MySQL token (Keystone) retain access via an expired token

2014.08.25
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-255


CVSS Base Score: 4.9/10
Impact Subscore: 4.9/10
Exploitability Subscore: 6.8/10
Exploit range: Remote
Attack complexity: Medium
Authentication: Single time
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: None

Bug Description

Since MySQL only stores timestamps with an accuracy of seconds rather than microseconds, the expires_at recorded with a revocation event no longer equals the microsecond-precision expires_at carried by the token. Comparisons of token expiration times therefore fail to match, and revoked tokens do not show up as revoked.

A breakpoint in keystone/contrib/revoke/model.py, is_revoked():

mysql:

    (Pdb) p self.revoke_map
    {'trust_id=*': {'consumer_id=*': {'access_token_id=*': {'expires_at=2014-07-22 22:55:53': {'domain_id=*': {'project_id=*': {u'user_id=949c28307de74cafb4ab07c6ada75d6c': {'role_id=*': {'issued_before': datetime.datetime(2014, 7, 22, 21, 55, 59, 610579)}}}}}}}}}

DB2:

    (Pdb) p self.revoke_map
    {'trust_id=*': {'consumer_id=*': {'access_token_id=*': {'expires_at=2014-07-22 22:58:44.322976': {'domain_id=*': {'project_id=*': {u'user_id=c4ed3fa9ee5f4e02b580389400a817e0': {'role_id=*': {'issued_before': datetime.datetime(2014, 7, 22, 21, 58, 49, 390556)}}}}}}}}}

This is in add_event in model.py:

mysql:

    (Pdb) event.expires_at
    datetime.datetime(2014, 7, 22, 23, 28, 2)

db2:

    (Pdb) event.expires_at
    datetime.datetime(2014, 7, 22, 23, 22, 40, 481090)
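The mismatch above reproduced in a simplified model (added example, not Keystone's own code): a revocation tree keyed by the expires_at string exactly as the backend returns it, queried with the token's own expires_at. RevokeTree, check_revocation and the sample timestamps are constructed for illustration; the normalize flag stands in for the mitigation of comparing both sides at the precision the backend actually stores.

```python
from datetime import datetime, timedelta


def truncate_to_seconds(ts):
    """Mimic a backend (MySQL DATETIME here) that drops fractional seconds."""
    return ts.replace(microsecond=0)


class RevokeTree:
    """Constructed stand-in for Keystone's revoke_map: events are keyed by
    the expires_at value as it comes back from the revocation backend."""

    def __init__(self, normalize=False):
        self.normalize = normalize  # hardened mode: key at whole seconds
        self.revoke_map = {}

    def _key(self, expires_at):
        if self.normalize:
            expires_at = truncate_to_seconds(expires_at)
        return "expires_at=%s" % expires_at

    def add_event(self, expires_at, user_id, issued_before):
        bucket = self.revoke_map.setdefault(self._key(expires_at), {})
        bucket[user_id] = issued_before

    def is_revoked(self, token):
        bucket = self.revoke_map.get(self._key(token["expires_at"]), {})
        issued_before = bucket.get(token["user_id"])
        # Revoked only if the tree has a matching key and the token was
        # issued before the revocation event.
        return issued_before is not None and token["issued_at"] < issued_before


def check_revocation(backend_truncates, normalize):
    """Issue a token, revoke it, then ask the tree whether it is revoked."""
    # Constructed microsecond-precision timestamps, as a token carries them.
    issued_at = datetime(2014, 7, 22, 21, 55, 59, 610579)
    token = {"user_id": "user-a", "issued_at": issued_at,
             "expires_at": issued_at + timedelta(hours=1)}
    # The revocation event's expires_at round-trips through the backend.
    stored = token["expires_at"]
    if backend_truncates:
        stored = truncate_to_seconds(stored)  # "22:55:59" vs "22:55:59.610579"
    tree = RevokeTree(normalize=normalize)
    tree.add_event(stored, "user-a", issued_at + timedelta(seconds=5))
    return tree.is_revoked(token)
```

With a truncating backend and no normalization the token is reported as not revoked; normalizing both sides restores detection without changing the microsecond-precise path.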

References:

https://bugs.launchpad.net/keystone/+bug/1347961



Copyright 2024, cxsecurity.com
