Alibaba Nacos Unauthorized Account Creation Scanner

This scanner checks digital assets for the Unauthorized Account Creation issue in Alibaba Nacos. In its default configuration, Nacos authenticates users with a fixed JWT signing key, which lets an unauthorized attacker forge a token for any user identity.

Short Info

Level: High
Single Scan: Single Scan
Can be used by: Asset Owner
Estimated Time: 1 minute
Time Interval: 10 days 14 hours
Scan only one: Domain, IPv4, Subdomain
Toolbox: -

Alibaba Nacos is an open-source software used primarily by developers and enterprises for managing microservices and enabling dynamic service discovery, configuration, and management within distributed systems. It is utilized in environments where robust infrastructure is needed for cloud-native applications, helping to maintain service availability and resilience. Nacos is employed by organizations seeking to optimize resource usage, enhance application performance, and streamline developmental workflows. The platform is popular among IT departments within corporate settings for automating configurations and service management. Its features support service registry, configuration management, and dynamic DNS services for efficient scalability. Nacos is increasingly adopted across industries, from tech startups to large enterprises, for its versatility.

The Unauthorized Account Creation vulnerability in Alibaba Nacos arises when the software's default configuration uses a fixed JWT token key known openly within the community. This vulnerability permits attackers to forge authentication tokens due to the predictability of the key, allowing unauthorized access to Nacos' management interface. Such unauthorized access could lead to significant disruptions as attackers could manipulate interface functions without legitimate credentials. This vulnerability underscores the risk involved in using default configurations, particularly in open-source projects where the codebase and configuration details are publicly accessible. Organizations relying on Nacos must be aware of this security loophole, which poses a substantial threat to system integrity. Nacos users are encouraged to implement enhanced security measures to prevent unauthorized manipulations.

Technically, the vulnerability is exploitable via Nacos' endpoint where user accounts are handled. Attackers can send specially crafted HTTP requests to the endpoint, utilizing the fixed JWT token key to perform actions such as creating or deleting a user. By forging user access tokens through the known key, attackers gain unauthorized privileges on the system. The endpoint parameters involved include the username and password fields within the HTTP POST request, and authentication access is determined by the improperly secured token field. These forged requests, if successful, demonstrate Nacos' susceptibility to this form of attack. The root of the vulnerability lies in the lack of token key randomness and the static nature of the default configuration.
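As an added defender-side example (not part of this page or of the Nacos project), the script below audits a Nacos `conf/application.properties` for the two settings that govern this issue: whether authentication is enabled at all, and whether an operator-chosen token secret key of adequate length has replaced the fixed default. The property names are taken from the Nacos application.properties template and are assumptions relative to this page, which names none; the sample configurations are constructed, and the known-weak-key list is a placeholder for the operator to fill.

```python
import base64
import binascii
import re
import secrets

# Nacos reads server settings from conf/application.properties. These
# property names come from the Nacos application.properties template
# (assumption: the page itself names none). Older releases use the first
# secret-key name, 2.2+ the second.
AUTH_ENABLED_KEY = "nacos.core.auth.enabled"
TOKEN_SECRET_KEYS = (
    "nacos.core.auth.default.token.secret.key",
    "nacos.core.auth.plugin.nacos.token.secret.key",
)
# HS256 needs a 256-bit key; Nacos expects the value base64-encoded, so the
# decoded length is what counts.
MIN_KEY_BYTES = 32
# Placeholder: operator fills this with any shipped-default or published
# example keys they want flagged. Deliberately no real value here.
KNOWN_WEAK_SECRETS = {"<<known-default-or-example-key>>"}


def parse_properties(text):
    """Minimal Java .properties parser: key=value, '#'/'!' comment lines."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def audit_nacos_auth(props):
    """Return a list of findings; an empty list means the auth settings pass."""
    findings = []
    if props.get(AUTH_ENABLED_KEY, "false").lower() != "true":
        findings.append(f"{AUTH_ENABLED_KEY} is not 'true': requests are accepted without a token")
    secret = next((props[k] for k in TOKEN_SECRET_KEYS if props.get(k)), None)
    if secret is None:
        findings.append("no token secret key set: the build's fixed default key is in use")
        return findings
    if secret in KNOWN_WEAK_SECRETS:
        findings.append("token secret key matches a known default/example value")
    try:
        decoded = base64.b64decode(secret, validate=True)
    except binascii.Error:
        findings.append("token secret key is not valid base64")
        return findings
    if len(decoded) < MIN_KEY_BYTES:
        findings.append(f"token secret key decodes to {len(decoded)} bytes; need at least {MIN_KEY_BYTES}")
    return findings


def generate_secret_key(nbytes=MIN_KEY_BYTES):
    """Random, base64-encoded key suitable for the token secret setting."""
    return base64.b64encode(secrets.token_bytes(nbytes)).decode("ascii")


# Constructed sample configurations (not real deployments).
WEAK_CONFIG = """
# auth left at the shipped default, no key configured
nacos.core.auth.enabled=false
"""

SHORT_KEY_CONFIG = """
nacos.core.auth.enabled=true
nacos.core.auth.default.token.secret.key=c2hvcnQ=
"""

HARDENED_CONFIG = "nacos.core.auth.enabled=true\n" + \
    "nacos.core.auth.plugin.nacos.token.secret.key=" + \
    base64.b64encode(b"sample-key-bytes-for-the-example!!").decode("ascii") + "\n"


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("short key", SHORT_KEY_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_nacos_auth(parse_properties(cfg)) or ["ok"])
    print("replacement key:", generate_secret_key())
```

Run it against a copied `application.properties` to get a pass/fail list; a clean result still requires a restart of every Nacos node with the new key, since nodes in one cluster must share it.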

When exploited, this vulnerability can allow attackers to take control over user accounts without permission, leading to unauthorized data manipulation, system misconfigurations, or even extended control over additional IT infrastructure services managed via Alibaba Nacos. The potential impact includes disruption of services, data leaks, or injection of malicious configurations that could compromise network security. These actions can result in significant operational downtime and financial repercussions for organizations utilizing Alibaba Nacos. Moreover, exploit attempts might go unnoticed, making post-exploit recovery challenging.
