CVE-2021-3967: Improper Access Control in zulip

Description

According to the current design of the application, when the user wants to get value of api_key, API /json/fetch_api_key will require password to authentication. However, the application exists another API routed at /json/users/me/api_key/regenerate that allows regenerating api_key value and doesn’t requiring password authentication. Attacker who gets the user’s valid session can call vulnerable API to extract the api_key value without user’s password.

Proof of Concept****I’m using online service at https://testingnnnn.zulipchat.com.

• Step 1: Login as normal user, go to https://testingnnnn.zulipchat.com/#settings/account-and-privacy, click "Show/change your API key", application will ask for password to perform the action.

• Step 2: In current session, call this request to regenerate and get value of api_key

  POST /json/users/me/api_key/regenerate HTTP/2 Host: testingnnnn.zulipchat.com Cookie: [YOUR_VALID_COOKIE] User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:97.0) Gecko/20100101 Firefox/97.0 Accept: application/json, text/javascript, /; q=0.01 Accept-Language: vi-VN,vi;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate X-Csrftoken: [VALID_CSRF_TOKEN] X-Requested-With: XMLHttpRequest Referer: https://testingnnnn.zulipchat.com/ Connection: close

• PoC:

Show api_key: https://drive.google.com/file/d/1_A7KQeoyByA3xYwIyJ1k9ZTywabwlEMM

Regenerate api_key: https://drive.google.com/file/d/1Ob96FTju4irz2Hn2sXBXz_JtMlEAmAp0

Impact

Bypass the protection mechanism in the design of the application. Attackers can get the api_key value without knowing user’s password.