CVE-2019-16097 Harbor privilege escalation vulnerability analysis - Vulnerability Warning - 黑吧安全网 (myhack58)

Published: 2019-09-23 00:00:00
Author: Anonymous (佚名)
Source: www.myhack58.com

Harbor is an enterprise Registry server for storing and distributing Docker images. It extends the open-source Docker Distribution with features an enterprise needs, such as security, identity and management. As an enterprise-grade private Registry server, Harbor offers better performance and security, and improves the efficiency of transferring images when users build and run environments from a Registry. Harbor supports replicating image resources across multiple Registry nodes, and all images are kept in the private Registry, so data and intellectual property stay under the control of the company's internal network. Harbor also provides advanced security features such as user management, access control and activity auditing.
Unit 42 security researcher Aviv Sasson discovered a serious vulnerability in Harbor: an attacker can exploit it by sending a malicious request and take control of the Harbor registry. Unit 42 researchers found more than 1,300 Harbor Registry servers running the vulnerable default configuration that are reachable from the Internet.
Background
Researchers found a serious privilege escalation vulnerability in the Harbor project: in the default configuration, an attacker can exploit it to obtain admin privileges. The vulnerability was published on September 10 and assigned CVE-2019-16097.
Harbor's popularity has been rising over the past 4 years, and in the last 11 months it became a CNCF incubating project. Sponsors and enterprise users of the Harbor project include:
![Figure 1. Harbor project sponsors and enterprise users](/Article/UploadPic/2019-9/2019923163927504.png)
Figure 1. Harbor project sponsors and enterprise users
Vulnerability
The vulnerability is very serious because, once admin privileges are obtained, many attack vectors become available. An attacker can download and view all private projects, delete images in the registry, and even replace images to poison the registry. An attacker can create a new user and set it as admin; after that, the attacker can connect to the Harbor registry with the Docker command-line tool using the new credentials and replace the current images. A malicious image could, for example, contain malware or a crypto-currency miner.
POC video below:
https://www.biantube.com/watch/LBgIKqdfF1k
Vulnerability analysis
First, look at the User structure:
![Figure 2. The User structure in the Harbor source code](/Article/UploadPic/2019-9/2019923163927590.png)
Figure 2. The User structure in the Harbor source code
The field the researchers focused on is HasAdminRole, whose purpose is to indicate whether the user is an admin. If it can be set to True, the goal of the attack is achieved.
So how can that be done? Start by analysing the API calls: anyone who looks at the handlers for /api/users will find some interesting calls:
Figure 3. /api/users
Sending a POST request reaches the code responsible for registering new users.
![Figure 4. POST request processing logic](/Article/UploadPic/2019-9/2019923163928599.png)
Figure 4. POST request processing logic
The vulnerability is located at user.go:317:
if err := ua.DecodeJSONReq(&user); err != nil {
This line takes the data from the POST request and decodes it into the user object.
A normal request payload looks like this:
{"username":"test","email":"[email protected]","realname":"no name","password":"Password1\u0021","comment":null}
The problem is that an attacker can add the has_admin_role parameter to the request. Sending "has_admin_role" = "True" in the request creates the user as an admin.
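As an added example (not code from the article or from the Harbor project), the Go snippet below shows the mass-assignment pattern the article describes beside a hardened version: the vulnerable handler decodes the request body straight into the full User model, so a client-supplied has_admin_role is honoured, while the fixed handler decodes into a request type that has no privilege field and rejects unknown keys. Struct, field and function names are assumptions, not Harbor's own.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
)

// User stands in for Harbor's User model as the article describes it: the
// privilege flag sits on the struct the registration handler decodes the
// request body into. Field and tag names here are assumptions.
type User struct {
	Username     string `json:"username"`
	Password     string `json:"password"`
	HasAdminRole bool   `json:"has_admin_role"`
}

// registerVulnerable reproduces the mass-assignment defect: the body goes
// straight into the model, so a client-supplied has_admin_role is honoured.
func registerVulnerable(body []byte) (u User, err error) {
	err = json.Unmarshal(body, &u)
	return
}

// registrationRequest is the hardened input type. It has no privilege
// field, so nothing in the request body can reach User.HasAdminRole.
type registrationRequest struct {
	Username string `json:"username"`
	Password string `json:"password"`
}

// registerFixed decodes into the request type and rejects unknown keys, so an
// injected has_admin_role is refused, not silently dropped; self-registration
// never grants admin, which belongs on a separate admin-only path.
func registerFixed(body []byte) (User, error) {
	dec := json.NewDecoder(bytes.NewReader(body))
	dec.DisallowUnknownFields()
	var req registrationRequest
	if err := dec.Decode(&req); err != nil {
		return User{}, err
	}
	return User{Username: req.Username, Password: req.Password}, nil
}

func main() {
	// Constructed payload carrying the injected flag; not captured from any system.
	body := []byte(`{"username":"test","password":"Password1!","has_admin_role":true}`)
	u, _ := registerVulnerable(body)
	fmt.Println("vulnerable path grants admin:", u.HasAdminRole) // true
	fmt.Println(registerFixed(body)) // error: json: unknown field "has_admin_role"
}
```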
Exploit
The researchers wrote a simple Python script that sends a POST request to /api/users to create a new user with admin permissions; all that is needed is the has_admin_role parameter set to True in the request body. After running the script, the only remaining step is to open Harbor in a browser and log in with the newly created user.
Solutions
The Harbor team released a patch that fixes this vulnerability: on September 18 it published Harbor versions 1.7.6 and 1.8.3 as security updates. The release notes say the problem is solved by forbidding the creation of admin users during registration.
The developers added a check that prevents a non-administrator user from creating a new admin user. The vulnerability exists in versions 1.7.0 to 1.8.2, so the researchers recommend that users update to the latest version.