Skip to content

Keycloak: Local Temporary Directory Hijacking Vulnerability

Moderate
JLLeitschuh published GHSA-7gf3-89f6-823j Dec 22, 2021

Package

maven org.keycloak:keycloak-services (Maven)

Affected versions

12.0.0 < 13.0.0

Patched versions

13.0.0

Description

Utilizing a custom CodeQL query written as a part of the GitHub Security Lab Bug Bounty program, I've unearthed a local temporary directory hijacking vulnerability.

This particular vulnerability impacts Keycloak/keycloak

You can see the custom CodeQL query utilized here:
https://lgtm.com/query/7674880310425951666/

This particular vulnerability exists because on unix-like systems (not including MacOS) the system temporary directory is shared between all users.
As such, failure to correctly set file permissions and/or verify exclusive creation of directories can lead to either local information disclosure, or local file hijacking by another user.

In the worse case scenario, this can lead to a local privilege escalation vulnerability, as it did in this vulnerability I disclosed in Jetty:
GHSA-g3wg-6mcf-8jj6

In this case, it does not look like code is explicitly intended to be written to these directories. However, it does look like the GzipResourceEncodingProviderFactory.java is used as the creator of a cache. Thus, a malicious user can perform cache poisoning.

Additionally, DirExportProvider.java looks like it's being used to export information. This information can be corrupted by a different user.

One of many root causes here is that mkdir and mkdirs do not fail if the directory already exists. They merely return false. As such, an attacker can create these directories before the java process creates them, but with wider user permissions. Since these directory names are not in any way random, the attacker can simply create these directories ahead of Keycloak. When this happens, the java process doesn't complain that the directories already exist, mkdir and mkdirs simply return false.

However, assuming that the java process is the first thing to create these directories, mkdir and mkdirs will only set the directory following the default umask (I believe); by default that means that these directories are created with the permissions drwxr-xr-x.
Thus allowing a malicious local user to read the contents of this temporary directory.

Official Disclosure

https://access.redhat.com/security/cve/cve-2021-20202

Official Fix

https://github.com/keycloak/keycloak/pull/7859/files

Severity

Moderate

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Local
Attack complexity
High
Privileges required
Low
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N

CVE ID

CVE-2021-20202

Weaknesses

Credits