ging / fiware-idm

OAuth 2.0-based authentication of users and devices, user profile management, Single Sign-On (SSO) and Identity Federation across multiple administration domains.
https://keyrock-fiware.github.io
MIT License

vulnerabilities detected. #353

Open AliIbnIbrahim opened 6 months ago

AliIbnIbrahim commented 6 months ago

FIWARE's QA team has discovered some vulnerabilities:

  1. Command injection in application
    • In file "lib/app_certificates.js" there is a command execution that invokes "openssl". By modifying the application name, it is possible to inject malicious commands through the unvalidated, user-controlled "application.name" variable.
    • By adding an application as an authenticated user, it is possible to inject a command using a forged application name:
      1. Add a new app in the Application menu.
      2. Add the injection string in the name field of the Application Information form.
      3. Use OpenID to execute the vulnerable function.
    • As soon as the form is sent to the server, the injected command is executed. To confirm that the injected command is executed, a test command creates a file; the file system then contains the files created by the malicious command.
  2. Command injection in organisation name
    • In file "controllers/sam2/sam2.js" there is a command execution that invokes "openssl". By modifying the organisation name, it is possible to inject malicious commands. (This vulnerability is very similar to the previous one with the application name.)
  3. Manipulate passwords of any user
    • The algorithm that is used to create the password reset token is predictable. An attacker could predict the "random" numbers and reset the password of any user. An attacker could sign up as a user and press the password reset button to receive 10-20 different password reset tokens. Using these tokens, the randomly generated values can be calculated. Having the original random numbers, the attacker could feed them (10-20) to the v8-randomness-predictor (https://github.com/PwnFunction/v8-randomness-predictor) to calculate the next future random number. Using this number the attacker could reset ANY password. For further information on how to predict the future of Math.random() please see the following YouTube video: https://www.youtube.com/watch?v=-h_rj2-HP2E
  4. Activate any new user
    • The algorithm that is used to create the activation token for a user is predictable. An attacker could predict multiple future "random" numbers and activate any new user. An authenticated non-admin user can create multiple password reset tokens, predict multiple future random keys and use them to activate new users. For further information see "Manipulate passwords of any user".
  5. Deactivate 2-factor auth of any user
    • The algorithm that is used to create the disable_2fa_key is predictable. An attacker could predict the "random" numbers and disable the two-factor authentication of any user. It appears the endpoints to send the disable 2FA and deactivate 2FA functions are both unauthenticated. An authenticated non-admin user can create multiple password reset tokens, predict multiple future random keys and use them to disable the two-factor auth of any user. For further information see "Manipulate passwords of any user".