[SECURITY] Synchronize admin tools session with backend user session

Admin tools sessions are revoked in case the initiatin backend user
does not have admin or system maintainer privileges anymore. Besides
that, revoking backend user interface sessions now also revokes access
to admin tools. Standalone install tool is not affected.

Resolves: #92019
Releases: main, 11.5, 10.4
Change-Id: I367098abd632fa34caa59e4e165f5ab1916894c5
Security-Bulletin: TYPO3-CORE-SA-2022-005
Security-References: CVE-2022-31050
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74905
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>

typo3/sysext/install/Classes/Controller/BackendModuleController.php

@@ -175,7 +175,8 @@ protected function getBackendUserConfirmationUri(array $parameters): Uri
      */
     protected function setAuthorizedAndRedirect(string $controller): ResponseInterface
     {
-        $this->getSessionService()->setAuthorizedBackendSession();
+        $userSession = $this->getBackendUser()->getSession();
+        $this->getSessionService()->setAuthorizedBackendSession($userSession);
         $redirectLocation = PathUtility::getAbsoluteWebPath('install.php?install[controller]=' . $controller . '&install[context]=backend');
         return new RedirectResponse($redirectLocation, 303);
     }

typo3/sysext/install/Classes/Middleware/Maintenance.php

@@ -143,6 +143,21 @@ public function process(ServerRequestInterface $request, RequestHandlerInterface
 
         // session related actions
         $session = new SessionService();
+
+        // the backend user has an active session but the admin / maintainer
+        // rights have been revoked or the user was disabled or deleted in the meantime
+        if ($session->isAuthorizedBackendUserSession() && !$session->hasActiveBackendUserRoleAndSession()) {
+            // log out the user and destroy the session
+            $session->resetSession();
+            $session->destroySession();
+            $formProtection = FormProtectionFactory::get(
+                InstallToolFormProtection::class
+            );
+            $formProtection->clean();
+
+            return new HtmlResponse('', 403);
+        }
+
         if ($actionName === 'preAccessCheck') {
             $response = new JsonResponse([
                 'installToolLocked' => !$this->checkEnableInstallToolFile(),

typo3/sysext/install/Classes/Service/SessionService.php

@@ -17,8 +17,15 @@
 
 use Symfony\Component\HttpFoundation\Cookie;
 use TYPO3\CMS\Core\Core\Environment;
+use TYPO3\CMS\Core\Database\ConnectionPool;
+use TYPO3\CMS\Core\Database\Query\Restriction\DefaultRestrictionContainer;
+use TYPO3\CMS\Core\Database\Query\Restriction\RootLevelRestriction;
 use TYPO3\CMS\Core\Messaging\FlashMessage;
 use TYPO3\CMS\Core\Security\BlockSerializationTrait;
+use TYPO3\CMS\Core\Session\Backend\HashableSessionBackendInterface;
+use TYPO3\CMS\Core\Session\Backend\SessionBackendInterface;
+use TYPO3\CMS\Core\Session\SessionManager;
+use TYPO3\CMS\Core\Session\UserSession;
 use TYPO3\CMS\Core\SingletonInterface;
 use TYPO3\CMS\Core\Utility\GeneralUtility;
 use TYPO3\CMS\Install\Exception;
@@ -188,14 +195,28 @@ public function setAuthorized()
     /**
      * Marks this session as an "authorized by backend user" one.
      * This is called by BackendModuleController from backend context.
+     *
+     * @param UserSession $userSession session of the current backend user
      */
-    public function setAuthorizedBackendSession()
+    public function setAuthorizedBackendSession(UserSession $userSession)
     {
+        $nonce = bin2hex(random_bytes(20));
+        $sessionBackend = $this->getBackendUserSessionBackend();
+        // use hash mechanism of session backend, or pass plain value through generic hmac
+        $sessionHmac = $sessionBackend instanceof HashableSessionBackendInterface
+            ? $sessionBackend->hash($userSession->getIdentifier())
+            : hash_hmac('sha256', $userSession->getIdentifier(), $nonce);
+
         $_SESSION['authorized'] = true;
         $_SESSION['lastSessionId'] = time();
         $_SESSION['tstamp'] = time();
         $_SESSION['expires'] = time() + $this->expireTimeInMinutes * 60;
         $_SESSION['isBackendSession'] = true;
+        $_SESSION['backendUserSession'] = [
+            'nonce' => $nonce,
+            'userId' => $userSession->getUserId(),
+            'hmac' => $sessionHmac,
+        ];
         // Renew the session id to avoid session fixation
         $this->renewSession();
     }
@@ -222,7 +243,7 @@ public function isAuthorized()
      *
      * @return bool TRUE if this session has been authorized before and initialized by a backend system maintainer
      */
-    public function isAuthorizedBackendUserSession()
+    public function isAuthorizedBackendUserSession(): bool
     {
         if (!$this->hasSessionCookie()) {
             return false;
@@ -234,6 +255,49 @@ public function isAuthorizedBackendUserSession()
         return !$this->isExpired();
     }
 
