Associated Vulnerability
Title:Cisco node-jose open source library 数据伪造问题漏洞 (CVE-2018-0114)Description:Cisco node-jose open source library是美国思科(Cisco)公司的一个基于Web浏览器和node.js的服务器的JSON对象签名和加密的开源库。 Cisco node-jose open source library 0.11.0之前的版本中存在安全漏洞,该漏洞源于node-jose使用了JSON Web Signature (JWS)标准。远程攻击者可通过移除原签名伪造有效的JWS对象利用该漏洞重新签名令牌。
Description
Exploitation of a vulnerability in Cisco's node-jose, a JavaScript library created to manage JWT.
Readme
# CVE-2018-0114
Exploitation of a vulnerability in Cisco's node-jose, a JavaScript library created to manage JWT.
This vulnerability in Cisco's node-jose allows an attacker to forge malicious tokens.
JWT allows users to embed public keys (using the jwk value) inside the header of the token. However, the application should never trust those keys as an attacker can provide his own key and sign the message using the corresponding private key.
# Review
This issue impacts version prior to 0.11.
If we look at the changes introduced to fix this issue https://github.com/cisco/node-jose/commit/959a61d707ed2c8cf6582139a5605119283e4acb, one file is particularly interesting `(test/fixtures/jws.embedded_jwk.json)`:
```json
"signing": {
"protected": {
"alg": "PS256",
"jwk": {
"kty": "RSA",
"kid": "bilbo.baggins@hobbiton.example",
"use": "sig",
"n": "n4EPtAOCc9AlkeQHPzHStgAbgs7bTZLwUBZdR8_KuKPEHLd4rHVTeT-O-XV2jRojdNhxJWTDvNd7nqQ0VEiZQHz_AJmSCpMaJMRBSFKrKb2wqVwGU_NsYOYL-QtiWN2lbzcEe6XC0dApr5ydQLrHqkHHig3RBordaZ6Aj-oBHqFEHYpPe7Tpe-OfVfHd1E6cS6M1FZcD1NNLYD5lFHpPI9bTwJlsde3uhGqC0ZCuEHg8lhzwOHrtIQbS0FVbb9k3-tVTU4fg_3L_vniUFAKwuCLqKnS2BYwdq_mzSnbLY7h_qixoR7jig3__kRhuaxwUkRz5iaiQkqgc5gHdrNP5zw",
"e": "AQAB"
}
},
"protected_b64u": "eyJhbGciOiJQUzI1NiIsImp3ayI6eyJrdHkiOiJSU0EiLCJraWQiOiJiaWxiby5iYWdnaW5zQGhvYmJpdG9uLmV4YW1wbGUiLCJ1c2UiOiJzaWciLCJuIjoibjRFUHRBT0NjOUFsa2VRSFB6SFN0Z0FiZ3M3YlRaTHdVQlpkUjhfS3VLUEVITGQ0ckhWVGVULU8tWFYyalJvamROaHhKV1REdk5kN25xUTBWRWlaUUh6X0FKbVNDcE1hSk1SQlNGS3JLYjJ3cVZ3R1VfTnNZT1lMLVF0aVdOMmxiemNFZTZYQzBkQXByNXlkUUxySHFrSEhpZzNSQm9yZGFaNkFqLW9CSHFGRUhZcFBlN1RwZS1PZlZmSGQxRTZjUzZNMUZaY0QxTk5MWUQ1bEZIcFBJOWJUd0psc2RlM3VoR3FDMFpDdUVIZzhsaHp3T0hydElRYlMwRlZiYjlrMy10VlRVNGZnXzNMX3ZuaVVGQUt3dUNMcUtuUzJCWXdkcV9telNuYkxZN2hfcWl4b1I3amlnM19fa1JodWF4d1VrUno1aWFpUWtxZ2M1Z0hkck5QNXp3IiwiZSI6IkFRQUIifX0",
