exploit the possibilities

FusionAuth-SAMLv2 0.2.3 Message Forging

FusionAuth-SAMLv2 0.2.3 Message Forging
Posted Oct 2, 2020
Authored by Felix Sieges

Unauthenticated users can send forged messages to the FusionAuth to bypass authentication, impersonate other users or gain arbitrary roles. The SAML message can be send to the application without a signature even if this is required. The impact depends on individual applications that implement fusionauth-samlv2. Version 0.2.3 is vulnerable.

tags | exploit, arbitrary
advisories | CVE-2020-12676
MD5 | f8a52bf9494d332e9b0a5df53b18c1c8

FusionAuth-SAMLv2 0.2.3 Message Forging

Change Mirror Download
#############################################################
#
# COMPASS SECURITY ADVISORY
# https://www.compass-security.com/research/advisories/
#
#############################################################
#
# Product: SAML v2.0 bindings in Java using JAXB
# Vendor: FusionAuth
# CSNC ID: CSNC-2020-002
# CVE ID: CVE-2020-12676
# Subject: Signature Exclusion Attack
# Risk: High
# Effect: Remotely exploitable
# Author: Felix Sieges <felix.sieges@compass-security.com>
# Date: 2020-09-30
#
#############################################################

Introduction:
-------------
FusionAuth [1] provides authentication, authorization, and user management for any app.
SAML v2.0 bindings in Java using JAXB are a library used to integrate SAML
Authentication with Java Applications. Compass Security [2] identified a vulnerability
that allows remote attackers to forge messages and bypass authentication via a SAML
assertion that lacks a Signature element, aka a "Signature exclusion attack".


Affected:
---------
Vulnerable:
fusionauth-samlv2 0.2.3

Not vulnerable:
fusionauth-samlv2 0.2.4

Not tested:
No other version was tested, but it is believed for the older versions to be
vulnerable as well.


Technical Description
---------------------
Unauthenticated users can send forged messages to the FusionAuth to bypass
Authentication, impersonate other users or gain arbitrary roles. The SAML
Message can be send to the Application without a signature even if this is
required. The impact depends on individual applications that
implement fusionauth-samlv2.

The code which is responsible to verify the signature is called from the parseResponse
function [3]. The function checks whether a signature must be verified and if so
the function verifySignature is called to do signature verification checks.

https://github.com/FusionAuth/fusionauth-

```
public AuthenticationResponse parseResponse(String encodedResponse, boolean verifySignature, PublicKey key)
throws SAMLException {

AuthenticationResponse response = new AuthenticationResponse();
byte[] decodedResponse = Base64.getMimeDecoder().decode(encodedResponse);
response.rawResponse = new String(decodedResponse, StandardCharsets.UTF_8);

Document document = parseFromBytes(decodedResponse);
if (verifySignature) {
verifySignature(document, key);
}
```


In the function verifySignature [4] the SAML message is parsed after validation that a
signature is attached to the message. If no signatures exist the function just returns.
Hence the parseReponse method assumes that the signature is valid and the SAML message
will be processed further.


```
private void verifySignature(Document document, Key key) throws SAMLException {
// Fix the IDs in the entire document per the suggestions at http://stackoverflow.com/questions/17331187/xml-dig-sig-error-after-upgrade-to-java7u25
fixIDs(document.getDocumentElement());

NodeList nl = document.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
if (nl.getLength() == 0) {
return;
}

for (int i = 0; i < nl.getLength(); i++) {
DOMValidateContext validateContext = new DOMValidateContext(key, nl.item(i));
XMLSignatureFactory factory = XMLSignatureFactory.getInstance("DOM");
try {
XMLSignature signature = factory.unmarshalXMLSignature(validateContext);
boolean valid = signature.validate(validateContext);
if (!valid) {
throw new SAMLException("Invalid SAML v2.0 authentication response. The signature is invalid.");
}
} catch (MarshalException e) {
throw new SAMLException("Unable to verify XML signature in the SAML v2.0 authentication response because we couldn't unmarshall the XML Signature element", e);
} catch (XMLSignatureException e) {
throw new SAMLException("Unable to verify XML signature in the SAML v2.0 authentication response. The signature was unmarshalled we couldn't validate it for an unknown reason", e);
}
}
}
}
```

Workaround / Fix:
-----------------
Upgrade to fusionauth-samlv2 0.2.4, where the signature checks are performed correctly

#TODO
Timeline:
---------
2020-04-29: Discovery by Felix Sieges
2020-05-06: Assigned CVE-2020-12676
2020-05-06: Initial vendor notification
2020-05-06: Initial vendor response
2020-12-05: Release of fixed Version
2020-09-30: Coordinated public disclosure date


References:
-----------
[1] https://fusionauth.io/
[2] https://compass-security.com
[3] https://github.com/FusionAuth/fusionauth-samlv2/blob/master/src/main/java/io/fusionauth/samlv2/service/DefaultSAMLv2Service.java#L502
[4] https://github.com/FusionAuth/fusionauth-samlv2/blob/dbcf3ccabbc89f43ca322c1526a6a3589e3a1f1f/src/main/java/io/fusionauth/samlv2/service/DefaultSAMLv2Service.java#L820



Login or Register to add favorites

File Archive:

October 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    25 Files
  • 2
    Oct 2nd
    13 Files
  • 3
    Oct 3rd
    1 Files
  • 4
    Oct 4th
    1 Files
  • 5
    Oct 5th
    15 Files
  • 6
    Oct 6th
    15 Files
  • 7
    Oct 7th
    15 Files
  • 8
    Oct 8th
    11 Files
  • 9
    Oct 9th
    3 Files
  • 10
    Oct 10th
    1 Files
  • 11
    Oct 11th
    1 Files
  • 12
    Oct 12th
    8 Files
  • 13
    Oct 13th
    12 Files
  • 14
    Oct 14th
    23 Files
  • 15
    Oct 15th
    4 Files
  • 16
    Oct 16th
    13 Files
  • 17
    Oct 17th
    1 Files
  • 18
    Oct 18th
    1 Files
  • 19
    Oct 19th
    27 Files
  • 20
    Oct 20th
    41 Files
  • 21
    Oct 21st
    18 Files
  • 22
    Oct 22nd
    16 Files
  • 23
    Oct 23rd
    2 Files
  • 24
    Oct 24th
    1 Files
  • 25
    Oct 25th
    1 Files
  • 26
    Oct 26th
    17 Files
  • 27
    Oct 27th
    19 Files
  • 28
    Oct 28th
    29 Files
  • 29
    Oct 29th
    13 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close