This issue became known in the community when Dependo published a blog post about it together with a proof-of-concept (PoC). To bypass the authorization flow, you must control the user’s key and send arbitrary data through it. You don’t have to be a hacker. All you have to do is find out what the user is authorized to do and trick the system into doing it. In most cases, this can be done by adding a special piece of data to the request that the server will then act upon.
Where does the authorization request to Keycloak come from?
The authorization request to Keycloak comes from the following places:
- AuthorizationRequest.java in the org.jpop.framework package
- AuthorizationRequestImpl.java in the org.jpop.framework package
- AuthenticationControllerImpl.java in org.jpop
- The JAX-WS endpoint that is created when you create a web service with the WebServiceGenerator application plugin
What is Authorization By Default?
Authorization by default is a common practice that helps to protect against unauthorized access by users. It asks for permission to perform an action before performing it and only allows the user to do what they are authorized to do. This way, if someone tries to use your account for something untoward, they won’t be able to, because the account will have been locked.
The way this works is by adding a special piece of data to the request that the server will then act upon. For example, you could add a "User ID" or "Access Token" variable to the request that would help identify the user and let them do what they are authorized to do. The server then acts on this special piece of data without checking any other information or verifying that it was sent by the right person.
This issue is an authorization byte overflow vulnerability. By sending a special piece of data to the server, you can trick it into doing something that would normally not be allowed.
The Authorization Bytes are a string of bytes used for authorizing requests and determining access rights. When a user logs in, their key is used to encrypt this string of bytes and send it back to the server. However, there is no length check before the data is sent. If this special extra piece of data is added to the Authorization Bytes, it causes an overflow and overwrites other parts of the request with the attacker’s arbitrary data.
How does it work?
The user sends a request to the server for an API key. The server sends back a temporary authorization code and returns the API key. The user then uses this code to send arbitrary data through the key. This works because the server doesn’t verify that the data came from the requesting user; it simply acts on it as if it were authorized and valid.
If you want to see how this works in action, check out Dependo’s blog post on this issue.