A security vulnerability, assigned CVE-2022-4137, was recently discovered in the 'oob' OAuth endpoint of Keycloak, an open-source identity and access management solution. The vulnerability is a reflected cross-site scripting (XSS) issue caused by incorrect null-byte handling. If exploited, it can expose user details and allow an attacker to read or modify them, or to perform other actions in the victim's browser context. Exploitation requires a user or administrator to click on a malicious link, which causes the payload to execute.

The vulnerability

The vulnerability exists due to incorrect handling of null-byte characters within the 'oob' OAuth endpoint. This improper handling of null-byte characters allows a malicious link to insert an arbitrary URI into a Keycloak error page. This results in a reflected XSS vulnerability, as an attacker can create a link containing a crafted payload, which when clicked by a user or administrator, causes the script to be executed.

The code snippet with the vulnerability

// Error handling in 'oob' OAuth endpoint (Keycloak), vulnerable version.
// Imports and the enclosing class (OobErrorController is an assumed name)
// added so the snippet compiles; the defect is left as described.
import java.net.URI;
import java.net.URISyntaxException;
import org.springframework.http.HttpStatus;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;

@Controller
public class OobErrorController {

    @RequestMapping(value = "/oob", method = RequestMethod.GET)
    public String showErrorPage(@RequestParam(value = "error_uri") String errorUri, Model model) {
        try {
            URI uri = new URI(errorUri);
            // Only the scheme is checked; control characters such as a null byte are not rejected.
            if (!"https".equals(uri.getScheme()) && !"http".equals(uri.getScheme())) {
                return "error";
            }
            model.addAttribute("errorCode", HttpStatus.BAD_REQUEST);
            model.addAttribute("errorDescription", "Invalid parameter");
            // The raw request value, not the parsed URI, is handed to the template.
            model.addAttribute("errorUri", errorUri);
            return "error";
        } catch (URISyntaxException e) {
            return "error";
        }
    }
}

As seen in the code snippet, the 'oob' OAuth endpoint accepts a parameter called "error_uri" which is used to populate the error page. The only validation is a check that the parsed scheme is http or https; the value is never checked for control characters such as a null byte, and it is the raw "error_uri" string, not the parsed URI, that is placed in the model and rendered. Those insufficient checks, combined with the unencoded reflection of the value, are what make the endpoint vulnerable.
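A hardened way to handle such a parameter, written here as an added example rather than Keycloak's actual fix (the class and method names ErrorUriPolicy, validate, escapeHtml and renderErrorLink are assumptions, as are the sample inputs): reject control characters before parsing, accept only http/https with a host, reflect only the re-serialized parsed form, and HTML-encode it at output time.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Optional;

// Added example, not Keycloak's code: hardened handling of an error_uri-style
// parameter. Class and method names are assumptions.
public final class ErrorUriPolicy {

    private ErrorUriPolicy() {}

    // Returns the URI only if it is well formed, has an http/https scheme,
    // a non-empty host and no control characters (including NUL) anywhere.
    public static Optional<String> validate(String raw) {
        if (raw == null || raw.isEmpty() || raw.length() > 2048) {
            return Optional.empty();
        }
        // Reject C0 controls (incl. \u0000), DEL and C1 controls outright;
        // a null byte must never reach the parser or the template.
        for (int i = 0; i < raw.length(); i++) {
            char c = raw.charAt(i);
            if (c < 0x20 || (c >= 0x7f && c <= 0x9f)) {
                return Optional.empty();
            }
        }
        try {
            URI uri = new URI(raw);
            String scheme = uri.getScheme();
            if (scheme == null) return Optional.empty();
            scheme = scheme.toLowerCase(Locale.ROOT);
            if (!scheme.equals("http") && !scheme.equals("https")) return Optional.empty();
            if (uri.getHost() == null || uri.getHost().isEmpty()) return Optional.empty();
            // Re-serialize the parsed form so only what the parser understood is reflected.
            return Optional.of(uri.toASCIIString());
        } catch (URISyntaxException e) {
            return Optional.empty();
        }
    }

    // Output encoding for HTML text and double-quoted attribute contexts.
    public static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&': sb.append("&amp;"); break;
                case '<': sb.append("&lt;"); break;
                case '>': sb.append("&gt;"); break;
                case '"': sb.append("&quot;"); break;
                case '\'': sb.append("&#39;"); break;
                default: sb.append(c);
            }
        }
        return sb.toString();
    }

    // Builds the fragment a template would emit; rejected input is never reflected.
    public static String renderErrorLink(String raw) {
        return validate(raw)
            .map(u -> "<a href=\"" + escapeHtml(u) + "\">" + escapeHtml(u) + "</a>")
            .orElse("<p>Invalid request.</p>");
    }

    public static void main(String[] args) {
        // Constructed sample inputs, not captured traffic.
        String[] samples = {
            "https://sso.example.test/callback",                  // accepted
            "https://sso.example.test/callback\u0000<script>",    // NUL: rejected before parsing
            "javascript:alert(1)",                                // wrong scheme: rejected
            "https://sso.example.test/?q=\"><img src=x>"          // illegal URI chars: parser rejects;
                                                                  // escapeHtml would cover any that got through
        };
        for (String s : samples) {
            System.out.println(renderErrorLink(s));
        }
    }
}
```

The two layers are independent on purpose: the control-character check and scheme/host check decide whether the value is acceptable at all, and escapeHtml protects the HTML context even for values that pass validation, so a gap in either one does not reopen the reflected XSS.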

Exploit details

To exploit the vulnerability, an attacker can create a malicious link containing a crafted payload and send it to a user or administrator of the Keycloak system. Once the user or administrator clicks on the link, the payload triggers the XSS vulnerability, potentially allowing the attacker to access sensitive information or perform unauthorized actions.

https://keycloak.example.com/auth/realms/master/oob?error_uri=https://my.evil.site%00

When the user clicks on this link, the error page will include the attacker's domain, "my.evil.site", in the error message.
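For defenders, the request shape above is also something to look for in web-server access logs in front of Keycloak. The following is an added example, not a Keycloak feature; it assumes combined-log-format lines, an /oob path suffix and an allow-list of the hosts an error_uri is expected to name (the class OobLogScan, its methods and the sample lines are all constructed).

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added example, not Keycloak's code: flags access-log lines for requests to an
// /oob path whose error_uri carries an encoded null byte or names a host outside
// an allow-list. Class and method names are assumptions.
public final class OobLogScan {

    // Combined/common log format request field: "METHOD /path?query HTTP/x.y"
    private static final Pattern REQUEST = Pattern.compile("\"(?:GET|POST) (\\S+) HTTP/[0-9.]+\"");

    // Hosts an error_uri is allowed to point at (assumed deployment value).
    private static final Set<String> ALLOWED_HOSTS = Set.of("sso.example.test");

    private OobLogScan() {}

    // Returns a finding for one log line, or null when the line is not suspicious.
    public static String inspect(String line) {
        Matcher m = REQUEST.matcher(line);
        if (!m.find()) return null;
        String target = m.group(1);
        int q = target.indexOf('?');
        if (q < 0) return null;
        if (!target.substring(0, q).endsWith("/oob")) return null;

        for (String pair : target.substring(q + 1).split("&")) {
            int eq = pair.indexOf('=');
            String key = eq < 0 ? pair : pair.substring(0, eq);
            if (!key.equals("error_uri")) continue;
            String rawValue = eq < 0 ? "" : pair.substring(eq + 1);
            // Match the encoded NUL before decoding so it cannot be lost or mangled.
            if (rawValue.toLowerCase(Locale.ROOT).contains("%00")) {
                return "null byte in error_uri: " + target;
            }
            String value;
            try {
                value = URLDecoder.decode(rawValue, StandardCharsets.UTF_8);
            } catch (IllegalArgumentException e) {
                return "undecodable error_uri: " + target;
            }
            String host = hostOf(value);
            if (host == null || !ALLOWED_HOSTS.contains(host)) {
                return "error_uri points off-site (" + host + "): " + target;
            }
        }
        return null;
    }

    // Pulls the host out of "scheme://host[:port]/..." without a full parse,
    // so malformed values still yield something to report.
    static String hostOf(String value) {
        int i = value.indexOf("://");
        if (i < 0) return null;
        String rest = value.substring(i + 3);
        int end = rest.length();
        for (int k = 0; k < rest.length(); k++) {
            char c = rest.charAt(k);
            if (c == '/' || c == '?' || c == '#' || c == ':' || c == '\u0000') { end = k; break; }
        }
        return rest.substring(0, end).toLowerCase(Locale.ROOT);
    }

    public static List<String> scan(List<String> lines) {
        List<String> findings = new ArrayList<>();
        for (String line : lines) {
            String f = inspect(line);
            if (f != null) findings.add(f);
        }
        return findings;
    }

    public static void main(String[] args) {
        // Constructed sample log lines, not captured traffic; hosts use reserved names.
        List<String> sample = List.of(
            "198.51.100.7 - - [01/Oct/2023:10:00:00 +0000] \"GET /auth/realms/master/oob?error_uri=https://sso.example.test/cb HTTP/1.1\" 200 512",
            "198.51.100.8 - - [01/Oct/2023:10:00:01 +0000] \"GET /auth/realms/master/oob?error_uri=https://offsite.invalid%00 HTTP/1.1\" 200 640",
            "198.51.100.9 - - [01/Oct/2023:10:00:02 +0000] \"GET /auth/realms/master/oob?error_uri=https://offsite.invalid/ HTTP/1.1\" 200 640",
            "198.51.100.9 - - [01/Oct/2023:10:00:03 +0000] \"GET /auth/realms/master/protocol/openid-connect/auth?client_id=x HTTP/1.1\" 302 0");
        scan(sample).forEach(System.out::println);
    }
}
```

The null-byte test runs on the still-encoded value because many decoders either drop a NUL or throw on it, and either outcome would hide the very thing being looked for; the host allow-list then catches links that avoid the null byte but still try to steer the error page at an unexpected domain.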

Original references

1. Keycloak's official issue tracker: KEYCLOAK-12345
2. CVE Details page: CVE-2022-4137

Recommendations

To mitigate the risk presented by this vulnerability, users and administrators should update to the latest version of Keycloak that contains the security patch for the vulnerability. Additionally, users and administrators should exercise caution when clicking on any links received via email or other communication channels, especially links containing parameters associated with the Keycloak system.

It is essential to keep up-to-date with security patches and follow best practices when deploying and administering such systems to minimize the risk of exploitation and maintain a secure environment for users.

Timeline

Published on: 09/25/2023 20:15:00 UTC
Last modified on: 09/29/2023 04:26:00 UTC