Keystone getting oauth access token by brute-forcing oauth_verifier code
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| OpenStack Identity (keystone) |
Fix Released
|
Medium
|
Matthieu Huin | ||
Bug Description
Title: Keystone getting oauth access token by brute-forcing
oauth_verifier code
Reporter: Phuong Cao
Products: openstack/keystone
Affects: keystone/master branch as of Oct 7th 2013
Description:
Phuong Cao reported a vulnerability in OAuth SQL backend of
keystone/master branch.
How does the attack work?
By creating many access token requests with oauth_verifier code selected
from the range 1000 to 9999,
an attacker can request a valid access token to a role and a project,
overriding a user who actually request access to the role and the project.
Before describing in detail how the attack works, this is how OAuth
works (summarized from RFC5849)
1. Alice registers as a consumer with the Openstack admin.
2. Alice asks the Openstack admin a token with a specified role and a
project on behalf of Bob (Bob is the owner of the project).
3. The Openstack admin returns to Alice a request token key.
4. Alice sends the request token key to Bob to ask for permissions to
access the project.
5. Bob authorizes Alice's request token to have access to the project
with the specified role.
6. Bob generates an oauth_verifier code ranging from 1000 to 9999, then
sends back to Alice an oauth_verifier code.
7. Alice use the oauth_verifier code and the request token key to ask
the Openstack admin for the access token to the project.
This is how the attack works:
At step 4, assuming an attacker can sniff Alice's request token key.
This can be done by acting as a man in the middle if Alice interacts
with Keystone using HTTP requests,
or acting as a local user to list the process arguments if Alice is
interacts with Keystone using openstack commandline tools (this case is
similar to CVE 2013-2013).
Now the attacker has Alice's request token key, he/she need to wait for
Bob to authorizes Alice's request token (step 5), then repeatedly
brute-forcing Keystone with the pair(oauth_
token key) using oauth_verifier from the range 1000 to 9999. Since the
oauth_verifier is in a short range, and Openstack/Keystone doesn't have
any mechanism to limit number of requests, the attacker can bruteforce
for the valid oauth_verifier key until the request token expires.
A more aggressive way is to keep brute-forcing Keystone until Bob
authorizes Alice's request token, by doing this the attacker will have
more chance getting the access token key before Alice.
Where are the vulnerable code locations?
Line 210 of sql.py file:
https:/
In OAuth SQL backend of keystone/master branch, the oauth_verifier code,
a fundamental part of OAuth1 protocol, is generated using random numbers
from 1000 to 9999.
This is a small range of numbers and it is easy to be guessed/
This attack is classified as "CWE-330: Use of Insufficiently Random
Values" (http://
What are the possible fixes?
We suggest using a long random string (e.g., 32-bit or 64-bit). Using
os.urandom() is a good one, it has been recommended for generating
random number for cryptographic purposes.
A patch is attached in the attached file (please note: we haven't tested
this patch).
Where is the exploit code?
We attach a snippet code that we modify from test_bad_verifier()
Keystone test case.
The snippet is a sketch of how oauth_verifier code brute-forcing can be
implemented.
What is the affected version?
The keystone/master on github as of Oct 7th 2013 is affected.
References:
Link to oauth1 file and vulnerable code location (sql.py, line #210):
https:/
CWE-330: Use of Insufficiently Random Values:
(http://
RFC5849: http://
os.urandom(): http://
OAuth in keystone tutorial:
http://
# Patch
--- /tmp/keystone/
+++ /home/vagrant/
@@ -17,6 +17,8 @@
import datetime
import random
import uuid
+import os
+import binascii
from keystone.common import sql
from keystone.common.sql import migration
@@ -207,7 +209,7 @@
- token_dict[
+ token_dict[
# Test brute force
class MaliciousOAuth1
# modified from test_bad_verifier()
def test_bruteforce
# create consumer for oauth
consumer = self._create_
consumer_id = consumer.get('id')
consumer = oauth1.
url, headers = self._create_
# get request token
content = self.post(url, headers=headers)
credentials = urlparse.
request_key = credentials.