"sig-input": "eyJhbGciOiJQUzI1NiIsImp3ayI6eyJrdHkiOiJSU0EiLCJraWQiOiJiaWxiby5iYWdnaW5zQGhvYmJpdG9uLmV4YW1wbGUiLCJ1c2UiOiJzaWciLCJuIjoibjRFUHRBT0NjOUFsa2VRSFB6SFN0Z0FiZ3M3YlRaTHdVQlpkUjhfS3VLUEVITGQ0ckhWVGVULU8tWFYyalJvamROaHhKV1REdk5kN25xUTBWRWlaUUh6X0FKbVNDcE1hSk1SQlNGS3JLYjJ3cVZ3R1VfTnNZT1lMLVF0aVdOMmxiemNFZTZYQzBkQXByNXlkUUxySHFrSEhpZzNSQm9yZGFaNkFqLW9CSHFGRUhZcFBlN1RwZS1PZlZmSGQxRTZjUzZNMUZaY0QxTk5MWUQ1bEZIcFBJOWJUd0psc2RlM3VoR3FDMFpDdUVIZzhsaHp3T0hydElRYlMwRlZiYjlrMy10VlRVNGZnXzNMX3ZuaVVGQUt3dUNMcUtuUzJCWXdkcV9telNuYkxZN2hfcWl4b1I3amlnM19fa1JodWF4d1VrUno1aWFpUWtxZ2M1Z0hkck5QNXp3IiwiZSI6IkFRQUIifX0.SXTigJlzIGEgZGFuZ2Vyb3VzIGJ1c2luZXNzLCBGcm9kbywgZ29pbmcgb3V0IHlvdXIgZG9vci4gWW91IHN0ZXAgb250byB0aGUgcm9hZCwgYW5kIGlmIHlvdSBkb24ndCBrZWVwIHlvdXIgZmVldCwgdGhlcmXigJlzIG5vIGtub3dpbmcgd2hlcmUgeW91IG1pZ2h0IGJlIHN3ZXB0IG9mZiB0by4",
"sig": "XslzHQKM0UogsxugMxj0vmFhNijnmCksPyQ0x8SQ5xC9rEg4_3n_22bdJkM6CQWiTSDUuBCgXo3eqb6GhoPnYgnlGouDy0dIeaihl5Nr85uncW29I39OEZel8UtVGTfOxwssibymheBjKVp0_umkQANicz2_JTLGJQ42BgDVq6L2ZyrqIu7onr9B1XC-O9uzN2xoDfRwK7jCJjH1TPH09W9Pi1iLiXuf7liKH5dBDFzfjCqS4p3PQ6KtdT_gMTOg35PErxFfoi_53cr4l-rUv5ZkdcmIadGjMHDBVpfKSHhkZRVrvR0q6Go6TyvzL5l_hONYKKn09pkhFDjN9JvZeQ"
```
Especially the value `sig-input`, which, once decoded, give us the following data:
```json
{
"alg":"PS256",
"jwk": {
"kty":"RSA",
"kid":"bilbo.baggins@hobbiton.example",
"use":"sig",
"n":"n4EPtAOCc9Alke...........rNP5zw",
"e":"AQAB"
}
}
```
This is the format we will need to follow to get the right header for our payload to work.
# Exploitation
- Create a private RSA key using `openssl`.
- Extract `n` and `e` from the public composent of the private key you just created.
- Sign your payload using the same private key.
- You need to change the `n` and `e` values in your payload to make sure they match the private key you're using.
- You need to create the right payload for the body of your token.
- You need to make sure the algorithm `alg` is the one you're using to sign. Most likely you will need to change the value to `RS256`.
## Example:
- https://github.com/zi0Black/POC-CVE-2018-0114/blob/master/jwk-node-jose.py
# Resources:
- https://nvd.nist.gov/vuln/detail/CVE-2018-0114
- https://blog.pentesteracademy.com/hacking-jwt-tokens-jws-standard-for-jwt-666810809323
File Snapshot
[4.0K] /data/pocs/c95e6cea78ead97a050dd61cac45776ff98b5a2d
└── [4.2K] README.md
0 directories, 1 file
Remarks
1. It is advised to access via the original source first.
2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).
3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.