+    /**
+     * Evaluates whether the backend user that initiated this admin tool session,
+     * has an active role (is still admin & system maintainer) and has an active backend user interface session.
+     *
+     * @return bool whether the backend user has an active role and backend user interface session
+     */
+    public function hasActiveBackendUserRoleAndSession(): bool
+    {
+        // @see \TYPO3\CMS\Install\Controller\BackendModuleController::setAuthorizedAndRedirect()
+        $backendUserSession = $this->getBackendUserSession();
+        $backendUserRecord = $this->getBackendUserRecord($backendUserSession['userId']);
+        if ($backendUserRecord === null || empty($backendUserRecord['uid'])) {
+            return false;
+        }
+        $isAdmin = (($backendUserRecord['admin'] ?? 0) & 1) === 1;
+        $systemMaintainers = array_map('intval', $GLOBALS['TYPO3_CONF_VARS']['SYS']['systemMaintainers'] ?? []);
+        // stop here, in case the current admin tool session does not belong to a backend user having admin & maintainer privileges
+        if (!$isAdmin || !in_array((int)$backendUserRecord['uid'], $systemMaintainers, true)) {
+            return false;
+        }
+
+        $sessionBackend = $this->getBackendUserSessionBackend();
+        foreach ($sessionBackend->getAll() as $sessionRecord) {
+            $sessionUserId = (int)($sessionRecord['ses_userid'] ?? 0);
+            // skip, in case backend user id does not match
+            if ($backendUserSession['userId'] !== $sessionUserId) {
+                continue;
+            }
+            $sessionId = (string)($sessionRecord['ses_id'] ?? '');
+            // use persisted hashed `ses_id` directly, or pass through hmac for plain values
+            $sessionHmac = $sessionBackend instanceof HashableSessionBackendInterface
+                ? $sessionId
+                : hash_hmac('sha256', $sessionId, $backendUserSession['nonce']);
+            // skip, in case backend user session id does not match
+            if ($backendUserSession['hmac'] !== $sessionHmac) {
+                continue;
+            }
+            // backend user id and session id matched correctly
+            return true;
+        }
+        return false;
+    }
+
     /**
      * Check if our session is expired.
      * Useful only right after a FALSE "isAuthorized" to see if this is the
@@ -299,6 +363,20 @@ public function getMessagesAndFlush()
         return $messages;
     }
 
