Improper Authorization in gogs/gogs

Valid

Reported on

Mar 6th 2022


Description

When Gogs is build and configured for PAM authentification it skips checking authorization completely. Therefore expired accounts and accounts with expired passwords can still login.

Proof of Concept

You can expire an account with chage -E0 <username> and still login.

Impact

Since disabling an account in PAM still allows to login via ssh-keys, it's common to set accounts to expire if you want to deny access. So accounts whom have been privilege revoked are still able to login.

Occurrences

Here's a patch since I don't want to make this public in a repository.

--- a/internal/auth/pam/pam.go
+++ b/internal/auth/pam/pam.go
@@ -26,5 +26,9 @@ func (c *Config) doAuth(login, password string) error {
                return err
        }

-       return t.Authenticate(0)
+    if err = t.Authenticate(0); err != nil {
+           return err
+    }
+
+       return t.AcctMgmt(0)
 }
We are processing your report and will contact the gogs team within 24 hours. 3 months ago
ysf
3 months ago

Researcher


@admin The gogs team is still working on the other issue they're frozen for. What is the freeze/unfreeze process? Can't find it in the FAQs and sure would like bounty if possible.

ysf modified the report
3 months ago
ysf
3 months ago

Researcher


A similar bug has been reported to Gitea, we should coordinate publishing them after both repositories have been fixed.

ysf
3 months ago

Researcher


Gogs have been contacted according to their security.md here: https://github.com/gogs/gogs/issues/6810

Joe Chen validated this vulnerability 3 months ago
ysf has been awarded the disclosure bounty
The fix bounty is now up for grabs
Jamie Slome
3 months ago

Admin


@ysf - the prize pot is frozen whilst the entire pot is being consumed by another pending report. Once the report has been reviewed that consumes the entire prize pot, 30 days will elapse before the prize pot refills again.

Created this issue here to help address this better! Feel free to leave your thoughts on the issue too.

ysf submitted a
3 months ago
We have sent a fix follow up to the gogs team. We will try again in 7 days. 3 months ago
Joe Chen confirmed that a fix has been merged on 64102b 3 months ago
ysf has been awarded the fix bounty
pam.go#L29 has been validated
to join this conversation