[Openstack-security] [Bug 1795800] Re: Timing oracle in core auth plugin simplifies brute-forcing usernames
Gage Hugo
gagehugo at gmail.com
Wed Mar 18 14:42:29 UTC 2020
** Changed in: keystone
Assignee: Gage Hugo (gagehugo) => (unassigned)
** Changed in: keystone
Status: In Progress => Triaged
https://bugs.launchpad.net/bugs/1795800
Title:
Timing oracle in core auth plugin simplifies brute-forcing usernames
Status in OpenStack Identity (keystone):
Triaged
Status in OpenStack Security Advisory:
Won't Fix
Bug description:
The response times for POST /v3/auth/tokens are significantly higher
for valid usernames compared to those of invalid ones, making it
possible to enumerate users on the system.
Examples:
# For invalid username
+ Request
POST /v3/auth/tokens HTTP/1.1
Host: hostname:5000
Connection: close
Content-Length: 141
Content-Type: application/json
{
    "auth":{
        "identity":{
            "methods":[
                "password"
            ],
            "password":{
                "user":{
                    "name":"nonexisting",
                    "domain":{
                        "name":"Default"
                    },
                    "password":"devstacker"
                }
            }
        }
    }
}
+ Response Time: <150ms
# For valid username ('admin' in this case)
+ Request
POST /v3/auth/tokens HTTP/1.1
Host: hostname:5000
Connection: close
Content-Length: 139
Content-Type: application/json
{
    "auth":{
        "identity":{
            "methods":[
                "password"
            ],
            "password":{
                "user":{
                    "name":"admin",
                    "domain":{
                        "name":"Default"
                    },
                    "password":"devstacker"
                }
            }
        }
    }
}
+ Response time: >600ms
# Tested version
v3.8
[UPDATE 3 Oct 2018 5:01 AEST]
Looks like it's also possible to enumerate for valid "domain" too. There're 2 ways that I can see:
* With valid username: use the above user enum bug to guess the valid username, then brute the "domain" parameter. Response times are significantly higher for valid compared to invalid domains.
* Without valid username: get a baseline response time using invalid username AND invalid domain name. Brute-force the "domain" param until the response time hits an average high. For me invalid domain falls in the 90-100ms range whereas valid ones show 100+ms. This one looks a bit more obscure, i.e. timing difference is not as distinguishable, but should still be recognizable with a good sample size.
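The pattern behind this class of bug is an authentication path that skips the expensive password hash when the username does not exist. The following is an added illustration, not keystone's code: it models that pattern with a constructed in-memory user store and PBKDF2, places the usual fix beside it (always hashing, against a dummy record for unknown users), and measures the valid/invalid timing ratio so a reviewer can check the fix does what it claims.

```python
import hashlib
import hmac
import os
import time

# Assumption: a deliberately slow password hash, as a real identity service would use.
PBKDF2_ROUNDS = 20_000

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha512", password.encode(), salt, PBKDF2_ROUNDS)

# Constructed user store: username -> (salt, hash). Only "admin" exists, as in the report.
_SALT = os.urandom(16)
USERS = {"admin": (_SALT, hash_password("devstacker", _SALT))}

# Dummy record computed once at startup; unknown usernames are verified against it
# so that the expensive hash runs on every attempt, known user or not.
DUMMY_SALT = os.urandom(16)
DUMMY_HASH = hash_password(os.urandom(16).hex(), DUMMY_SALT)

def authenticate_leaky(username: str, password: str) -> bool:
    """Returns before hashing when the user is unknown: that fast path is the oracle."""
    record = USERS.get(username)
    if record is None:
        return False
    salt, stored = record
    return hmac.compare_digest(hash_password(password, salt), stored)

def authenticate_uniform(username: str, password: str) -> bool:
    """Does the same amount of work whether or not the username exists."""
    salt, stored = USERS.get(username, (DUMMY_SALT, DUMMY_HASH))
    matches = hmac.compare_digest(hash_password(password, salt), stored)
    # Both facts are computed before being combined, so no short-circuit skips the hash.
    return (username in USERS) and matches

def median_ms(fn, username: str, password: str, samples: int = 9) -> float:
    """Median wall-clock time of fn(username, password) in milliseconds."""
    times = []
    for _ in range(samples):
        start = time.perf_counter()
        fn(username, password)
        times.append((time.perf_counter() - start) * 1000)
    times.sort()
    return times[len(times) // 2]

def timing_ratio(fn) -> float:
    """Median time for a valid username divided by that for an invalid one (wrong password in both)."""
    return median_ms(fn, "admin", "wrong-password") / median_ms(fn, "nonexisting", "wrong-password")
```

With the leaky variant the ratio is far above 1 because only the valid username reaches the hash; with the uniform variant it stays close to 1, which is the property to check after applying a fix of this kind.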