
POC details: 49b23e70689c425aa03c8ad29b4ab795a9f73c00

Source
Related vulnerability
Title: Red Hat Keycloak security vulnerability (CVE-2021-3754)
Description: Red Hat Keycloak is a software suite from the US company Red Hat that provides authentication and management functionality for modern applications and services. Red Hat Keycloak has a security vulnerability: an attacker can register with a username identical to the email ID of any existing user.
Description
Vulnerability details and exploit for CVE-2021-3754
Introduction
# CVE-2021-3754
This repository documents the vulnerability details and exploit for CVE-2021-3754, which I discovered and reported on 21st August 2021.

## Metrics
- [CWE-20: Improper Input Validation](https://cwe.mitre.org/data/definitions/20.html)
- [CVSS: 5.3 (MEDIUM)](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?name=CVE-2021-3754&vector=AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L&version=3.1&source=NIST)

## Description
A flaw was found in Apache Keycloak & Redhat SSO where an attacker is able to register with a username identical to the email ID of any existing user.
This is caused by usernames being evaluated before emails.
Keycloak allows an email address to be used as a username and does not check that an account with this email already exists.

![login](img-src/login.png)

## Impact
Because of this behavior, a user who forgets their password may not receive the password recovery email, temporarily locking them out of their account.
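To make the lookup-order problem concrete, the following model (an added example, not Keycloak's or the author's code; the `Realm` class, its flags and the sample users are constructed assumptions) resolves identifiers username-first, the way the description above states, and shows where a "forgot password" mail ends up before and after a registration-time check and with the "Email as username" workaround:

```python
"""Toy model of the CVE-2021-3754 lookup order and two defences.
Constructed example: Realm, its flag names and the users are assumptions."""
from dataclasses import dataclass


@dataclass
class User:
    username: str
    email: str


class Realm:
    def __init__(self, email_as_username=False, strict_registration=False):
        self.users = []
        self.email_as_username = email_as_username      # Red Hat workaround
        self.strict_registration = strict_registration  # added input check

    def register(self, username, email):
        if self.email_as_username:
            username = email  # realm forces username == email
        if any(u.username == username for u in self.users):
            raise ValueError("username taken")
        if any(u.email == email for u in self.users):
            raise ValueError("email taken")
        # Hardened path: a username that equals another account's email
        # would be resolved ahead of the real owner by find_user().
        if self.strict_registration and any(u.email == username for u in self.users):
            raise ValueError("username collides with an existing email")
        self.users.append(User(username, email))

    def find_user(self, identifier):
        # Usernames are evaluated before emails (the flawed order).
        for u in self.users:
            if u.username == identifier:
                return u
        for u in self.users:
            if u.email == identifier:
                return u
        return None

    def password_reset_target(self, identifier):
        """Address the recovery mail for `identifier` is sent to, or None."""
        u = self.find_user(identifier)
        return u.email if u else None


def demo(**flags):
    """Victim registers first; a second account then claims her email as username."""
    r = Realm(**flags)
    r.register("alice", "alice@example.com")            # constructed victim
    try:
        r.register("alice@example.com", "mallory@example.com")
    except ValueError:
        return "registration refused"
    return r.password_reset_target("alice@example.com")
```

With default flags the recovery mail for alice's address is routed to the second account; the strict check refuses that registration, and "Email as username" keeps alice's own record first in the lookup.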

![forgot password](img-src/forgot_password.png)

## Mitigation (as suggested by Redhat)
The workaround is to enable the "Email as username" flag or disable "Login with email" in the login settings.
The official advisory by the Open Link plugin maintainer can be found at https://access.redhat.com/security/cve/cve-2021-3754.

![settings](img-src/settings.png)

## Proof of Concept/Exploit
Following is a proof of concept video that I initially reported to Redhat, which demonstrates the complete vulnerability along with exploitation steps [CLICK THE THUMBNAIL]:

[![CVE-2021-3754 EXPLOIT / POC](img-src/1694080699.png)](https://youtu.be/5L27TiHcMPU)[<-- Click here]

## Notes
- Please note that the mitigation suggested by Redhat is temporary and the root issue of improper input validation has not been fixed by Redhat/Keycloak.
- Note that the mitigation suggested above by Redhat for Keycloak has not been tested and verified by myself.
- Note that if you are using Keycloak/Redhat SSO in any of your products/applications, you are still vulnerable. I have verified that Redhat SSO is still vulnerable to this issue to this date.
- If you are using keycloak and you have not configured the login screen settings properly, you might still be vulnerable.

## Important Links
- https://nvd.nist.gov/vuln/detail/CVE-2021-3754
- https://www.cvedetails.com/cve/CVE-2021-3754/
- https://bugzilla.redhat.com/show_bug.cgi?id=1999196
- https://access.redhat.com/security/cve/CVE-2021-3754
- https://github.com/advisories/GHSA-j9xq-j329-2xvg
- https://vulners.com/cve/CVE-2021-3754
- https://www.tenable.com/cve/CVE-2021-3754

File snapshot

```
[4.0K] /data/pocs/49b23e70689c425aa03c8ad29b4ab795a9f73c00
├── [4.0K] img-src
│   ├── [ 17K] 1694080699.png
│   ├── [179K] forgot_password.png
│   ├── [193K] login.png
│   └── [240K] settings.png
├── [1.0K] LICENSE
└── [2.5K] README.md

1 directory, 6 files
```