new post module: rancher audit logs sensitive information leak (CVE-2023-22649) #18962
Conversation
| } | ||
| ) | ||
| ) | ||
| register_advanced_options [ |
There was a problem hiding this comment.
| register_advanced_options [ | |
| # docker install, and default path according to https://ranchermanager.docs.rancher.com/how-to-guides/advanced-user-guides/enable-api-audit-log#api-audit-log-options | |
| register_options [ |
I know this is unlikely to be changed, but in the event it needs to be changed, users should see it. I'd also be fine if this got left as an advanced option and the warning message contained a reference to changing the advanced option.
| usernames_found += usernames | ||
| end | ||
|
|
||
| usernames_found.uniq.each do |username| |
There was a problem hiding this comment.
Any reason not to store these directly?
There was a problem hiding this comment.
store them as in creds? if so, because it's only a username and from my memory we don't store just usernames
There was a problem hiding this comment.
I made a couple of minor changes in f579ec7 to fix the table printing and document the version I used for testing. Once those changes pass the auto-tests, I'll get this landed. Thanks!
Testing Output (rancher v2.8.1):
metasploit-framework (S:2 J:1) post(linux/gather/rancher_audit_log_leak) > rerun
[*] Reloading module...
[+] Rancher log saved to: /home/smcintyre/.msf4/loot/20240410112703_default_192.168.159.13_rancher.api.log_376359.txt
[+] Found X-Api-Auth-Header Bearer TOTESLEGITLOLZ
[+] Found X-Api-Set-Cookie-Header: __cf_bm=qJZbh1XgMjrlnXDN97fsTR_Uj85He5TfPGtGug7xS5I-1712762186-1.0.1.1-wVGWMfCxXh8TpMzB4HCyiZ2YLwBclH3JggRCz_cOXoP4h_LKcIjXoTA_fjNjyg6DRd421yKhE.t222optKu5ZG2zZm.7oFnLDe8hw.jWNsc; path=/; expires=Wed, 10-Apr-24 15:46:26 GMT; domain=.digitalocean.com; HttpOnly; Secure; SameSite=None
[+] Found X-Api-Auth-Header token-876ss:v9q46nxt4grflb9mqn5s2d54bzscjstp48zzrpt6trdjkz52tns98q
[+] Found X-Amz-Security-Token FINDME
Leaked Information
==================
Field Value Location
----- ----- --------
Username admin Requests
X-Amz-Security-Token FINDME requestHeader
X-Api-Auth-Header Bearer TOTESLEGITLOLZ requestHeader
X-Api-Auth-Header token-876ss:v9q46nxt4grflb9mqn5s2d54bzscjstp48zzrpt6trdjkz52tns98q requestHeader
X-Api-Set-Cookie-Header __cf_bm=qJZbh1XgMjrlnXDN97fsTR_Uj85He5TfPGtGug7xS5I-1712762186-1.0.1.1-wVGWMfCxXh8TpMzB4HCyiZ2YLwBclH3JggRCz_cOXoP4h_LKcIjXoTA_fjNjyg6DRd421yK responseHeader
hE.t222optKu5ZG2zZm.7oFnLDe8hw.jWNsc; path=/; expires=Wed, 10-Apr-24 15:46:26 GMT; domain=.digitalocean.com; HttpOnly; Secure; SameSite=None
[*] Post module execution completed
metasploit-framework (S:2 J:1) post(linux/gather/rancher_audit_log_leak) >
| ### Install | ||
|
|
||
| Run the following docker command: | ||
| `docker run -d --restart=unless-stopped -p 80:80 -p 443:443 -e AUDIT_LEVEL=3 -v /var/log/rancher/auditlog:/var/log/auditlog --privileged rancher/rancher:v2.6.0` |
There was a problem hiding this comment.
I had trouble getting this to work and ended up changing the version number to 2.8.1. It was definitely an issue with the docker image though and not the module.
smcintyre-r7
added
the
rn-modules
Release NotesThis adds a post module to leverage CVE-2023-22649 which is a sensitive information leak in the rancher service's audit logs. |
Rancher versions between 2.6.0-2.6.13, 2.7.0-2.7.9, 2.8.0-2.8.1 inclusive
contain a vulnerability where sensitive data is leaked into the audit logs.
Rancher Audit Logging is an opt-in feature, only deployments that have it
enabled and have AUDIT_LEVEL set to 1 or above are impacted by this issue.
Tested against rancher 2.6.0.
Verification
List the steps needed to make sure this thing works
use post/linux/gather/rancher_audit_log_leakset session [#]run