| Service | NorthernFiles |
|---|---|
| Author(s) | Lorenzo Leonardini <@pianka>, Matteo Rossi <@mr96> |
| Store(s) | File content & file metadata |
| Category(ies) | crypto, web |
| Port(s) | 80 |
| FlagId(s) | {user, file} |
| Checker(s) | store1 |
NorthernFiles is an E2E encrypted file storage service. You can upload and share encrypted files via a web platform and a CLI.
The CLI supports a legacy authentication method, which uses the private key to sign each request instead of using a cryptographic proof with the auth microservices. The request signature is checked by the auth_proxy. In case of success an access token is retrieved from the auth server, from the /api/auth/internal/token/<uuid:id> endpoint. Nginx is configured so that this endpoint is not accessible from the outside, but an SSRF vulnerability would allow us to impersonate any user and read their files' metadata.
Nginx is configured in a weird way, so that it follows redirects internally. We can exploit this together with an open redirect in the /logout endpoint.
The exploit loads the page /logout?url=http://auth/internal/token/<uuid>, where <uuid> is the id of the target user. The response will contain an authentication token for the target user, which can then be used to access their files.
Fix: remove the weird nginx configuration or fix the open redirect
Login works with an OPAQUE-like scheme, to allow passwords to be unknown to the server at any time. The client part is done in the wasm library, while the server part is done by python and the compiled python module in the backend.
During registration the server receives a Capsule object, containing two randoms,
In the login protocol, the client generates the values HKDF instantiation to login. If we can calculate this key without knowing the password, we are done.
The key is calculated as id is the user id. So we can make
Fix: add a check that the generated key is not a trivial one.
| store | exploit |
|---|---|
| 1 | exploit1-ssrf.py |
| 1 | exploit2-login-bypass.py |