Page MenuHomePhabricator
Create Task
Maniphest T344923

CVE-2023-45367: User can store arbitrary number of rows in cu_useragent_clienthints
Closed, ResolvedPublicSecurity
Actions

Assigned To
Dreamy_Jazz
Authored By
dom_walden
Aug 24 2023, 1:44 PM
Tags
Referenced Files
F37627145: T344923-2.patch
Aug 24 2023, 5:45 PM
F37626891: T344923.patch
Aug 24 2023, 3:42 PM
Subscribers
AGueyte
Aklapper
dom_walden
Dreamy_Jazz
gerritbot
GMikesell-WMF
kostajh
View All 13 Subscribers

Description

When sending client hints data, the brands and fullVersionList fields are a list. Each member of these lists is inserted as a separate row in the cu_useragent_clienthints table.

There does not seem to be a limit to the number of items a user can put in these lists. I was able to submit a client hints request with 10000 entries in both of these fields, and 20000 rows were inserted in to the database.

This could be a possible vector for denial of service.

Reproduction
  1. Setup a wiki with CheckUser and enable client hints (they are enabled by default, you shouldn't need to do anything)
  2. Make an edit in Firefox (which does not support client hints)
  3. Find out the revision ID of the edit you just made
  4. Run this command, changing <rev id> to the revision ID you just found. You might need to change the address of the server as well:
curl 'http://localhost:8080/w/rest.php/checkuser/v0/useragent-clienthints/revision/<rev id>' -H 'Content-Type: application/json' \
  --data-raw '{"architecture":"","bitness":"64","brands":[{"brand": "Test Brand", "version": "0"}, {"brand": "Test Brand", "version": "1"}, {"brand": "Test Brand", "version": "2"}, {"brand": "Test Brand", "version": "3"}, {"brand": "Test Brand", "version": "4"}, {"brand": "Test Brand", "version": "5"}, {"brand": "Test Brand", "version": "6"}, {"brand": "Test Brand", "version": "7"}, {"brand": "Test Brand", "version": "8"}, {"brand": "Test Brand", "version": "9"}],"fullVersionList":[{"brand": "Test Version", "version": "0"}, {"brand": "Test Version", "version": "1"}, {"brand": "Test Version", "version": "2"}, {"brand": "Test Version", "version": "3"}, {"brand": "Test Version", "version": "4"}, {"brand": "Test Version", "version": "5"}, {"brand": "Test Version", "version": "6"}, {"brand": "Test Version", "version": "7"}, {"brand": "Test Version", "version": "8"}, {"brand": "Test Version", "version": "9"}],"mobile":false,"model":"","platform":"Linux","platformVersion":"5.10.0"}'
  1. Go to the database and run SELECT * FROM cu_useragent_clienthints;
Other information

Only wmf and the master branch of CheckUser has this issue. There will be no need to keep this private after the patch is in production as only local testing wikis should have this issue until it's merged into the master branch.

Details

Risk Rating
Medium
Author Affiliation
WMF Product
Related Changes in Gerrit:
SubjectRepoBranchLines +/-
SECURITY: Limit number of rows returned by ::toDatabaseRowsmediawiki/extensions/CheckUsermaster+76 -0
Customize query in gerrit

Related Objects

Event Timeline

dom_walden created this task.Aug 24 2023, 1:44 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptAug 24 2023, 1:44 PM
dom_walden added projects: Anti-Harassment-Team, CheckUser, http-client-hints.Aug 24 2023, 1:45 PM
dom_walden updated the task description. (Show Details)
dom_walden added subscribers: Dreamy_Jazz, Tchanders, AGueyte and 3 others.
dom_walden added a subscriber: GMikesell-WMF.Aug 24 2023, 2:12 PM
Dreamy_Jazz claimed this task.EditedAug 24 2023, 2:12 PM
Dreamy_Jazz triaged this task as High priority.

I will write a patch.

There are a few ways to get this fixed that I can see:

  1. Disable collection of Client Hints globally until this is fixed (and then a fix can be written normally)
  2. Temporarily disable collection, deploy a security patch and then re-enable collection.
  3. Deploy a security patch without disabling collection
Dreamy_Jazz added a project: Vuln-DoS.Aug 24 2023, 2:34 PM
Dreamy_Jazz added a comment.EditedAug 24 2023, 3:42 PM

Proposed patch:

T344923.patch4 KBDownload

This patch includes the fix and also adding a new testcase to an existing test to check that the fix worked. I've tested this locally and this seems to fix the issue.

