ninenines / cowboy

Small, fast, modern HTTP server for Erlang/OTP.

Home Page: https://ninenines.eu

Unauth RCE in Cowboy

ssd-disclosure opened this issue · comments

Hi,

We would like to report an RCE in Cowboy; the vulnerability allows unauthenticated attackers to execute commands on the remote server via an authentication bypass.

Is this the right place to report such a vulnerability?

Can you be a little more specific? Cowboy does not provide authentication as a feature, it is a library, and authentication is provided and implemented by the users of the library.

I don't think you can attach files via replies to Github tickets. You can send me an email at contact@ninenines.eu if you want.

OK, I see. There are a few misunderstandings, I think.

First, the issue is not related to Cowboy. The default value is set by Erlang.mk, so I guess that would have been more appropriate, but I don't think it matters overall because...

The distribution cookie is not a security mechanism as is explained in the Note here: https://www.erlang.org/doc/reference_manual/distributed.html#security

And which I will quote:

"Security" here does not mean cryptographically secure, but rather security against accidental misuse, such as preventing a node from connecting to a cluster with which it is not intended to communicate.

Furthermore, the communication between nodes is per default in clear text. If you need strong security, please see Using TLS for Erlang Distribution in the SSL application's User's Guide.

Also, the default random cookie mentioned in the following text is not very unpredictable. A better one can be generated using primitives in the crypto module, though this still does not make the initial handshake cryptographically secure. And inter-node communication is still in clear text.

So I believe Erlang.mk is using the cookie in the correct way, which is to identify the cluster the nodes will be a part of.

Now the defaults definitely are not secure, but it is not the changing of the cookie that will help. Instead, users that need it should use TLS for Erlang Distribution and verify the certificates of connected nodes. But that's also not something we can really do by default as a library.
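The mitigation named in the reply above (TLS for Erlang Distribution with certificate verification on both sides) as an added example; this is not code from the issue thread, Cowboy or Erlang.mk, and the file path, certificate paths and node name are assumptions:

```erlang
%% ssl_dist.conf (assumed path: /etc/myapp/ssl_dist.conf), read by the
%% inet_tls distribution module when the node is started with:
%%   erl -proto_dist inet_tls -ssl_dist_optfile /etc/myapp/ssl_dist.conf -sname node1
%% Every node in the cluster holds a certificate issued by the same private
%% cluster CA (cluster-ca.pem); certificate and key paths are placeholders.
[{server, [{certfile,   "/etc/myapp/certs/node1.pem"},
           {keyfile,    "/etc/myapp/certs/node1.key"},
           {cacertfile, "/etc/myapp/certs/cluster-ca.pem"},
           %% Demand a certificate from the connecting node and check it
           %% against the cluster CA; a node without one is rejected.
           {verify, verify_peer},
           {fail_if_no_peer_cert, true},
           {secure_renegotiate, true}]},
 {client, [{certfile,   "/etc/myapp/certs/node1.pem"},
           {keyfile,    "/etc/myapp/certs/node1.key"},
           {cacertfile, "/etc/myapp/certs/cluster-ca.pem"},
           %% Outgoing connections verify the remote node's certificate
           %% against the same CA, so the cookie alone never decides trust.
           {verify, verify_peer},
           {secure_renegotiate, true}]}].
```

With this in place, the distribution cookie keeps its documented role of separating clusters, while admission to the cluster rests on certificates issued by the CA you control.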