Nuclei flaw lets malicious templates bypass signature verification


A now-fixed vulnerability in the open-source vulnerability scanner Nuclei could potentially allow attackers to bypass signature verification while sneaking malicious code into templates that execute on local systems.

Nuclei is a popular open-source vulnerability scanner created by ProjectDiscovery that scans websites for vulnerabilities and other weaknesses.

The project utilizes a template-based scanning system of over 10,000 YAML templates that scan websites for known vulnerabilities, misconfigurations, exposed configuration files, webshells, and backdoors.

The YAML templates also support a code protocol that can execute commands or scripts locally on a device, extending the functionality of a template.

Each template is “signed” with a digest hash that Nuclei uses to verify that the template has not been modified to include malicious code.

This digest hash is added to the bottom of templates in the form of:

# digest: <hash>

Flaw bypasses Nuclei signature verification

Researchers at Wiz discovered a new Nuclei vulnerability, tracked as CVE-2024-43405, that lets a template pass Nuclei’s signature verification even if it has been modified to include malicious code.

The flaw stems from a mismatch between Nuclei’s Go regex-based signature verification and how the YAML parser handles line breaks.

When verifying a signature, Go’s verification logic treats \r as part of the same line. However, the YAML parser interprets it as a line break. This mismatch allows attackers to inject malicious content that bypasses verification but is still executed when processed by the YAML parser.

Another issue is how Nuclei handles multiple # digest: signature lines, as the process only checks the first occurrence of # digest: in a template, ignoring any additional ones found later in the template.

This can be exploited by adding additional malicious “# digest:” payloads after the initial valid digest that contain a malicious “code” section, which is then injected and executed when the template is used.

“Armed with the insights about mismatched newline interpretations, we crafted a template that exploits the disparity between Go’s regex implementation and the YAML parser,” explains Wiz researcher Guy Goldenberg.

“By using \r as a line break, we can include a second # digest: line in the template that evades the signature verification process but gets parsed and executed by the YAML interpreter.”

Example of how the different parsers parse a Nuclei template
Source: Wiz
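
A pre-use check for the two conditions described above (a bare \r line break and more than one # digest: line), written in Go as an added example. It is not Nuclei's or Wiz's code; the Audit helper, the regex and the sample templates are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// digestLine matches a "# digest: <hash>" comment at the start of a line.
var digestLine = regexp.MustCompile(`^#\s*digest:\s*\S+`)

// yamlBreaks rewrites every line break a YAML parser honors to "\n".
var yamlBreaks = strings.NewReplacer("\r\n", "\n", "\r", "\n")

// countDigests counts digest comment lines among the given lines.
func countDigests(lines []string) int {
	n := 0
	for _, l := range lines {
		if digestLine.MatchString(l) {
			n++
		}
	}
	return n
}

// Audit (hypothetical helper) lists reasons to reject a template before use.
func Audit(tpl string) []string {
	var findings []string
	lfView := strings.Split(tpl, "\n") // a bare "\r" stays inside the line
	yamlView := strings.Split(yamlBreaks.Replace(tpl), "\n")
	if strings.Contains(strings.ReplaceAll(tpl, "\r\n", ""), "\r") {
		findings = append(findings, "bare carriage return")
	}
	if countDigests(lfView) != countDigests(yamlView) {
		findings = append(findings, "digest line hidden from LF-only view")
	}
	if countDigests(yamlView) > 1 {
		findings = append(findings, "multiple digest lines")
	}
	return findings
}

func main() {
	// Constructed samples; the hash values are placeholders.
	clean := "id: demo\ninfo:\n  name: demo\n# digest: aaaa\n"
	odd := "id: demo\n# digest: aaaa\r# digest: bbbb\n"
	fmt.Println(Audit(clean), Audit(odd))
}
```

Running this over third-party templates before they reach the scanner complements, and does not replace, updating to the fixed release.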

Wiz responsibly disclosed the flaw to ProjectDiscovery on August 14, 2024, and it was fixed in Nuclei v3.3.2 on September 4.

If you are using older versions of Nuclei, it is strongly advised that you update to the latest version now that the technical details for this bug have been publicly disclosed.

Goldenberg also recommends that Nuclei be used in a virtual machine or isolated environment to prevent potential exploitation from malicious templates.