Dreamy_Jazz updated the task description. (Show Details)Aug 24 2023, 3:44 PM
Dreamy_Jazz updated the task description. (Show Details)
kostajh added a comment.Aug 24 2023, 5:12 PM
In T344923#9117651, @Dreamy_Jazz wrote:

Proposed patch:

T344923.patch4 KBDownload

This patch includes the fix and also adding a new testcase to an existing test to check that the fix worked. I've tested this locally and this seems to fix the issue.

virtual +2 from me. @Dreamy_Jazz is making some minor changes to the commit message.

Dreamy_Jazz added a comment.Aug 24 2023, 5:45 PM

Modified proposed patch:

T344923-2.patch5 KBDownload

Changes were to fix the commit message and to add an inline comment to the array_splice call on the suggestion of Kosta.

kostajh added a comment.Aug 24 2023, 7:42 PM
In T344923#9118432, @Dreamy_Jazz wrote:

Modified proposed patch:

T344923-2.patch5 KBDownload

Changes were to fix the commit message and to add an inline comment to the array_splice call on the suggestion of Kosta.

+2, thank you.

kostajh added a subscriber: thcipriani.Aug 24 2023, 8:45 PM

@thcipriani just synced this.

sbassett mentioned this in T340874: Write and send supplementary release announcement for extensions and skins with security patches (1.35.12/1.39.5/1.40.1).Aug 25 2023, 4:48 PM
sbassett subscribed.
In T344923#9118791, @kostajh wrote:

@thcipriani just synced this.

Is there a SAL entry for this? I couldn't find an obvious one. Also now tracking at T276237 and T340874.

kostajh added a comment.Aug 25 2023, 5:17 PM
In T344923#9120619, @sbassett wrote:
In T344923#9118791, @kostajh wrote:

@thcipriani just synced this.

Is there a SAL entry for this? I couldn't find an obvious one. Also now tracking at T276237 and T340874.

No, I don't see one.

@sbassett are we OK to proceed with creating a patch in Gerrit for this, and making this task public?

sbassett added a comment.Aug 25 2023, 5:37 PM
In T344923#9118791, @kostajh wrote:

@sbassett are we OK to proceed with creating a patch in Gerrit for this, and making this task public?

Yes, that's fine. Once an issue is patched in Wikimedia production and if it doesn't belong to a bundled component, then it can be disclosed and backported. We'll disclose it again via the end-of-quarter supplemental security release as well (T340874).

Dreamy_Jazz added a comment.Aug 25 2023, 5:48 PM
In T344923#9120796, @sbassett wrote:
In T344923#9118791, @kostajh wrote:

@sbassett are we OK to proceed with creating a patch in Gerrit for this, and making this task public?

Yes, that's fine. Once an issue is patched in Wikimedia production and if it doesn't belong to a bundled component, then it can be disclosed and backported. We'll disclose it again via the end-of-quarter supplemental security release as well (T340874).

The vulnerability has only existed in the master and wmf branches, so not sure if it needs to be backported when making the fix public as no release versions included it. This may also mean that it doesn't need to be stated in the end-of-quarter supplemental security release as the fix would not be included in any of these releases (due to the vulnerability not existing in any release version).

Dreamy_Jazz added a comment.Aug 25 2023, 5:53 PM

Patch uploaded to gerrit as https://gerrit.wikimedia.org/r/c/mediawiki/extensions/CheckUser/+/952482.

sbassett added a subscriber: gerritbot.Aug 25 2023, 9:14 PM
In T344923#9120855, @Dreamy_Jazz wrote:

The vulnerability has only existed in the master and wmf branches, so not sure if it needs to be backported when making the fix public as no release versions included it. This may also mean that it doesn't need to be stated in the end-of-quarter supplemental security release as the fix would not be included in any of these releases (due to the vulnerability not existing in any release version).

So at the very least there should be a public backport to master or main for any security patch, which I see you've now done in c952482. If the patch is not relevant for other supported release branches, then no further effort needs to be expended in backporting it to said branches. I'll go ahead and make this task public now as well.

sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".Aug 25 2023, 9:14 PM
sbassett changed the edit policy from "Custom Policy" to "All Users".
sbassett changed Risk Rating from N/A to Medium.
sbassett moved this task from Incoming to Watching on the Security-Team board.
sbassett added a project: SecTeam-Processed.
Dreamy_Jazz added a comment.Aug 25 2023, 9:16 PM

I had assumed that the name "backport" applied only to patches not on the master branch. My intended meaning was that it didn't need to be cherry picked to other branches from the master branch.

