[et_pb_section fb_built=”1″ _builder_version=”4.17.3″ _module_preset=”default” custom_padding=”0px||||false|false” global_colors_info=”{}”][et_pb_row _builder_version=”4.17.3″ _module_preset=”default” global_colors_info=”{}”][et_pb_column type=”4_4″ _builder_version=”4.17.3″ _module_preset=”default” global_colors_info=”{}”][et_pb_image src=”https:\/\/www.dsecbypass.com\/wp-content\/uploads\/2022\/05\/actuator_example.png” alt=”Apereo CAS actuator” title_text=”actuator_example” _builder_version=”4.17.4″ _module_preset=”default” width=”50%” module_alignment=”center” height=”476px” global_colors_info=”{}”][\/et_pb_image][et_pb_text _builder_version=”4.17.4″ _module_preset=”default” global_colors_info=”{}”]<\/p>\n
During a mission, a DSecBypass pentester was confronted with the Java Apereo CAS software. It was possible to bypass software-managed SSO authentication by exploiting a Spring Boot Actuator configuration flaw.<\/p>\n
\nEnterprise SSO – CAS provides a friendly open source community that actively supports and contributes to the project. Although the project is rooted in higher education open source, it has grown to reach an international audience spanning Fortune 500 companies and small special-purpose facilities.(https:\/\/www.apereo.org\/projects\/cas<\/a>)<\/em>
<\/span><\/p>\n<\/blockquote>\nThe code can be found on the project’s GitHub: https:\/\/github.com\/apereo\/cas<\/a>.<\/p>\n
It is an effectively active project, strongly represented in higher education establishments in France and internationally.<\/p>\n
[\/et_pb_text][et_pb_text _builder_version=”4.17.4″ _module_preset=”default” global_colors_info=”{}”]<\/p>\n
Spring Boot Actuator<\/h2>\n
Applications developed with the Java Spring MVC framework expose on their HTTP\/HTTPS services an endpoint<\/em> called actuator <\/em>(Spring Boot Actuator). As the Spring documentation<\/a> mentions, Actuator allows to monitor the health of the different services of the application and will expose all services by default. The developer has several possibilities to restrict access to these features:
<\/em><\/p>\n\n
- Include Spring Security in your project to secure Actuator endpoints with Basic HTTP authentication<\/li>\n
- Setting up Spring<\/a> so as to expose only a well-chosen list of functionalities<\/li>\n
- Block access to actuator features using front-end equipment (reverse proxy, application firewall)<\/li>\n<\/ul>\n
Attacks on Actuator<\/h2>\n
One of the fundamental principles of computer security is to limit the attack surface. In particular, for web applications in production, it is strongly recommended to disable or restrict access to unnecessary features for the end user.<\/p>\n
Actuator is one of those features that are not needed by the end user and should not be accessible. Indeed, some features are a direct threat to the security of the application:<\/p>\n
\n
- heapdump – dumps the contents of the process memory (heap)<\/li>\n
- env – displays the value of application variables<\/li>\n<\/ul>\n
The usual attack techniques are already covered in this article : https:\/\/www.veracode.com\/blog\/research\/exploiting-spring-boot-actuators<\/a>.<\/p>\n
\n
Exploiting a vulnerable Apereo CAS server<\/h2>\n
Apereo CAS is no exception and can also expose actuator endpoints by accessing the path “https:\/\/VULNERABLE_CAS\/cas\/actuator”. A description of the available endpoints can be found in the following file : https:\/\/github.com\/apereo\/cas\/blob\/master\/docs\/cas-server-documentation-processor\/src\/main\/resources\/actuators.properties<\/a><\/p>\n
Although not common, some misconfigured<\/strong> CAS expose the actuator with the env<\/em> or heapdump<\/em> endpoints.<\/p>\n
In the case of env,<\/em> simply reading the returned values will sometimes yield database accounts, internal IPs and URLs, and other potentially sensitive parameters.<\/p>\n
If heapdump<\/em> is accessible, then CAS credentials<\/strong> can be retrieved from process memory using the following Linux command:<\/p>\n
