Summary
Malicious clients can construct OAuth2 credentials with permanent validity.
Affected component
OAuth2 filter
Details
Malicious client is able to construct credentials with permanent validity in some specific scenario. This is caused by some rare scenarios in which HMAC payload can be always valid in OAuth2 filter's check.
PoC
If the virtual host is configured with domains: ["*"], a user can put anything in the HOST header while logging in and going through the OAuth2 flow.
If the client sets the host header with a port like 13518, it is still able to go through the OAuth2 login flow. Even though the client will be redirected to e.g. example.com:13518/ at the very end of the flow, Envoy will still issue the cookies and a valid signature to the client based on the given host header like example.com:13518.
At this point, the correct signature is computed like this:
signature = hmac("example.com:13518" + "1668386659" + "ya29.a0AeTM1icl..." + ...)Now, the malicious client can change their HOST header override and remove numbers from the port section and instead add them at the start of the OauthExpires cookie.
When Envoy gets the request, it will compute a signature like:
signature = hmac("example.com:1" + "35181668386659" + "ya29.a0AeTM1icl..." + ...)This leads to an identical signature to the signature considered valid.
Once the HMAC validation passes, Envoy will read the OauthExpires value as 35181668386659 which instead of seconds since epoch is interpreted as milliseconds since epoch.
For this example, the expiration time as interpreted by Envoy, will be in the year 3084.
Using this methodology, the attacker is able to gain permanent access until the HMAC secret in Envoy is rotated.
Attack Vectors
Malicious clients construct bad credentials.
Impact
Negative impacts on the security and integrity of the service.
Mitigation
Avoid wildcards/prefix domain wildcards in host's domain configuration.
Credits
Erik Engberg ejohansson@spotify.com
Summary
Malicious clients can construct OAuth2 credentials with permanent validity.
Affected component
OAuth2 filter
Details
Malicious client is able to construct credentials with permanent validity in some specific scenario. This is caused by some rare scenarios in which HMAC payload can be always valid in OAuth2 filter's check.
PoC
If the virtual host is configured with domains:
["*"], a user can put anything in theHOSTheader while logging in and going through the OAuth2 flow.If the client sets the host header with a port like
13518, it is still able to go through the OAuth2 login flow. Even though the client will be redirected to e.g.example.com:13518/at the very end of the flow, Envoy will still issue the cookies and a valid signature to the client based on the given host header likeexample.com:13518.At this point, the correct signature is computed like this:
Now, the malicious client can change their
HOSTheader override and remove numbers from the port section and instead add them at the start of theOauthExpirescookie.When Envoy gets the request, it will compute a signature like:
This leads to an identical signature to the signature considered valid.
Once the HMAC validation passes, Envoy will read the
OauthExpiresvalue as35181668386659which instead of seconds since epoch is interpreted as milliseconds since epoch.For this example, the expiration time as interpreted by Envoy, will be in the year 3084.
Using this methodology, the attacker is able to gain permanent access until the HMAC secret in Envoy is rotated.
Attack Vectors
Malicious clients construct bad credentials.
Impact
Negative impacts on the security and integrity of the service.
Mitigation
Avoid wildcards/prefix domain wildcards in host's domain configuration.
Credits
Erik Engberg ejohansson@spotify.com