+    /**
+     * @return array{userId: int, nonce: string, hmac: string} backend user session references
+     */
+    public function getBackendUserSession(): array
+    {
+        if (empty($_SESSION['backendUserSession'])) {
+            throw new Exception(
+                'The backend user session is only available if invoked via the backend user interface.',
+                1624879295
+            );
+        }
+        return $_SESSION['backendUserSession'];
+    }
+
     /**
      * Check if php session.auto_start is enabled
      *
@@ -323,4 +401,52 @@ protected function getIniValueBoolean($configOption)
             [FILTER_REQUIRE_SCALAR, FILTER_NULL_ON_FAILURE]
         );
     }
+
+    /**
+     * Fetching a user record with uid=$uid.
+     * Functionally similar to TYPO3\CMS\Core\Authentication\BackendUserAuthentication::setBeUserByUid().
+     *
+     * @param int $uid The UID of the backend user
+     * @return array<string, int>|null The backend user record or NULL
+     */
+    protected function getBackendUserRecord(int $uid): ?array
+    {
+        $restrictionContainer = GeneralUtility::makeInstance(DefaultRestrictionContainer::class);
+        $restrictionContainer->add(GeneralUtility::makeInstance(RootLevelRestriction::class, ['be_users']));
+
+        $queryBuilder = GeneralUtility::makeInstance(ConnectionPool::class)->getQueryBuilderForTable('be_users');
+        $queryBuilder->setRestrictions($restrictionContainer);
+        $queryBuilder->select('uid', 'admin')
+            ->from('be_users')
+            ->where($queryBuilder->expr()->eq('uid', $queryBuilder->createNamedParameter($uid, \PDO::PARAM_INT)));
+
+        $resetBeUsersTca = false;
+        if (!isset($GLOBALS['TCA']['be_users'])) {
+            // The admin tool intentionally does not load any TCA information at this time.
+            // The database restictions, needs the enablecolumns TCA information
+            // for 'be_users' to load the user correctly.
+            // That is why this part of the TCA ($GLOBALS['TCA']['be_users']['ctrl']['enablecolumns'])
+            // is simulated.
+            // The simulation state will be removed later to avoid unexpected side effects.
+            $GLOBALS['TCA']['be_users']['ctrl']['enablecolumns'] = [
+                'rootLevel' => 1,
+                'deleted' => 'deleted',
+                'disabled' => 'disable',
+                'starttime' => 'starttime',
+                'endtime' => 'endtime',
+            ];
+            $resetBeUsersTca = true;
+        }
+        $result = $queryBuilder->executeQuery()->fetchAssociative();
+        if ($resetBeUsersTca) {
+            unset($GLOBALS['TCA']['be_users']);
+        }
+
+        return is_array($result) ? $result : null;
+    }
+
+    protected function getBackendUserSessionBackend(): SessionBackendInterface
+    {
+        return GeneralUtility::makeInstance(SessionManager::class)->getSessionBackend('BE');
+    }
 }

typo3/sysext/install/Tests/Functional/Controller/BackendModuleControllerTest.php

@@ -19,6 +19,7 @@
 
 use TYPO3\CMS\Backend\Routing\UriBuilder;
 use TYPO3\CMS\Backend\Template\ModuleTemplateFactory;
+use TYPO3\CMS\Core\Authentication\BackendUserAuthentication;
 use TYPO3\CMS\Core\Core\ApplicationContext;
 use TYPO3\CMS\Core\Core\Environment;
 use TYPO3\CMS\Install\Controller\BackendModuleController;
@@ -84,7 +85,13 @@ public function environmentContextIsRespectedTest(string $module): void
             Environment::isWindows() ? 'WINDOWS' : 'UNIX'
         );
 
-        // Authorized redirect to the install tool is performed, sudo mode is not required
+        // Authorized redirect to the admin tool is performed
+        // sudo mode is not required (due to development context)
+        $GLOBALS['BE_USER'] = new BackendUserAuthentication();
+        // using anonymous user session, which is fine for this test case
+        $GLOBALS['BE_USER']->initializeUserSessionManager();
+        $GLOBALS['BE_USER']->user = ['uid' => 1];
+
         $response = $subject->{$action}();
         self::assertEquals(303, $response->getStatusCode());
         self::assertNotEmpty($response->getHeader('location'));