\ncurl -s https:\/\/VULNERABLE_CAS\/cas\/actuator\/heapdump | strings | grep -oE “username=(.*)&execution”<\/p>\n<\/blockquote>\n
Be careful to perform these actions on applications that belong to you or for which you have received authorization to operate an intrusion test.<\/p>\n
<\/p>\n
Securing Apereo CAS<\/h2>\n
Configuring Actuator endpoints is covered in the official documentation: https:\/\/apereo.github.io\/cas\/6.0.x\/monitoring\/Monitoring-Statistics.html<\/a>.<\/p>\n
It is mentionned that only info<\/em>, status<\/em>, health<\/em> and configurationMetadata <\/em>endpoints are exposed by default. You should therefore ensure that this is also the case in your application. In order to reduce the attack surface of Apereo CAS, it is also advisable not to expose the actuator URL (\/cas\/actuator\/*) on the Internet and to configure the authentication to access it with the following parameter:<\/p>\n
\ncas.monitor.endpoints.endpoint.status.access<\/span>=<\/span>AUTHENTICATED<\/span><\/code><\/pre>\n<\/blockquote>\n[\/et_pb_text][\/et_pb_column][\/et_pb_row][et_pb_row _builder_version=”4.17.3″ _module_preset=”default” global_colors_info=”{}”][et_pb_column type=”4_4″ _builder_version=”4.17.3″ _module_preset=”default” global_colors_info=”{}”][et_pb_text _builder_version=”4.17.4″ _module_preset=”default” global_colors_info=”{}”]<\/p>\n
\ud83d\udee1\ufe0f DSecBypass supports you in securing you applications during website pentests<\/a> or external pentests<\/a>, with quality services and significant experience in this type of service. Do not hesitate to contact <\/a>us for additional information and\/or a personalized quote \ud83d\udcdd.<\/span><\/p>\n
[\/et_pb_text][\/et_pb_column][\/et_pb_row][et_pb_row _builder_version=”4.17.3″ _module_preset=”default” global_colors_info=”{}”][et_pb_column type=”4_4″ _builder_version=”4.17.3″ _module_preset=”default” global_colors_info=”{}”][et_pb_button button_url=”https:\/\/www.dsecbypass.com\/en\/contact\/” button_text=”CONTACT US” button_alignment=”center” _builder_version=”4.17.4″ _module_preset=”default” custom_button=”on” button_text_size=”13px” button_bg_color=”#4328b7″ button_border_width=”10px” button_border_color=”#4328b7″ button_border_radius=”0px” button_letter_spacing=”2px” button_font=”Titillium Web|700||on|||||” background_layout=”dark” global_colors_info=”{}”][\/et_pb_button][\/et_pb_column][\/et_pb_row][\/et_pb_section]<\/p>\n","protected":false},"excerpt":{"rendered":"
During a mission, a DSecBypass pentester was confronted with the Java Apereo CAS software. It was possible to bypass software-managed SSO authentication by exploiting a Spring Boot Actuator configuration flaw.<\/p>\n","protected":false},"author":4,"featured_media":1661,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_et_pb_use_builder":"on","_et_pb_old_content":"","_et_gb_content_width":"","footnotes":""},"categories":[34],"tags":[],"class_list":["post-1803","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog-en"],"_links":{"self":[{"href":"https:\/\/www.dsecbypass.com\/en\/wp-json\/wp\/v2\/posts\/1803","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.dsecbypass.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.dsecbypass.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.dsecbypass.com\/en\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.dsecbypass.com\/en\/wp-json\/wp\/v2\/comments?post=1803"}],"version-history":[{"count":18,"href":"https:\/\/www.dsecbypass.com\/en\/wp-json\/wp\/v2\/posts\/1803\/revisions"}],"predecessor-version":[{"id":2475,"href":"https:\/\/www.dsecbypass.com\/en\/wp-json\/wp\/v2\/posts\/1803\/revisions\/2475"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.dsecbypass.com\/en\/wp-json\/wp\/v2\/media\/1661"}],"wp:attachment":[{"href":"https:\/\/www.dsecbypass.com\/en\/wp-json\/wp\/v2\/media?parent=1803"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.dsecbypass.com\/en\/wp-json\/wp\/v2\/categories?post=1803"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.dsecbypass.com\/en\/wp-json\/wp\/v2\/tags?post=1803"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}