Closed Bug 1253795 Opened 10 years ago Closed 10 years ago

Authentication bypass vulnerability in mod_authnz_persona

Categories

(Cloud Services :: Server: Identity, defect)

defect
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: rfkelly, Assigned: rfkelly)

References

Details

(Keywords: sec-critical, wsec-authentication)

Attachments

(1 file, 1 obsolete file)

I was able to gain unauthorized access to the production Cloud Services kibana dashboards at [1] by passing a carefully crafted BrowserID assertion to mod_authnz_persona. A proof-of-concept exploit script is attached.

The technique builds on the permissive data-validation rules of the persona verifier identified in Bug 1253495, using them to pass strings with embedded NULL bytes into the C code for mod_authnz_persona. If I send a BrowserID assertion for an email like the following:

"rfkelly@mozilla.com\x00\n@mocker.dev.lcip.org"

Then the hosted persona verifier will verify it and return the full email as above. But mod_authnz_persona will truncate this value at the NULL byte and record the email address as "rfkelly@mozilla.com", a user who is allowed access to the site.

AFAICT, any site protected by the "Require valid-user" or "Require user" directives of mod_authnz_persona would be similarly vulnerable. I was not able to extend the technique to bypass the "Require persona-idp" directive, which checks against the returned issuer rather than the email address (and which I believe we use in several places to restrict access to @mozilla.com users).

The most immediate fix will be to ship some variant of the tightened data validation proposed in Bug 1253495, so that the verifier will reject such assertions before any relier code ever sees them. I'm not sure if we should take any further steps in the mod_authnz_persona source code itself. Either way, I feel like this one deserves a proper security disclosure and public statement etc once the fix is rolled out.

[1] https://kibana.fxa.us-west-2.prod.mozaws.net
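As an added illustration (not code from mod_authnz_persona, nor the patch discussed in this bug), the following C snippet shows the failure mode described in the comment above and one relier-side check that closes it: the verifier's response is handled with an explicit byte length rather than as a NUL-terminated C string, and any value containing a NUL byte, a control or whitespace character, or anything other than a single local@domain address is rejected before it is compared against a "Require user" list. The function names, the rule set and the sample buffers (modelled on the address quoted in the report) are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Length a naive strlen()-style consumer would see for a verifier-supplied
 * buffer: everything after an embedded NUL byte silently disappears. This is
 * the truncation that turns the crafted address into "rfkelly@mozilla.com". */
size_t truncated_length(const char *buf, size_t len)
{
    const char *nul = memchr(buf, '\0', len);
    return nul ? (size_t)(nul - buf) : len;
}

/* Hypothetical relier-side validator (not mod_authnz_persona's own code).
 * The email is taken with the byte length reported by the JSON parser and
 * accepted (return 1) only if it contains no NUL byte, no control or
 * whitespace character, and exactly one '@' with text on both sides. */
int persona_email_is_safe(const char *buf, size_t len)
{
    size_t at_count = 0;

    if (buf == NULL || len == 0)
        return 0;
    /* An embedded NUL means the C string and the verified string differ. */
    if (memchr(buf, '\0', len) != NULL)
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)buf[i];
        if (c <= 0x20 || c == 0x7f)   /* \n, \r, \t, space, other controls */
            return 0;
        if (c == '@')
            at_count++;
    }
    if (at_count != 1 || buf[0] == '@' || buf[len - 1] == '@')
        return 0;
    return 1;
}

/* Constructed sample buffers, modelled on the assertion described in this bug.
 * sizeof() keeps the embedded NUL; strlen() would stop at it. */
static const char crafted[] = "rfkelly@mozilla.com\0\n@mocker.dev.lcip.org";
static const char benign[]  = "rfkelly@mozilla.com";
#define CRAFTED_LEN (sizeof(crafted) - 1)
#define BENIGN_LEN  (sizeof(benign) - 1)

size_t crafted_verified_length(void)  { return CRAFTED_LEN; }
size_t crafted_truncated_length(void) { return truncated_length(crafted, CRAFTED_LEN); }
int    crafted_is_safe(void)          { return persona_email_is_safe(crafted, CRAFTED_LEN); }
int    benign_is_safe(void)           { return persona_email_is_safe(benign, BENIGN_LEN); }

int main(void)
{
    printf("verified length %zu, strlen-visible length %zu\n",
           crafted_verified_length(), crafted_truncated_length());
    printf("crafted accepted: %d, benign accepted: %d\n",
           crafted_is_safe(), benign_is_safe());
    return 0;
}
```

The point of carrying the length explicitly is that the comparison against the allowed-user list then operates on the same bytes the verifier actually vouched for; a check that only calls strlen() on the decoded value cannot tell the crafted buffer from the benign one.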
(updating test script because the previous version was using a locally-running verifier instance rather than the one on login.persona.org)
Attachment #8727026 - Attachment is obsolete: true
CC-ing security council for information. Ryan has a patch being deployed in staging right now. Production will follow, hopefully tonight.
Assignee: nobody → rfkelly
Status: NEW → ASSIGNED
The patch has been deployed to production, but is not yet public, due to concerns that other vulnerabilities of the same type may be present in Persona or FxA. Work continues in bug 1253495.
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Group: cloud-services-security