NATS Server - Enumeration

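Vulnerability Information

Vulnerability name: NATS Server - Enumeration

Vulnerability type: Information disclosure

Severity: Medium

Description: NATS Server is a high-performance messaging system designed for cloud-native applications, distributed systems, and microservice architectures, providing lightweight publish-subscribe and queue messaging. It is widely used in enterprise services, particularly where high-throughput, low-latency messaging is required. This is an information disclosure issue: because the NATS Server's configuration information is not adequately protected, an attacker can send a specific request to obtain detailed server configuration information, including the server ID, version, cluster information, and authentication settings. This disclosure may give an attacker leads for further attacks, such as exploiting known vulnerabilities or bypassing authentication. Although the issue does not by itself lead to remote code execution or service disruption, the exposed sensitive information may be used to plan more complex attacks. Exploitation requires no authentication and can be automated, which increases the risk of malicious use.

Vendor: nats-io

Product name: NATS Server

Search syntax: product:"NATS Server"

Source: https://github.com/projectdiscovery/nuclei-templates/blob/daaadb83bc8fec0050f505f9e5cdbc3147aa0035/network%2Fenumeration%2Fnats-server-enum.yaml

Type: projectdiscovery/nuclei-templates:github issues

PoC Details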


id: nats-server-enum

info:
  name: NATS Server - Enumeration
  author: pussycat0x
  severity: info
  description: |
    Detects and extracts detailed information from NATS (Neural Autonomic Transport System) servers.
    This template connects to NATS servers and retrieves server configuration details including
    server ID, version, cluster information, authentication settings, and other server properties.
    Useful for network enumeration and security assessment of NATS messaging infrastructure.
  impact: |
    Exposure of NATS server information can reveal system configuration, version details, and authentication requirements that may aid in further reconnaissance or exploitation.
  remediation: |
    Ensure NATS servers are properly configured with authentication, access controls, and are not exposed to untrusted networks unless necessary.
  reference:
    - https://docs.nats.io/
    - https://github.com/nats-io/nats-server
  metadata:
    verified: true
    shodan-query: product:"NATS Server"
    max-request: 1
  tags: js,network,nats,tcp,enum

javascript:
  - pre-condition: |
      isPortOpen(Host,Port);
    code: |
      let packet = bytes.NewBuffer();
      let prob = "\n"
      data = packet.Write(prob)
      const c = require("nuclei/net");
      let conn = c.Open('tcp', `${Host}:${Port}`);
      conn.Send(data);
      let resp = conn.RecvFullString();

      // Extract JSON from the response (between INFO and the error message)
      let jsonStart = resp.indexOf('{');
      let jsonEnd = resp.lastIndexOf('}') + 1;
      let jsonStr = resp.substring(jsonStart, jsonEnd);

      try {
        let natsInfo = JSON.parse(jsonStr);
        let formatted = `NATS Server: Server ID: ${natsInfo.server_id} Server Name: ${natsInfo.server_name} Version: ${natsInfo.version} Proto: ${natsInfo.proto} Git Commit: ${natsInfo.git_commit} Go: ${natsInfo.go} Host: ${natsInfo.host} Port: ${natsInfo.port} Headers: ${natsInfo.headers} Auth Required: ${natsInfo.auth_required} Max Payload: ${natsInfo.max_payload} Jetstream: ${natsInfo.jetstream} Client ID: ${natsInfo.client_id} Client IP: ${natsInfo.ip} Cluster: ${natsInfo.cluster} Domain: ${natsInfo.domain}`;

        if (natsInfo.compression) {
          formatted += ` Compression: ${natsInfo.compression}`;
        }
        if (natsInfo.info_on_connect) {
          formatted += ` Info On Connect: ${natsInfo.info_on_connect}`;
        }
        if (natsInfo.leafnode_urls && natsInfo.leafnode_urls.length > 0) {
          formatted += ` Leafnode URLs: ${natsInfo.leafnode_urls.join(', ')}`;
        }

        formatted;
      } catch (e) {
        resp; // Return original response if JSON parsing fails
      }

    args:
      Host: "{{Host}}"
      Port: 4222

    extractors:
      - type: dsl
        dsl:
          - response
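
A defender-side check of the same INFO banner, as an added example (not part of the nuclei template or of the original page): it parses the `INFO {json}` line a NATS server sends on connect and reports which settings leave the server exposed. The banner is constructed sample data and the function names are hypothetical; `auth_required`, `tls_required` and `connect_urls` are INFO fields from the NATS client protocol, the other field names come from the template above.

```javascript
// Added example. parseNatsInfo/auditNatsInfo are hypothetical helper names.
const IDENTITY_FIELDS = ["server_id", "server_name", "version", "go", "git_commit", "host", "cluster"];

function parseNatsInfo(banner) {
  // A NATS server greets each TCP client with one line: INFO {json}\r\n
  const line = banner.split(/\r?\n/).find((l) => /^INFO\s/i.test(l));
  if (!line) return null;
  try {
    // Parse only the INFO line, so braces in a later -ERR line cannot corrupt the JSON.
    return JSON.parse(line.replace(/^INFO\s+/i, ""));
  } catch (e) {
    return null; // truncated or non-JSON banner
  }
}

function auditNatsInfo(banner) {
  const info = parseNatsInfo(banner);
  if (info === null) return { parsed: false, disclosed: [], findings: [] };
  const findings = [];
  // Boolean fields are treated as false when absent from the banner.
  if (info.auth_required !== true) findings.push("no-auth: clients may connect without credentials");
  if (info.tls_required !== true) findings.push("no-tls: client connections are not forced onto TLS");
  const peers = [].concat(info.connect_urls || [], info.leafnode_urls || []);
  if (peers.length > 0) findings.push(`topology: ${peers.length} peer URL(s) advertised to any client`);
  // Fields every unauthenticated client can read; feed these into asset and patch tracking.
  const disclosed = IDENTITY_FIELDS.filter((k) => k in info);
  return { parsed: true, disclosed, findings };
}

// Constructed sample banner: an INFO line followed by an -ERR line.
const sampleBanner =
  'INFO {"server_id":"NEXAMPLEID","version":"2.10.0","host":"0.0.0.0","port":4222,' +
  '"max_payload":1048576,"connect_urls":["10.0.0.5:4222","10.0.0.6:4222"]}\r\n' +
  "-ERR 'Unknown Protocol Operation'\r\n";

console.log(auditNatsInfo(sampleBanner));
```

Run it against banners collected from your own NATS listeners; an empty `findings` list means the banner advertises required authentication and TLS and no peer URLs.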



http://example.com/2025/07/17/github_2881922263/
Author: lianccc
Published: July 17, 2025