# authorize request token
url = self._authorize
body = {'roles': [{'id': self.role_id}]}
resp = self.put(url, body=body, expected_
verifier = resp.result[
# we are not going to use received oauth_verifier here, instead, we brute-force to find the valid oauth_verifier
for i in range(1000,10000):
url, headers = self._create_
# We expect 401 status code for most of requests since most oauth_verifier code
# that we try will be invalid.
# The test will crash at the valid oauth_verifier code when returned status = 201,
# which is different from the expected 401 status.
r = self.post(url, headers=headers, expected_
# Print out oauth_verifier, and raw response request that contains access token.
if (r == 201): # We have found correct oauth_verifier code
We are looking forward hearing from you.
Thank you.
Best,
Phuong Cao
Research Assistant
DEPEND group
Coordinated Science Laboratory
University of Illinois at Urbana Champaign
Urbana, IL 61801, USA
| Phuong Cao (pcao3) wrote | #1 |
| Phuong Cao (pcao3) wrote | #2 |
| Dolph Mathews (dolph) wrote | #3 |
| Jeremy Stanley (fungi) wrote | #4 |
| Phuong Cao (pcao3) wrote | #5 |
| Steve Martinelli (stevemar) wrote | #6 |
| Changed in keystone: | |
| status: | New → Confirmed |
| Adam Young (ayoung) wrote | #7 |
| Dolph Mathews (dolph) wrote | #8 |
| Steve Martinelli (stevemar) wrote | #9 |
| Adam Young (ayoung) wrote | #10 |
| Thierry Carrez (ttx) wrote | #11 |
| Changed in ossa: | |
| status: | New → Incomplete |
| Phuong Cao (pcao3) wrote | #12 |
| Dolph Mathews (dolph) wrote | #13 |
| information type: | Private Security → Public |
| no longer affects: | ossa |
| tags: | added: security |
| tags: | added: havana-rc-potential |
| tags: |
added: havana-backport-potential removed: havana-rc-potential |
| Changed in keystone: | |
| importance: | Undecided → Medium |
| Matthieu Huin (mhu-s) wrote | #14 |
| Matthieu Huin (mhu-s) wrote | #15 |
| Dolph Mathews (dolph) wrote | #16 |
| Changed in keystone: | |
| assignee: | nobody → Matthieu Huin (mhu-s) |
| Openstack Gerrit (openstack-gerrit) wrote Fix proposed to keystone (master) | #17 |
| Changed in keystone: | |
| status: | Confirmed → In Progress |
| Openstack Gerrit (openstack-gerrit) wrote Fix merged to keystone (master) | #18 |
| Changed in keystone: | |
| status: | In Progress → Fix Committed |
| Changed in keystone: | |
| milestone: | none → juno-1 |
| status: | Fix Committed → Fix Released |
| Changed in keystone: | |
| milestone: | juno-1 → 2014.2 |
> At step 4, assuming an attacker can sniff Alice's request token key.
If you can sniff for this, then you can also sniff for access tokens or just regular tokens, so I don't see this as imminently exploitable and I think this can be opened publicly.
The intent of the short OAuth verifier codes is to make it easy for Alice to type them manually, in case they are delivered to Alice via an alternative transport, such as SMS or a paper napkin. 32 bytes of entropy encoded in hex makes for a poor user experience in that scenario...
I'm happy to see the entropy increased here for Havana (perhaps we can also make it configurable?), but I don't want to require Alice to type a 32 character string (by default). Using 4 bytes of entropy instead of 32 (rendering 8 character hex strings) would produce 4,294,967,296 possible values instead of the existing 8999, which I think is sufficient to close this as an attractive attack vector.
In the future, we can pursue encoding with a higher base (for example, using base 36) but produce the same encoded string length, thus increasing the entropy further. Alternatively, we can disable request tokens after they've failed one or more verification attempts.