Exploitation of a vulnerability in Cisco's node-jose, a JavaScript library created to manage JWT.
This vulnerability in Cisco's node-jose allows an attacker to forge malicious tokens.
JWT allows users to embed public keys (using the jwk value) inside the header of the token. However, the application should never trust those keys as an attacker can provide his own key and sign the message using the corresponding private key.
This issue impacts version prior to 0.11.
If we look at the changes introduced to fix this issue https://github.com/cisco/node-jose/commit/959a61d707ed2c8cf6582139a5605119283e4acb, one file is particularly interesting (test/fixtures/jws.embedded_jwk.json)
:
"signing": {
"protected": {
"alg": "PS256",
"jwk": {
"kty": "RSA",
"kid": "bilbo.baggins@hobbiton.example",
"use": "sig",
"n": "n4EPtAOCc9AlkeQHPzHStgAbgs7bTZLwUBZdR8_KuKPEHLd4rHVTeT-O-XV2jRojdNhxJWTDvNd7nqQ0VEiZQHz_AJmSCpMaJMRBSFKrKb2wqVwGU_NsYOYL-QtiWN2lbzcEe6XC0dApr5ydQLrHqkHHig3RBordaZ6Aj-oBHqFEHYpPe7Tpe-OfVfHd1E6cS6M1FZcD1NNLYD5lFHpPI9bTwJlsde3uhGqC0ZCuEHg8lhzwOHrtIQbS0FVbb9k3-tVTU4fg_3L_vniUFAKwuCLqKnS2BYwdq_mzSnbLY7h_qixoR7jig3__kRhuaxwUkRz5iaiQkqgc5gHdrNP5zw",
"e": "AQAB"
}
},
"protected_b64u": "eyJhbGciOiJQUzI1NiIsImp3ayI6eyJrdHkiOiJSU0EiLCJraWQiOiJiaWxiby5iYWdnaW5zQGhvYmJpdG9uLmV4YW1wbGUiLCJ1c2UiOiJzaWciLCJuIjoibjRFUHRBT0NjOUFsa2VRSFB6SFN0Z0FiZ3M3YlRaTHdVQlpkUjhfS3VLUEVITGQ0ckhWVGVULU8tWFYyalJvamROaHhKV1REdk5kN25xUTBWRWlaUUh6X0FKbVNDcE1hSk1SQlNGS3JLYjJ3cVZ3R1VfTnNZT1lMLVF0aVdOMmxiemNFZTZYQzBkQXByNXlkUUxySHFrSEhpZzNSQm9yZGFaNkFqLW9CSHFGRUhZcFBlN1RwZS1PZlZmSGQxRTZjUzZNMUZaY0QxTk5MWUQ1bEZIcFBJOWJUd0psc2RlM3VoR3FDMFpDdUVIZzhsaHp3T0hydElRYlMwRlZiYjlrMy10VlRVNGZnXzNMX3ZuaVVGQUt3dUNMcUtuUzJCWXdkcV9telNuYkxZN2hfcWl4b1I3amlnM19fa1JodWF4d1VrUno1aWFpUWtxZ2M1Z0hkck5QNXp3IiwiZSI6IkFRQUIifX0",
"sig-input": "eyJhbGciOiJQUzI1NiIsImp3ayI6eyJrdHkiOiJSU0EiLCJraWQiOiJiaWxiby5iYWdnaW5zQGhvYmJpdG9uLmV4YW1wbGUiLCJ1c2UiOiJzaWciLCJuIjoibjRFUHRBT0NjOUFsa2VRSFB6SFN0Z0FiZ3M3YlRaTHdVQlpkUjhfS3VLUEVITGQ0ckhWVGVULU8tWFYyalJvamROaHhKV1REdk5kN25xUTBWRWlaUUh6X0FKbVNDcE1hSk1SQlNGS3JLYjJ3cVZ3R1VfTnNZT1lMLVF0aVdOMmxiemNFZTZYQzBkQXByNXlkUUxySHFrSEhpZzNSQm9yZGFaNkFqLW9CSHFGRUhZcFBlN1RwZS1PZlZmSGQxRTZjUzZNMUZaY0QxTk5MWUQ1bEZIcFBJOWJUd0psc2RlM3VoR3FDMFpDdUVIZzhsaHp3T0hydElRYlMwRlZiYjlrMy10VlRVNGZnXzNMX3ZuaVVGQUt3dUNMcUtuUzJCWXdkcV9telNuYkxZN2hfcWl4b1I3amlnM19fa1JodWF4d1VrUno1aWFpUWtxZ2M1Z0hkck5QNXp3IiwiZSI6IkFRQUIifX0.SXTigJlzIGEgZGFuZ2Vyb3VzIGJ1c2luZXNzLCBGcm9kbywgZ29pbmcgb3V0IHlvdXIgZG9vci4gWW91IHN0ZXAgb250byB0aGUgcm9hZCwgYW5kIGlmIHlvdSBkb24ndCBrZWVwIHlvdXIgZmVldCwgdGhlcmXigJlzIG5vIGtub3dpbmcgd2hlcmUgeW91IG1pZ2h0IGJlIHN3ZXB0IG9mZiB0by4",
"sig": "XslzHQKM0UogsxugMxj0vmFhNijnmCksPyQ0x8SQ5xC9rEg4_3n_22bdJkM6CQWiTSDUuBCgXo3eqb6GhoPnYgnlGouDy0dIeaihl5Nr85uncW29I39OEZel8UtVGTfOxwssibymheBjKVp0_umkQANicz2_JTLGJQ42BgDVq6L2ZyrqIu7onr9B1XC-O9uzN2xoDfRwK7jCJjH1TPH09W9Pi1iLiXuf7liKH5dBDFzfjCqS4p3PQ6KtdT_gMTOg35PErxFfoi_53cr4l-rUv5ZkdcmIadGjMHDBVpfKSHhkZRVrvR0q6Go6TyvzL5l_hONYKKn09pkhFDjN9JvZeQ"
Especially the value sig-input
, which, once decoded, give us the following data:
{
"alg":"PS256",
"jwk": {
"kty":"RSA",
"kid":"bilbo.baggins@hobbiton.example",
"use":"sig",
"n":"n4EPtAOCc9Alke...........rNP5zw",
"e":"AQAB"
}
}
This is the format we will need to follow to get the right header for our payload to work.
- Create a private RSA key using
openssl
. - Extract
n
ande
from the public composent of the private key you just created. - Sign your payload using the same private key.
- You need to change the
n
ande
values in your payload to make sure they match the private key you're using. - You need to create the right payload for the body of your token.
- You need to make sure the algorithm
alg
is the one you're using to sign. Most likely you will need to change the value toRS256
.