
PoC details: 08f8821817dd6189ee4278cdd7b7b40179b81b02

Source
Related vulnerability
Title: Apache StreamPipes security feature issue vulnerability (CVE-2024-29868)
Description: Apache StreamPipes is a self-service (industrial) IoT toolbox from the Apache Software Foundation (USA) that enables non-technical users to connect, analyze and explore IIoT data streams. Apache StreamPipes versions 0.69.0 through 0.93.0 contain a security feature issue vulnerability caused by a cryptographically weak pseudo-random number generator (PRNG), which allows an attacker to guess the recovery token in a reasonable time and thereby take over the attacked user's account.
Description
Proof of concept of CVE-2024-29868 affecting Apache StreamPipes from 0.69.0 through 0.93.0
Introduction
# CVE-2024-29868: Use of Cryptographically Weak PRNG in Recovery Token Generation

![cover](cover.png)

This repository contains the proof of concept for **CVE-2024-29868**, which affects Apache StreamPipes from v0.69.0 through v0.93.0.
**Description**: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) vulnerability in the Apache StreamPipes user self-registration and password recovery mechanism. This allows an attacker to guess the recovery token in a reasonable time and thereby take over the attacked user's account.
This PoC demonstrates how it is possible to take over the admin account of the affected application.

### Repository Structure:

-   The `/lab-setup` directory contains the files needed to spin up a local testing environment in which the vulnerability can be reproduced:
    -   `docker-compose.yml` file with all the necessary services.
    -   `.env` environment variables file.
-   The `/detection` directory contains two Project Discovery Nuclei templates:
    -   `apache-streampipes-detect.yaml`: template to detect Apache StreamPipes installations.
    -   `CVE-2024-29868.yaml`: template to identify the CVE-2024-29868 vulnerability.
-   The `/exploitation` directory contains the code to compile the cracker and instructions on how to use it.

Clone this repository and follow the `README.md` instructions in the respective directories.

### Resources & References:

-   [https://lists.apache.org/thread/zqn5z48gz7bp0q8ctk96ht8bc7vd3njv](https://lists.apache.org/thread/zqn5z48gz7bp0q8ctk96ht8bc7vd3njv)
-   [https://www.cve.org/CVERecord?id=CVE-2024-29868](https://www.cve.org/CVERecord?id=CVE-2024-29868)
-   [https://labs.yarix.com/2024/06/cve-2024-29868/](https://labs.yarix.com/2024/06/cve-2024-29868/)
-   [https://github.com/alex91ar/randomstringutils/tree/master](https://github.com/alex91ar/randomstringutils/tree/master)
-   [https://github.com/jhipster/generator-jhipster/issues/10401](https://github.com/jhipster/generator-jhipster/issues/10401)
-   [https://cwe.mitre.org/data/definitions/338.html](https://cwe.mitre.org/data/definitions/338.html)
-   [https://commons.apache.org/proper/commons-lang/apidocs/org/apache/commons/lang3/RandomStringUtils.html](https://commons.apache.org/proper/commons-lang/apidocs/org/apache/commons/lang3/RandomStringUtils.html)
-   [https://docs.oracle.com/javase/8/docs/api/java/util/Random.html](https://docs.oracle.com/javase/8/docs/api/java/util/Random.html)
File snapshot

```
[4.0K] /data/pocs/08f8821817dd6189ee4278cdd7b7b40179b81b02
├── [1.4M] cover.png
├── [4.0K] detection
│   ├── [1.1K] apache-streampipes-detect.yaml
│   ├── [2.0K] CVE-2024-29868.yaml
│   ├── [4.0K] img
│   │   └── [ 63K] 01-Template_output.png
│   └── [ 950] README.md
├── [4.0K] exploitation
│   ├── [9.7K] crack.c
│   ├── [4.0K] img
│   │   ├── [ 68K] 01-Necessary_configuration.png
│   │   ├── [ 42K] 02-Create_new_account.png
│   │   ├── [ 45K] 03-Register_new_user.png
│   │   ├── [ 40K] 04-Use_the_forgot_password_functionality.png
│   │   ├── [ 51K] 05-Require_reset_token_for_attacker_account.png
│   │   ├── [ 60K] 06-Attacker_requested_password_reset_token.png
│   │   ├── [ 90K] 07-Compile_the_cracker.png
│   │   ├── [116K] 08-Cracked_token.png
│   │   ├── [ 52K] 09-Ask_password_reset_token_for_admin_account.png
│   │   ├── [ 59K] 10-Token_received_by_the_admin_e-mail_account.png
│   │   ├── [160K] 11-Token_predicted.png
│   │   ├── [ 44K] 12-Using_the_recovered_token_the_attacker_can_set_a_new_password_for_the_admin_account.png
│   │   └── [ 52K] Streampipes_attack_infographic.png
│   └── [2.9K] README.md
├── [4.0K] lab-setup
│   ├── [3.8K] docker-compose.yml
│   ├── [4.0K] img
│   │   ├── [ 82K] 01-Select_configuration_option.png
│   │   ├── [ 76K] 02-Select_the_mail_option.png
│   │   ├── [ 54K] 03-Mailserver_configuration.png
│   │   └── [ 59K] 04-General_configuration.png
│   └── [1.4K] README.md
└── [2.4K] README.md

6 directories, 27 files
```
Cached for you by the Shenlong bot
Notes
    1. It is recommended to access the PoC via the original source first.
    2. If the source is no longer available or cannot be reached, send an e-mail to f.jinxu#gmail.com to request the local snapshot (replace # with @).
    3. Shenlong has taken a snapshot of the PoC code for you; to support long-term maintenance, please consider paying for or donating to the local PoC archive. Thank you for your support.