How to Protect Against Django Vulnerabilities Using KubeArmor in a VM Workload


Django is a flexible framework for developing web applications. Some of its vulnerabilities can be addressed using KubeArmor. We will see what those vulnerabilities are, deploy the application in our virtual machine and protect it using KubeArmor.

What’s the CVE about?

The CVEs that commonly affect the Django framework involve account hijacking, directory traversal, misuse of built-in functions, etc. We will look at the issue known as "Potential account hijack via password reset form" in Django, which lets an attacker change the password of an existing user to an arbitrary value. A suitably crafted email address that is equal to an existing user's email address after case transformation of Unicode characters would allow an attacker to receive a password reset token for the matched user account. The affected versions are Django 3.0, 2.2 and 1.11.
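To make the case-transformation problem concrete, here is an added example (not code from the original post or the PoC repository) in plain Python. It simulates an UPPER()-style case-insensitive email lookup beside the NFKC-normalise-and-casefold comparison that Django's fix for this CVE introduced as a second, Python-side check; the user table and the two addresses are constructed for the example.

```python
import unicodedata

# Constructed sample user table for this example (username -> stored email).
USERS = {"mike123": "mike@example.com"}

VICTIM_EMAIL = "mike@example.com"
# Look-alike address built from U+0131 (LATIN SMALL LETTER DOTLESS I):
# upper-casing it yields "I", so an UPPER()-style match treats it as "mike".
LOOKALIKE_EMAIL = "m\u0131ke@example.com"


def db_iexact_match(candidate: str, stored: str) -> bool:
    """Approximates a case-insensitive database lookup (UPPER(a) = UPPER(b))."""
    return candidate.upper() == stored.upper()


def unicode_ci_compare(s1: str, s2: str) -> bool:
    """NFKC-normalise, then casefold both sides; dotless i no longer folds to i."""
    return (unicodedata.normalize("NFKC", s1).casefold()
            == unicodedata.normalize("NFKC", s2).casefold())


def vulnerable_lookup(email: str) -> list:
    """Pre-fix behaviour: every iexact hit would receive a reset token."""
    return [u for u, stored in USERS.items() if db_iexact_match(email, stored)]


def hardened_lookup(email: str) -> list:
    """Post-fix behaviour: keep the DB lookup, then re-check the match in Python."""
    return [u for u, stored in USERS.items()
            if db_iexact_match(email, stored) and unicode_ci_compare(email, stored)]


if __name__ == "__main__":
    print("vulnerable:", vulnerable_lookup(LOOKALIKE_EMAIL))  # ['mike123']
    print("hardened:  ", hardened_lookup(LOOKALIKE_EMAIL))    # []
```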

Application Deployment

First, we will be deploying the Django vulnerable application. Just follow the steps given below.

To install KubeArmor in a VM, please follow the steps given here.

[ I have used Debian 11 to install KubeArmor]

1. Clone this repo

git clone https://github.com/tamilmaran-7/django_cve_2019_19844_poc.git

2. Follow the instructions on GitHub and install the prerequisites needed to run the application.

3. Before running the application, let us apply a sample policy.

# KubeArmor is an open source software that enables you to protect your cloud workload at run-time.
# To learn more about KubeArmor visit:
# https://www.accuknox.com/kubearmor/
apiVersion: security.kubearmor.com/v1
kind: KubeArmorHostPolicy
metadata:
  name: hsp-django-cve-2019_19844
spec:
  tags: ["Django", "CVE", "VM", "2019_19844", "Password-Reset"]
  message: "Alert Password Reset Function is used"
  file:
    severity: 2
    matchPaths:
      - path: /django_cve_2019_19844_poc/accounts/urls.py
      - path: /django_cve_2019_19844_poc/accounts/views.py
    matchDirectories:
      - dir: /django_cve_2019_19844_poc/accounts/
      - dir: /django_cve_2019_19844_poc/django_cve_2019_19844_poc/
    action: Audit

4. Save the sample policy as django-cve-2019-19844.yaml. To apply the policy, copy and paste the following command into your terminal.

karmor vm policy add django-cve-2019-19844.yaml

5. Once the policy is applied, let us run the application.

[email protected]:~$:~/django_cve_2019_19844_poc$ ./manage.py runserver
Watching for file changes with StatReloader
Performing system checks...

System check identified no issues (0 silenced).
December 28, 2021 - 11:09:22
Django version 4.0, using settings 'django_cve_2019_19844_poc.settings'
Starting development server at http://127.0.0.1:8000/
Quit the server with CONTROL-C.

6. Now open http://127.0.0.1:8000/accounts/password-reset/ in your browser. You will see a password reset text box. Enter [email protected] [the attacker's email] and click the send button. A "password reset done" message will then be shown in your browser, as you can see below.

7. Check your terminal: the password has been reset and we are able to log in as the mike123 user. [An email is sent to mı[email protected] (the attacker's email address)], so the mike123 user's password could be changed without permission.

[28/Dec/2021 16:45:19] "GET /favicon.ico HTTP/1.1" 404 2100
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit [email protected]
Subject: Password Reset
From: [email protected]
To: [email protected]
Open this url with browser
Date: Tue, 28 Dec 2021 17:08:15 -0000
Message-ID: <[email protected]om>
Password Reset URL: http://12

As shown above, we receive the password reset URL.

8. KubeArmor audits the file accesses the application makes and provides us with logs. Let's see how we can access those logs. Copy and paste the following command into your terminal.

karmor log --json
[email protected]:~$ karmor log --json
gRPC server: localhost:32767
Created a gRPC client (localhost:32767)
Checked the liveness of the gRPC server
Started to watch alerts
{
  "Timestamp": 1640694561,
  "UpdatedTime": "2021-12-28T12:29:21.299697Z",
  "ClusterName": "Default",
  "HostName": "instance-2",
  "HostPID": 58039,
  "PPID": 58038,
  "PID": 58039,
  "UID": 1000,
  "PolicyName": "hsp-django-cve-2019_19844",
  "Severity": "0",
  "Type": "MatchedHostPolicy",
  "Source": "python",
  "Operation": "File",
  "Resource": "/home/tamilmaran375/django_cve_2019_19844_poc/accounts/templates/mails/password_reset",
  "Data": "syscall=SYS_OPENAT fd=-100 flags=/home/tamilmaran375/django_cve_2019_19844_poc/accounts/templates/mails/password_reset",
  "Result": "Passed"
}
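Reading that stream by eye does not scale, so here is an added example (not from the original post or from KubeArmor itself) that parses the concatenated, pretty-printed JSON objects that karmor log --json emits and picks out the alerts raised by the Django policy above. The two sample alerts are constructed for the example, the first modelled on the one shown; with action: Audit the Result stays "Passed", meaning the access was allowed and only reported.

```python
import json

# Constructed sample of `karmor log --json` output: one alert from the Django
# policy (modelled on the one above) and one unrelated alert from another policy.
SAMPLE_LOG = """
{
  "Timestamp": 1640694561,
  "HostName": "instance-2",
  "PID": 58039,
  "UID": 1000,
  "PolicyName": "hsp-django-cve-2019_19844",
  "Type": "MatchedHostPolicy",
  "Source": "python",
  "Operation": "File",
  "Resource": "/home/tamilmaran375/django_cve_2019_19844_poc/accounts/templates/mails/password_reset",
  "Result": "Passed"
}
{"Timestamp": 1640694562, "HostName": "instance-2", "PID": 58039, "UID": 1000,
 "PolicyName": "hsp-other", "Type": "MatchedHostPolicy", "Source": "python",
 "Operation": "File", "Resource": "/etc/hosts", "Result": "Passed"}
"""

DJANGO_POLICY = "hsp-django-cve-2019_19844"


def iter_alerts(text: str):
    """Yield each JSON object from a stream of back-to-back objects."""
    decoder = json.JSONDecoder()
    pos = 0
    while pos < len(text):
        while pos < len(text) and text[pos].isspace():  # raw_decode rejects leading whitespace
            pos += 1
        if pos >= len(text):
            break
        obj, pos = decoder.raw_decode(text, pos)
        yield obj


def password_reset_hits(text: str, policy: str = DJANGO_POLICY) -> list:
    """Return (Source, Resource, Result) for alerts raised by the given host policy."""
    return [(a["Source"], a["Resource"], a["Result"])
            for a in iter_alerts(text)
            if a.get("Type") == "MatchedHostPolicy" and a.get("PolicyName") == policy]


if __name__ == "__main__":
    for source, resource, result in password_reset_hits(SAMPLE_LOG):
        print(f"{source} touched {resource} (Result={result})")
```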

Conclusion

In this post, we have seen how the password reset function in the Django framework can be misused by unauthorized users to reset the password of a targeted user.

Constant monitoring of your applications is the best way to check whether your application is being accessed maliciously and whether its built-in functions are working as expected.

KubeArmor is open-source software that enables you to protect your workloads at run time. To learn more, check out the links given below.

KubeArmor Website: https://kubearmor.com/

KubeArmor GitHub: https://github.com/kubearmor/KubeArmor
