[Openstack-security] [Bug 1795800] Re: Timing oracle in core auth plugin simplifies brute-forcing usernames
Jeremy Stanley
fungi at yuggoth.org
Mon Dec 17 14:07:43 UTC 2018
** Summary changed:
- Username enumeration via response timing difference
+ Timing oracle in core auth plugin simplifies brute-forcing usernames
--
You received this bug notification because you are a member of OpenStack
Security SIG, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1795800
Title:
Timing oracle in core auth plugin simplifies brute-forcing usernames
Status in OpenStack Identity (keystone):
Triaged
Status in OpenStack Security Advisory:
Won't Fix
Bug description:
The response times for POST /v3/auth/tokens are significantly higher
for valid usernames compared to those of invalid ones, making it
possible to enumerate users on the system.
Examples:
# For invalid username
+ Request
POST /v3/auth/tokens HTTP/1.1
Host: hostname:5000
Connection: close
Content-Length: 141
Content-Type: application/json
{"auth":{"identity":{"methods":
["password"],"password":{"user":{"name":
"nonexisting","domain":{"name": "Default"},"password":
"devstacker"}}}}}
+ Response Time: <150ms
# For valid username ('admin' in this case)
+ Request
POST /v3/auth/tokens HTTP/1.1
Host: hostname:5000
Connection: close
Content-Length: 139
Content-Type: application/json
{"auth":{"identity":{"methods":
["password"],"password":{"user":{"name": "admin","domain":{"name":
"Default"},"password": "devstacker"}}}}}
+ Response time: >600ms
# Tested version
v3.8
[UPDATE 3 Oct 2018 5:01 AEST]
Looks like it's also possible to enumerate for valid "domain" too. There're 2 ways that I can see:
* With valid username: use the above user enum bug to guess the valid username, then brute the "domain" parameter. Response times are significantly higher for valid compared to invalid domains.
* Without valid username: get a baseline response time using invalid username AND invalid domain name. Bruteforce the "domain" param until the response time hits an average high. For me invalid domain falls in the 90-100ms range whereas valid ones show 100+ms. This one looks a bit more obscure i.e. timing difference is not as distinguishable, but should still be recognisable with a good sample size.
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1795800/+subscriptions
More information about the Openstack-security
mailing list