Proof of concept of CVE-2024-29868 affecting Apache StreamPipes from 0.69.0 through 0.93.0# CVE-2024-29868: Use of Cryptographically Weak PRNG in Recovery Token Generation
This repository contains the proof of concept related to **CVE-2024-29868** that affects Apache StreamPipes from v0.69.0 through 0.93.0.
**Description**: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) vulnerability in Apache StreamPipes user self-registration and password recovery mechanism. This allows an attacker to guess the recovery token in a reasonable time and thereby to take over the attacked user's account.
This POC demonstrate how it's possible to take over the admin account of the affected application.
### Repository Structure:
- The `/lab-setup` directory contains the necessary files to spin up a local testing environment where it's possible to reproduce the vulnerabilility:
- `docker-compose.yml` file with all the necessary services.
- `.env` environment variables file.
- The `/detection` directory contains 2 Project Discovery's Nuclei templates:
- `apache-streampipes-detect.yaml`: template to detect Apache StreamPipes installations.
- `CVE-2024-29868.yaml`: template to identify CVE-2024-29868 vulnerability.
- The `/exploitation` directory contains the code to compile the cracker and instructions on how to use it.
Clone this repository and follow the `README.md` instructions in the respective directories.
### Resources & References:
- [https://lists.apache.org/thread/zqn5z48gz7bp0q8ctk96ht8bc7vd3njv](https://lists.apache.org/thread/zqn5z48gz7bp0q8ctk96ht8bc7vd3njv)
- [https://www.cve.org/CVERecord?id=CVE-2024-29868](https://www.cve.org/CVERecord?id=CVE-2024-29868)
- [https://labs.yarix.com/2024/06/cve-2024-29868/](https://labs.yarix.com/2024/06/cve-2024-29868/)
- [https://github.com/alex91ar/randomstringutils/tree/master](https://github.com/alex91ar/randomstringutils/tree/master)
- [https://github.com/jhipster/generator-jhipster/issues/10401](https://github.com/jhipster/generator-jhipster/issues/10401)
- [https://cwe.mitre.org/data/definitions/338.html](https://cwe.mitre.org/data/definitions/338.html)
- [https://commons.apache.org/proper/commons-lang/apidocs/org/apache/commons/lang3/RandomStringUtils.html](https://commons.apache.org/proper/commons-lang/apidocs/org/apache/commons/lang3/RandomStringUtils.html)
- [https://docs.oracle.com/javase/8/docs/api/java/util/Random.html](https://docs.oracle.com/javase/8/docs/api/java/util/Random.html)
[4.0K] /data/pocs/08f8821817dd6189ee4278cdd7b7b40179b81b02
├── [1.4M] cover.png
├── [4.0K] detection
│ ├── [1.1K] apache-streampipes-detect.yaml
│ ├── [2.0K] CVE-2024-29868.yaml
│ ├── [4.0K] img
│ │ └── [ 63K] 01-Template_output.png
│ └── [ 950] README.md
├── [4.0K] exploitation
│ ├── [9.7K] crack.c
│ ├── [4.0K] img
│ │ ├── [ 68K] 01-Necessary_configuration.png
│ │ ├── [ 42K] 02-Create_new_account.png
│ │ ├── [ 45K] 03-Register_new_user.png
│ │ ├── [ 40K] 04-Use_the_forgot_password_functionality.png
│ │ ├── [ 51K] 05-Require_reset_token_for_attacker_account.png
│ │ ├── [ 60K] 06-Attacker_requested_password_reset_token.png
│ │ ├── [ 90K] 07-Compile_the_cracker.png
│ │ ├── [116K] 08-Cracked_token.png
│ │ ├── [ 52K] 09-Ask_password_reset_token_for_admin_account.png
│ │ ├── [ 59K] 10-Token_received_by_the_admin_e-mail_account.png
│ │ ├── [160K] 11-Token_predicted.png
│ │ ├── [ 44K] 12-Using_the_recovered_token_the_attacker_can_set_a_new_password_for_the_admin_account.png
│ │ └── [ 52K] Streampipes_attack_infographic.png
│ └── [2.9K] README.md
├── [4.0K] lab-setup
│ ├── [3.8K] docker-compose.yml
│ ├── [4.0K] img
│ │ ├── [ 82K] 01-Select_configuration_option.png
│ │ ├── [ 76K] 02-Select_the_mail_option.png
│ │ ├── [ 54K] 03-Mailserver_configuration.png
│ │ └── [ 59K] 04-General_configuration.png
│ └── [1.4K] README.md
└── [2.4K] README.md
6 directories, 27 files