CVE-2021-43448: Web socket tampering (e.g. user names)

[strawp]

Any questions around CVE-2021-43448

[strawp]

Moved over from question in email.

This is a general issue and is present even if the web socket is fully authenticated. An attacker can alter the contents of a web socket command to change properties such as username, and carry out actions without any access control over it. A good visual example of this is the chat feature. Connect pwnlyoffice to a document that is also open in the browser and you will find you can join in the chat as any user name.

Let me know if you can reproduce this. I will create a gif of this working if not

[ShockwaveNN]

We were able to reproduce it using your app with

./pwnlyoffice.py -d 1234 -u https://theonlyofficesiteurl -U Bob chat

(if I not mistaken that its about 43448)

But as far as we understand - this REQUIRE knowledge of JWT key/disabled JWT on DocumentServer - and this is not normal for setup of DocumentServer, admins should setup uniq and private JWT key

[strawp]

I don't think JWT affects this issue but I can double check. Do you still have a test instance with JWT auth enabled I can use?

…

On Tue, Jan 4, 2022 at 3:38 PM Pavel Lobashov ***@***.***> wrote: We were able to reproduce it using your app with ./pwnlyoffice.py -d 1234 -u https://theonlyofficesiteurl -U Bob chat (if I not mistaken that its about 43448) But as far as we understand - this REQUIRE knowledge of JWT key/disabled JWT on DocumentServer - and this is not normal for setup of DocumentServer, admins should setup uniq and private JWT key — Reply to this email directly, view it on GitHub <#8 (reply in thread)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAEF5VNJ3M2HGLB7RF3KDXDUUMH5VANCNFSM5LHAUBEQ> . Triage notifications on the go with GitHub Mobile for iOS <https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675> or Android <https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub>. You are receiving this because you authored the thread.Message ID: ***@***.***>

[ShockwaveNN]

Sorry, we are currently on holiday vacation until next week and we turned off all extra services, and I am unable to set up them without extra help

That I got from my records -
if we disable JWT on the server:
./pwnlyoffice.py -d 953505598 -u http://nextcloud.url -U Bob chat - this work and type to chat is possible

If we enable JWT on the server (with simple JWT key 123)
./pwnlyoffice.py --usejwt --jwtsecret '123' -d 953505598 -u http://nextcloud.url -U Bob chat - this works and typing to chat is possible

But if we enable JWT with a simplest secret (123) and call:
./pwnlyoffice.py -d 953505598 -u http://nextcloud.url -U Bob chat - this would fail, but sorry do not record which error is happened

So knowing JWT key is needed as far as I understand

[strawp]

So, in the second case, the JWT is allowing authentication but the server isn't checking that the user supplied in subsequent chat commands is the user that authenticated. JWT is only required for the "auth" command.

…

On Tue, Jan 4, 2022 at 4:10 PM Pavel Lobashov ***@***.***> wrote: Sorry, we are currently on holiday vacation until next week and we turned off all extra services, and I am unable to set up them without extra help That I got from my records - if we disable JWT on the server: ./pwnlyoffice.py -d 953505598 -u http://nextcloud.url -U Bob chat - this work and type to chat is possible If we enable JWT on the server (with simple JWT key 123) ./pwnlyoffice.py --usejwt --jwtsecret '123' -d 953505598 -u http://nextcloud.url -U Bob chat - this works and typing to chat is possible But if we enable JWT with a simplest secret (123) and call: ./pwnlyoffice.py -d 953505598 -u http://nextcloud.url -U Bob chat - this would fail, but sorry do not record which error is happened — Reply to this email directly, view it on GitHub <#8 (reply in thread)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAEF5VMXM6JMJAJYER2FTEDUUMLWRANCNFSM5LHAUBEQ> . Triage notifications on the go with GitHub Mobile for iOS <https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675> or Android <https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub>. You are receiving this because you authored the thread.Message ID: ***@***.***>

[ShockwaveNN]

In that case I need to wait for my colleagues to decide if this behaviour is not by design
I understand you, but I'm not so good in internal mechanism of sockets and JWT auth