- vừa được xem lúc

CVE-2024-4142 Privilege Escalation in Jfrog Artifactory

0 0 12

Người đăng: Real Alpha Man

Theo Viblo Asia

When I was feeling bored and scrolling down the twitter, suddenly I catched up a status https://twitter.com/matthias_kaiser/status/1786264686146560251

Immediately I downloaded Jfrog artifactory to audit it.

1. Vulnerable fix

The code didn't change much, I got the change after a few minutes

image.png

Basically, in vulnerable version, Jfrog developer team checked the requested group names with the function AppliedPermissionsScopeToken.isIdentityToken, meanwhile in fixed one they removed that check.

Now let's start to find out what was happened.

2. Finding the source

I will summerize the way from source to that sink:

org.artifactory.rest.resource.token.TokenResource#createOrRefreshToken --> org.artifactory.rest.resource.token.TokenResource#createToken --> org.artifactory.security.access.AccessServiceImpl#createToken(org.artifactory.api.security.access.TokenSpec) --> org.artifactory.security.access.AccessServiceImpl#createToken(org.artifactory.api.security.access.TokenSpec, boolean, boolean) --> org.artifactory.security.access.AccessServiceImpl#assertLoggedInCanCreateToken --> org.artifactory.security.access.AccessServiceImpl#assertNonAdminUserCanCreateToken --> org.artifactory.security.access.AccessServiceImpl#assertValidScopeForNonAdmin(java.util.List<java.lang.String>) --> org.artifactory.security.access.AccessServiceImpl#assertValidGroupsForNonAdmin

The API that is handled by org.artifactory.rest.resource.token.TokenResource#createOrRefreshToken is /artifactory/api/security/token

This API is well described here https://jfrog.com/help/r/jfrog-platform-administration-documentation/access-tokens

This API is used to create a token, with the username and the scope is taken from user input (and basic authorization or bearer). The first parameter is username, which is equal with current context user

image.png

But, the funniest thing here is scope parameter, where user and input the scope for this API token. There are 9 types of scope that are accepted (well described in the above document, or you can take it when debugging)

image.png

I wont go to the detail of each one, but I will present more carefully about all that are related. The first 2 are applied-permissions/groups: and member-of-groups:, will assign group's permission for the token. And other is applied-permissions/user - provides user access. If left at the default setting, the token will be created with the user-identity scope, which allows users to identify themselves in the Platform but does not grant any specific access permissions.

We can grant one or more scopes for the token, by adding space character in scope value. It is handled by org.jfrog.access.util.TokenScopeUtils#splitScopeToList.

It checks if there is a character in the value of scope, it will break the string and add them to the list.

image.png

To sum up, if you want to grant permission of more than one group, you need to send a request with parameter like:

username=TEST&scope=member-of-groups:test%20applied-permissions/groups:readers

The scope will equal ["test","readers"].

Now, back to the vulnerable location.

image.png

I will explain briefly: they check if the number of group is not equal 1, or requested groups not contain *, and AppliedPermissionsScopeToken.isIdentityToken(scope) == false.

Go to org.artifactory.security.access.AppliedPermissionsScopeToken#isIdentityToken, it checks if scope has applied-permissions/user.

image.png

So, whenever in the scope has applied-permissions/user, the token is created (with permission of other groups we input).

Imagine if the server have a group with administrator permission, can we assign it to the token?

To verify my hypothesis, I created a uesrname test, a group named admin with admin privilege. Then I sent a request with 2 group: readers (test belongs to) and admin (test doesnt belong to)

image.png

The result show that it is not accepted. Then I changed to member-of-groups:admin%20applied-permissions/user

image.png

I got a token. Now, use that token to check if I can use it with admin privilege

image.png

Yes it is.

3. Summarize

This is a vulnerabilty that is hard to exploit in the real world in my opinion, because the server need to have a admin group first (we need to know the name), and enable for anonymous access if we want a full authentication bypass vulnerability.

I am not sure it is the original vulnerability of the author, maybe there is another way to exploit it with other scopes. Waiting for any experts to explain it if they did it.

Bình luận

Bài viết tương tự

- vừa được xem lúc

Tổng hợp các bài hướng dẫn về Design Pattern - 23 mẫu cơ bản của GoF

Link bài viết gốc: https://gpcoder.com/4164-gioi-thieu-design-patterns/. Design Patterns là gì. Design Patterns không phải là ngôn ngữ cụ thể nào cả.

0 0 302

- vừa được xem lúc

Học Spring Boot bắt đầu từ đâu?

1. Giới thiệu Spring Boot. 1.1.

0 0 277

- vừa được xem lúc

Cần chuẩn bị gì để bắt đầu học Java

Cần chuẩn bị những gì để bắt đầu lập trình Java. 1.1. Cài JDK hay JRE.

0 0 50

- vừa được xem lúc

Sử dụng ModelMapper trong Spring Boot

Bài hôm nay sẽ là cách sử dụng thư viện ModelMapper để mapping qua lại giữa các object trong Spring nhé. Trang chủ của ModelMapper đây http://modelmapper.org/, đọc rất dễ hiểu dành cho các bạn muốn tìm hiểu sâu hơn. 1.

0 0 194

- vừa được xem lúc

[Java] 1 vài tip nhỏ khi sử dụng String hoặc Collection part 1

. Hello các bạn, hôm nay mình sẽ chia sẻ về mẹo check String null hay full space một cách tiện lợi. Mình sẽ sử dụng thư viện Lớp StringUtils download file jar để import vào thư viện tại (link).

0 0 71

- vừa được xem lúc

Deep Learning với Java - Tại sao không?

Muốn tìm hiểu về Machine Learning / Deep Learning nhưng với background là Java thì sẽ như thế nào và bắt đầu từ đâu? Để tìm được câu trả lời, hãy đọc bài viết này - có thể kỹ năng Java vốn có sẽ giúp bạn có những chuyến phiêu lưu thú vị. DJL là tên viết tắt của Deep Java Library - một thư viện mã ng

0 0 139