评论

匿名网友 填写信息