novnc allowing open redirection which could potentially be used for phishing

Bug #1927677 reported by sirswa on 2021-05-07
Affects                      Importance   Assigned to
OpenStack Compute (nova)     Undecided    Unassigned
  Train                      Undecided    Unassigned
  Ussuri                     Undecided    Unassigned
  Victoria                   Undecided    Unassigned
  Wallaby                    Undecided    Unassigned
OpenStack Security Advisory  Undecided    Unassigned

Bug Description

This bug report is related to Security.

Currently novnc is allowing open redirection, which could potentially be used for phishing attempts.

To test:
https://<sites' vnc domain>//example.com/%2F..
include .. at the end

For example:
http://vncproxy.my.domain.com//example.com/%2F..

It will redirect to example.com. You can replace example.com with some legitimate domain or spoofed domain.

The description of the risk is
By modifying untrusted URL input to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials.
Because the server name in the modified link is identical to the original site, phishing attempts may have a more trustworthy appearance.

Revision history for this message
sirswa (sirswa) wrote :

You can also test from the host that is running the novnc service:

nova:~# curl -v 'http://127.0.0.1:6080//google.com/%2F..'
* Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to 127.0.0.1 (127.0.0.1) port 6080 (#0)
> GET //google.com/%2F.. HTTP/1.1
> Host: 127.0.0.1:6080
> User-Agent: curl/7.58.0
> Accept: */*
>
< HTTP/1.1 301 Moved Permanently
< Server: WebSockify Python/3.6.9
< Date: Fri, 07 May 2021 04:49:39 GMT
< Location: //google.com/%2F../
* no chunk, no close, no size. Assume close to signal end
<

Revision history for this message
Jeremy Stanley (fungi) wrote :

Since this report concerns a possible security risk, an incomplete
security advisory task has been added while the core security
reviewers for the affected project or projects confirm the bug and
discuss the scope of any vulnerability along with potential
solutions.

description: updated
Changed in ossa:
status: New → Incomplete
Revision history for this message
melanie witt (melwitt) wrote :

This bug report reminds me of an old bug [1] we dealt with in the past where the canned vnc_auto.html and vnc.html pages allowed injection of arbitrary HTML into them (fixed in noVNC 0.6.2) [2].

vnc_auto.html (vnc_lite.html as of v1.0.0) and vnc.html have a feature where a host and port can be specified as query parameters in the URL, example [3]:

  http://1.2.3.4:6080/vnc_auto.html?host=6.7.8.9&port=6080

and it will connect to a noVNC server running on that host:port as the source of data provided to vnc_auto.html. The bug [2] meant that if a user specified host:port in the URL query parameters, a potentially malicious noVNC server running on that host:port could inject arbitrary HTML into the vnc_auto.html being served on the user's machine.

I mention that because it seems like the host:port functionality could be similarly used to phish. I'm thinking if someone ran their own noVNC server at host:port and got a user to click on a link with ?host&port in it, they could steal credentials if the user didn't notice what machine they're connecting to.

If that's the case, I'm not sure this redirect behavior is much different from what is already built in to the vnc_lite.html and vnc.html pages that come with noVNC.

Aside from that, it's not clear to me whether this redirect behavior is something we (nova) control or if it's being done by noVNC itself. If it's the latter, I'm not sure whether we could do anything to intercept it or if it's something that would have to be changed in noVNC.

I'm going to add noVNC to this bug to get their input about the redirect behavior.

[1] https://bugs.launchpad.net/horizon/+bug/1656435
[2] https://github.com/novnc/noVNC/issues/748
[3] https://github.com/novnc/noVNC/blob/v1.1.0/vnc_lite.html#L14-L15

Revision history for this message
melanie witt (melwitt) wrote :

> I'm going to add noVNC to this bug to get their input about the redirect behavior.

Looks like I can't do that because noVNC and websockify use github issues and those can't be private security. But if it is indeed an issue in noVNC or websockify, then it is probably OK to go ahead and report it publicly in those projects.

I'm going to do some local testing to determine whether this redirect is something we could intercept and handle or if it happens before we (websockify plugin) are called. If it doesn't appear we can intercept it, we can switch this to public and I can report an issue for noVNC or websockify on github.

Revision history for this message
melanie witt (melwitt) wrote :

OK, I really went down the rabbit hole with this one.

The tl;dr is that this is a known issue in the python standard library [1], in the http.server.SimpleHTTPRequestHandler, which WebSockifyRequestHandler derives from and which we ultimately derive from with our NovaProxyRequestHandler.

I found that we _can_ intercept this in our code and prevent an open redirect. It could be considered hacky, but I'm attaching a patch that prevents the redirect. It is code copied from a comment on the python issue [2].

The concern about the sample code in the issue is that such code might reject legitimate requests in certain cases. I don't believe we have such a concern with the nova console proxy.

Let me know what you think.

[1] https://bugs.python.org/issue32084
[2] https://bugs.python.org/issue32084#msg306545

Revision history for this message
melanie witt (melwitt) wrote :

Also, I'm thinking we could make this bug public considering the root cause of the behavior is a public issue in the python standard http.server.SimpleHTTPRequestHandler.

Revision history for this message
melanie witt (melwitt) wrote :

Also, I have tested the patch in comment 5 in devstack and verified it works to return a 400 Bad Request if "//" is included in the URL to redirect, provided that the browser has not previously cached a past redirect.

I used the following URL to test: http://127.0.0.1:6080//google.com/%2F..

Jeremy Stanley (fungi) on 2021-05-13
description: updated
information type: Private Security → Public
information type: Public → Public Security
Revision history for this message
Jeremy Stanley (fungi) wrote :

Thanks for digging into this, Melanie! I've ended the embargo and switched to Public Security given the relatively low risk this represents and its relationship with known issues in WebSockify/stdlib.

If the patch is sufficient and gets backported to stable branches, we could issue an advisory (class A in our report taxonomy). We could also consider it a workaround for a bug in a dependency (class C2), but that gets into determining whether the vulnerability is in the dependency or merely in the way we're using it. I'll leave the security advisory task incomplete for the time being, and we'll see how the fix progresses in review.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to nova (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/nova/+/791297

Changed in nova:
status: New → In Progress
melanie witt (melwitt) on 2021-05-13
tags: added: console
Revision history for this message
sirswa (sirswa) wrote : Re: [Bug 1927677] Re: novnc allowing open redirection which could potentially be used for phishing

Hi Melanie

Thanks for the investigation and your effort. Really appreciate that.

Regards
sw3


Revision history for this message
sirswa (sirswa) wrote :

Hi Melanie

Thanks for the investigation and the effort. Really appreciate that.

Regards
sw3


Revision history for this message
melanie witt (melwitt) wrote :

Hi sw3,

Thanks for reporting the issue!

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to nova (master)

Reviewed: https://review.opendev.org/c/openstack/nova/+/791297
Committed: https://opendev.org/openstack/nova/commit/781612b33282ed298f742c85dab58a075c8b793e
Submitter: "Zuul (22348)"
Branch: master

commit 781612b33282ed298f742c85dab58a075c8b793e
Author: melanie witt <email address hidden>
Date: Thu May 13 05:43:42 2021 +0000

    Reject open redirection in the console proxy

    Our console proxies (novnc, serial, spice) run in a websockify server
    whose request handler inherits from the python standard
    SimpleHTTPRequestHandler. There is a known issue [1] in the
    SimpleHTTPRequestHandler which allows open redirects by way of URLs
    in the following format:

      http://vncproxy.my.domain.com//example.com/%2F..

    which if visited, will redirect a user to example.com.

    We can intercept a request and reject requests that pass a redirection
    URL beginning with "//" by implementing the
    SimpleHTTPRequestHandler.send_head() method containing the
    vulnerability to reject such requests with a 400 Bad Request.

    This code is copied from a patch suggested in one of the issue comments
    [2].

    Closes-Bug: #1927677

    [1] https://bugs.python.org/issue32084
    [2] https://bugs.python.org/issue32084#msg306545

    Change-Id: Ie36401c782f023d1d5f2623732619105dc2cfa24
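
The redirect the commit message describes, the send_head() guard it applies, and a way to exercise both without opening a network socket, as an added example (this is not nova's patch and not the sample from the python issue; it reproduces the same "reject a redirect target beginning with //" logic). The offline harness class, the constructed request bytes and a throwaway empty directory standing in for the noVNC document root are assumptions of this example; on Python builds that already carry the fix for bpo-32084 the server collapses the leading slashes itself, so the guard is never reached and the request gets a local 301 instead of a 400.

```python
import io
import os
import tempfile
import urllib.parse
from http import HTTPStatus
from http.server import SimpleHTTPRequestHandler


def stdlib_redirect_location(request_path):
    """Reproduce the Location that SimpleHTTPRequestHandler.send_head() builds
    when a directory is requested without a trailing slash (bpo-32084)."""
    parts = urllib.parse.urlsplit(request_path)
    return urllib.parse.urlunsplit(
        (parts[0], parts[1], parts[2] + '/', parts[3], parts[4]))


class GuardedHandler(SimpleHTTPRequestHandler):
    """send_head() override in the spirit of the nova fix: refuse a redirect
    whose target starts with '//', which browsers read as a scheme-relative
    absolute URL (so '//example.com/...' leaves the proxy host)."""

    def send_head(self):
        if os.path.isdir(self.translate_path(self.path)):
            parts = urllib.parse.urlsplit(self.path)
            if (not parts.path.endswith('/')
                    and stdlib_redirect_location(self.path).startswith('//')):
                self.send_error(HTTPStatus.BAD_REQUEST,
                                'URI must not start with //')
                return None
        return super().send_head()


class _OfflineHandler(GuardedHandler):
    """Harness (assumed, not stdlib API): feed the handler bytes instead of a
    socket so the request/response cycle can be exercised without a server."""

    def __init__(self, raw_request, directory):  # skips socket setup on purpose
        self.rfile, self.wfile = io.BytesIO(raw_request), io.BytesIO()
        self.directory = directory  # document root used by translate_path()
        self.client_address = ('127.0.0.1', 0)  # only used for log lines
        self.handle_one_request()


def respond(raw_request, directory=None):
    """Return (status code, Location header or None) for a constructed request."""
    root = directory or tempfile.mkdtemp()  # empty doc root stands in for noVNC
    out = _OfflineHandler(raw_request, root).wfile.getvalue().decode('latin-1')
    head = out.split('\r\n\r\n', 1)[0].split('\r\n')
    location = next((h.split(':', 1)[1].strip() for h in head[1:]
                     if h.lower().startswith('location:')), None)
    return int(head[0].split()[1]), location
```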

Changed in nova:
status: In Progress → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to nova (stable/wallaby)

Fix proposed to branch: stable/wallaby
Review: https://review.opendev.org/c/openstack/nova/+/791577

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to nova (stable/victoria)

Fix proposed to branch: stable/victoria
Review: https://review.opendev.org/c/openstack/nova/+/791805

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to nova (stable/ussuri)

Fix proposed to branch: stable/ussuri
Review: https://review.opendev.org/c/openstack/nova/+/791806

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to nova (stable/train)

Fix proposed to branch: stable/train
Review: https://review.opendev.org/c/openstack/nova/+/791807
