ServiceStack is affected by a signature verification bypass in the ServiceStack.Auth.JwtAuthProviderReader
method, which could be used to bypass the authentication mechanisms and/or to elevate privileges.
This security advisory is referred to a vulnerability found and resolved internally by ServiceStack’s development team, read the “Re-discovering a JWT Authentication Bypass in ServiceStack” for more information.
“ServiceStack is an open-source framework designed to be an alternative to the WCF, ASP.NET MVC, and ASP.NET Web API frameworks. It supports REST and SOAP endpoints, autoconfiguration of data formats, inversion of control containers, object-relational mapping, caching mechanisms, and much more.” For more information visit https://servicestack.net/.
The verification of a JWT
token consists of the server extracting the header
and the payload
of the token from a given request, re-calculating the signature server-side, and finally comparing the calculated signature with the one in the request through the VerifyPayload
function.
The VerifyPayload
function make usage of the following ServiceStack.EnumerableUtils.EquivalentTo
method:
|
|
The method is called with the server-side generated signature as bytes
and the request signature as other
.
As no length check is performed and the check is pre-set to the success value (var compare = 0
), it is possible to bypass the whole check by submitting an empty signature. If other.Length
is 0
then no checks are performed and the function will always return True
.
HEADER.PAYLOAD.SIGNATURE
becomes HEADER.PAYLOAD.
).An attacker can forge a valid JWT token with arbitrary content.
Upgrade ServiceStack to version 5.9.2 or later.
N/A
This advisory was first published on https://www.shielder.com/advisories/servicestack-jwt-signature-verification-bypass/
Date
2 November 2020