| Identifier | AIT-SA-20240514-01 |
| Target | FIWARE Keyrock |
| Vendor | FIWARE |
| Version | all versions including 8.4 |
| CVE | CVE-2024-42163 |
| Accessibility | Remote |
| Severity | Medium (8.3) |
| Author | Wolfgang Hotwagner (AIT Austrian Institute of Technology) |
Summary
Insufficiently random values used to generate the password reset token in all versions of FIWARE Keyrock, including version 8.4, allow an attacker to take over any user's account by predicting the token in the password reset link.
Proof of Concept
The algorithm used to create the password reset token is predictable: an attacker can predict the "random" numbers and reset the password of any user.
An attacker could sign up as a user and trigger the password reset 10 to 20 times to receive that many password reset tokens. From these tokens, the underlying random values can be recovered with the following Node.js code:
```javascript
// Parse a string of the form "iPart.fPart" written in the given radix back
// into a JavaScript number.
function parseFloatInBase(n, radix) {
  var nums = n.split(".");
  // get the part before the decimal point
  var iPart = parseInt(nums[0], radix);
  // get the part after the decimal point, scaled by radix^(number of digits)
  var fPart = parseInt(nums[1], radix) / Math.pow(radix, nums[1].length);
  return iPart + fPart;
}

// Mimic the token construction: render Math.random() in base 36 and drop
// the leading "0.".
var some = Math.random();
var crypto = some.toString(36).substr(2);
console.log(some);
console.log(some.toString(36));
console.log(crypto);

// Revert the construction: put the "0." back and parse in base 36.
var back = "0." + crypto;
console.log(back);
console.log(parseFloatInBase(back, 36));
```
A sample output illustrating that toString(36).substr(2) can be reverted:
Having recovered the original random numbers (10 to 20 of them), the attacker can feed them to the v8-randomness-predictor to calculate the next random number. With this number the attacker is able to reset the password of any user.
For further information on predicting future Math.random() output, see the following YouTube video: https://www.youtube.com/watch?v=-h_rj2-HP2E.
Vulnerable Versions
All versions including 8.4 are affected.
Tested Versions
FIWARE Keyrock 8.4
Impact
An attacker could register a new user and use that user's password reset tokens to predict the next random number. With the predicted number the attacker may be able to reset the password of, and take over the account of, any user.
Mitigation
Currently (August 12th, 2024) there is no known mitigation.
Vendor Contact Timeline
| 2023-12-19 | Initial contact with FIWARE |
| 2024-03-01 | Asked again about the status |
| 2024-08-12 | Public disclosure |
Advisory URL
https://pentest.ait.ac.at/security-advisory/fiware-keyrock-manipulate-passwords-of-any-user/