MYPROXY-OAUTH-2013-0001


Summary:


A malicious party could consume an unbounded amount of space on the disk that backs the OAuth portal's data stores.


Component: registration servlet
Vulnerable Versions: all through 1.0.5
Platform: all
Availability: not known to be publicly available
Fix Available: 1.0.6
Status: Verified
Access Required: no special access
Host Type Required: any
Effort Required: low
Impact/Consequences: medium
Fixed Date: 2013-May-09
Credit: Karl Mazurak

Access Required:

no special access

Anyone who can connect to the OAuth portal via the web can make use of this vulnerability.

Effort Required:

low

The attacker must generate at least one valid public RSA key; simple web automation tools would suffice for carrying out an attack.

Impact/Consequences:

medium

In a worst-case scenario the attacker could fill the entire disk before the attack is noticed. The amount of work required to clean up after such an attack would vary with the effort the attacker put into it.

Full Details:


MyProxy's OAuth portal includes a registration servlet, intended to be used to supply information about science gateways as prospective OAuth clients. Submitting this form creates new entries in the clients and clientApprovals data stores and sends email to a preconfigured operator address. Entries in these data stores are not automatically deleted.

Submitting the registration form requires only a valid RSA public key, and the key need not be unique. There is nothing in place to prevent a malicious user from manually or automatically resubmitting this form without limit. This could eventually fill the disk space that backs the portal's data stores, but not before inundating the operator with email.

The command line approver utility supplied by the OAuth for MyProxy project does not include any functionality for deleting entries or sorting through large amounts of data, so cleanup would need to be done via manual database or filesystem operations. Depending on the method by which the attacker generated bogus entries, this might amount to deleting all non-approved client entries, potentially losing information about real prospective clients.

Cause:

absence of rate limiting

This vulnerability is caused by the absence of anything that would limit the repeated resubmission of a form when the submission of that form generates data that must be manually processed.

Proposed Fix:


Many techniques exist that allow websites to prevent repeated resubmission of forms that generate work for site operators; captchas (images containing letters and numbers that are difficult to discern by automated means) are a common example. Adding a well-tested implementation of such a technique could significantly limit the amount of work a malicious user could create and essentially rule out threats to available disk space.

Better tools for allowing an operator to handle a large number of requests would assist in difficult cleanup scenarios. For instance, a tool might be able to group requests by span of time, common public key, or other attributes, making it easier to separate bogus entries from legitimate ones.

Actual Fix:


The MyProxy OAuth Portal team implemented a configurable server-side limit on active pending client requests.
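As an added illustration of the actual fix, together with the grouping aid suggested under Proposed Fix, and not code from the MyProxy OAuth portal itself: a registration store that refuses new entries once a configurable number of requests are awaiting approval, and a helper that counts pending requests per public key so that a flood reusing one key stands out. The class and method names are assumptions made for this example.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional
import time

@dataclass
class ClientRequest:
    client_id: int
    public_key: str        # PEM text of the submitted RSA public key
    submitted_at: float    # epoch seconds, usable for grouping by time span
    approved: bool = False

class PendingLimitExceeded(Exception):
    """Raised instead of writing a new entry once the pending cap is reached."""

class RegistrationStore:
    # In-memory stand-in for the clients/clientApprovals data stores (assumption).
    def __init__(self, max_pending: int = 100):
        self.max_pending = max_pending        # operator-configurable cap
        self._clients: Dict[int, ClientRequest] = {}
        self._next_id = 1

    def pending(self) -> List[ClientRequest]:
        return [c for c in self._clients.values() if not c.approved]

    def register(self, public_key: str, now: Optional[float] = None) -> int:
        # Check the cap before any data-store write or operator email, so
        # repeated submissions stop consuming disk (and inbox) once it is hit.
        if len(self.pending()) >= self.max_pending:
            raise PendingLimitExceeded(f"{self.max_pending} requests already pending")
        cid = self._next_id
        self._next_id += 1
        self._clients[cid] = ClientRequest(cid, public_key,
                                           now if now is not None else time.time())
        return cid

    def approve(self, client_id: int) -> None:
        self._clients[client_id].approved = True      # frees a pending slot

    def discard(self, client_id: int) -> None:
        del self._clients[client_id]                  # cleanup also frees a slot

    def pending_by_key(self) -> Counter:
        # Cleanup aid: a flood that reuses one RSA key shows up as a single
        # key with a large count, separating it from legitimate requests.
        return Counter(c.public_key for c in self.pending())
```

Rejecting at the cap turns an unbounded disk-consumption problem into a bounded one; the operator still needs the grouping output to tell bogus pending entries from real ones.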

Acknowledgment:


This research was funded in part by Department of Homeland Security grant FA8750-10-2-0030 (funded through AFRL), National Science Foundation grant OCI-1127210, and NATO grant ICS.MD.CLG 984138.