Dreamy_Jazz edited projects, added Anti-Harassment-Team (AHaT Sprint 32 - Baseball Cap); removed Anti-Harassment-Team.Aug 26 2023, 8:45 AM
Dreamy_Jazz moved this task from Ready 🎬 (ONLY IF YOU HAVE NO MORE CODE TO REVIEW) to Code Review 🔍 on the Anti-Harassment-Team (AHaT Sprint 32 - Baseball Cap) board.

Fix is deployed on production, but waiting for code review on the master branch.

gerritbot added a comment.Aug 26 2023, 9:04 AM

Change 952482 merged by jenkins-bot:

[mediawiki/extensions/CheckUser@master] SECURITY: Limit number of rows returned by ::toDatabaseRows

https://gerrit.wikimedia.org/r/952482

Dreamy_Jazz moved this task from Code Review 🔍 to QA/Testing 🐞 on the Anti-Harassment-Team (AHaT Sprint 32 - Baseball Cap) board.Aug 26 2023, 12:05 PM
dancy subscribed.Aug 29 2023, 3:19 PM

/srv/patches/1.41.0-wmf.24/extensions/CheckUser/01-T344923-2.patch fails to apply as of Tue, 29 Aug 2023 00:55:16 UTC.

Dreamy_Jazz added a comment.EditedAug 29 2023, 3:31 PM
In T344923#9127582, @dancy wrote:

/srv/patches/1.41.0-wmf.24/extensions/CheckUser/01-T344923-2.patch fails to apply as of Tue, 29 Aug 2023 00:55:16 UTC.

This has been merged into the master branch, so should be in wmf.24. As such I presume it is safe to ignore this for wmf.24.

kostajh added a comment.Aug 29 2023, 3:31 PM
In T344923#9127582, @dancy wrote:

/srv/patches/1.41.0-wmf.24/extensions/CheckUser/01-T344923-2.patch fails to apply as of Tue, 29 Aug 2023 00:55:16 UTC.

Do we still need this patch? @thcipriani sycned it on August 24 (T344923#9118791) and the master branch patch merged on August 26 (T344923#9121451).

dancy added a comment.Aug 29 2023, 3:58 PM

Sounds like we don't need the patch anymore so I removed it.

Dreamy_Jazz added a comment.Aug 29 2023, 3:59 PM

Thanks!

ReleaseTaggerBot added a project: MW-1.41-notes (1.41.0-wmf.25; 2023-09-05).Aug 30 2023, 3:01 AM
dom_walden moved this task from QA/Testing 🐞 to Done Q1 2023-2024 on the Anti-Harassment-Team (AHaT Sprint 32 - Baseball Cap) board.Sep 5 2023, 6:53 AM

I have only been able to store up to 10 rows each for brands and fullVersionList in the cu_useragent_clienthints table.

Test environment: local docker mysql CheckUser 2.5 (dfa9b11) 20:20, 4 September 2023.

dancy unsubscribed.Sep 5 2023, 3:35 PM
kostajh moved this task from Backlog to Release 0 (Pilot wikis) on the http-client-hints board.Sep 26 2023, 11:31 AM
kostajh edited projects, added http-client-hints (Release 0 (Pilot wikis)); removed http-client-hints.
kostajh closed this task as Resolved.Sep 26 2023, 7:12 PM
mmartorana renamed this task from User can store arbitrary number of rows in cu_useragent_clienthints to CVE-2023-45367: User can store arbitrary number of rows in cu_useragent_clienthints.Oct 10 2023, 5:29 PM
Dreamy_Jazz added a subscriber: mmartorana.Oct 10 2023, 8:00 PM

@mmartorana it seems that that CVE number has an incorrect description. This security issue was never present in any mediawki release. Could the CVE be updated? Thanks.

sbassett added a comment.Oct 11 2023, 1:19 PM
In T344923#9240530, @Dreamy_Jazz wrote:

@mmartorana it seems that that CVE number has an incorrect description. This security issue was never present in any mediawki release. Could the CVE be updated? Thanks.

CVEs can be updated via https://cveform.mitre.org/, with the "Request an update to an existing CVE Entry" option. However such updates can take several weeks or even months.

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits