## https://sploitus.com/exploit?id=45BBBC2B-9CBB-526E-B3BD-FA329E23116B
## Introduction
The Nacos Derby command execution vulnerability is exploited with a script that typically uses the User-Agent header to bypass the default access control. Nacos is an open-source platform for service registration, discovery, and configuration management. In early versions (≤2.4.0-BETA), Nacos integrated Apache Derby as its embedded database by default. Because the Derby database has no access control configured by default, attackers can reach specific interfaces without authorization and execute arbitrary SQL statements, which leads to remote command execution.

**Vulnerability mechanism:**

1. **Unauthorized access:** In the default configuration, the Derby database interface of Nacos has no access control, so anyone can reach it.
2. **SQL injection:** Attackers send malicious SQL queries to the Derby interface of Nacos through specific HTTP requests. For example, accessing the following URL:

   ```
   http://:8848/nacos/v1/cs/ops/derby?sql=select * from users
   ```

   This returns all rows of the user table.
3. **Remote command execution:** More seriously, attackers can abuse Derby features to execute arbitrary code through SQL statements, for example by using the `CALL` statement to load a malicious JAR file and run its contents, thereby executing arbitrary commands on the victim's server.

**Remediation measures:**

- **Upgrade Nacos:** The vulnerability is fixed in the latest official release; upgrade Nacos to the latest version.
- **Disable Derby interfaces:** If you do not use the embedded database, disable the Derby interfaces to prevent unauthorized access.
- **Enable authentication:** Configure the authentication mechanisms of Nacos so that only authorized users can access the relevant interfaces.

Exploiting this vulnerability can lead to data leaks, service interruption, or even complete control of the server, resulting in significant harm. Affected users are therefore strongly advised to apply the above measures as soon as possible.

## POC/EXP – Usage
```
nacos_derby_rce.py [-h] -u URL [-a TOKEN]
```
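As an added defender-side example (not part of the original page or of the exploit script above), the following Python scans web-server access-log lines for requests to the Derby ops endpoint described in the vulnerability mechanism and rates each hit by the SQL verb it carries, so that `CALL` statements (the code-execution path) stand out from plain reads. The combined log format and the sample lines are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined log format) for illustration only.
SAMPLE_LOG = """\
203.0.113.7 - - [10/May/2024:12:00:01 +0000] "GET /nacos/v1/cs/ops/derby?sql=select+*+from+users HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.7 - - [10/May/2024:12:00:02 +0000] "GET /nacos/v1/cs/ops/derby?sql=CALL+PLACEHOLDER_PROC() HTTP/1.1" 200 12 "-" "python-requests/2.31"
198.51.100.4 - - [10/May/2024:12:00:03 +0000] "GET /nacos/v1/ns/instance/list?serviceName=demo HTTP/1.1" 200 220 "-" "Mozilla/5.0"
"""

# Combined log format: client, identd, user, timestamp, request line, status, size, referer, user-agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
DERBY_PATH = "/nacos/v1/cs/ops/derby"  # endpoint named on the page


def classify_sql(sql):
    """Rate a Derby statement: CALL can load and run code, data verbs read or modify rows."""
    tokens = sql.strip().split(None, 1)
    first = tokens[0].upper() if tokens else ""
    if first == "CALL":
        return "critical"
    if first in ("SELECT", "INSERT", "UPDATE", "DELETE", "CREATE", "DROP"):
        return "high"
    return "medium"  # any reachable query on this endpoint is still worth review


def scan_log(text):
    """Return one finding per request that reaches the Derby ops endpoint."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if parts.path != DERBY_PATH:
            continue
        # parse_qs turns '+' into spaces and percent-decodes the statement.
        sql = parse_qs(parts.query).get("sql", [""])[0]
        findings.append({
            "ip": m.group("ip"),
            "ua": m.group("ua"),          # keep the UA: the bypass relies on this header
            "status": int(m.group("status")),
            "sql": sql,
            "severity": classify_sql(sql),
        })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["severity"], f["ip"], f["status"], repr(f["sql"]), f["ua"])
```

A 200 response on this endpoint from an address that is not a Nacos cluster member is the signal to act on; the severity only orders the triage.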