Lack of media type verification of Activity Streams objects allows impersonation of remote accounts

High
renchap published GHSA-jhrq-qvrm-qr36 Feb 17, 2024

Package

Mastodon

Affected versions

<= v4.2.6

Patched versions

4.2.7, 4.1.15, 4.0.15, 3.5.19

Description

Summary

When fetching remote statuses, Mastodon doesn't check that the response from the remote server has a Content-Type header value of the Activity Streams media type, which allows a threat actor to upload a crafted Activity Streams document to a remote server and make a Mastodon server fetch it, if the remote server accepts arbitrary user uploads.

Details

Some federated server implementations allow their users to upload arbitrary documents, including JSON documents, as attachments to posts.

On the other hand, Mastodon's FetchRemoteStatusService did not check that the response from the remote server had a Content-Type header value of the Activity Streams media type (i.e. application/ld+json with a profile value of https://www.w3.org/ns/activitystreams, or application/activity+json). This implies that a Mastodon server can fetch a user-uploaded document on a remote server and accept it as an Activity Streams object unless it's otherwise malformed.

FetchRemoteStatusService#trustworthy_attribution? trusts the attributedTo property of a fetched object as long as the domain of the attributed actor is the same as the original request URI. Consequently, a threat actor with a low-privileged account on a remote server can upload an Activity Streams document with a crafted attributedTo property to the remote server and make a Mastodon server fetch it in order to impersonate another account on the same remote server.

FetchRemoteActorService doesn't check the Content-Type either. However, it requires that the remote account be resolvable from a canonical acct: URI via WebFinger, so the service would reject a user-uploaded actor object (unless the threat actor somehow manages to trick the remote server's well-known endpoint into resolving to the fake actor document).

JsonLdHelper#fetch_resource rejects the fetched resource if the id of the top-level node of the JSON-LD document doesn't match the original request URL, which increases the complexity of the exploit: the threat actor needs the ability to predict the URI of the uploaded documents before uploading them, or to edit the uploaded documents without changing the URI. For example, Misskey uses UUIDs in the URIs of uploaded documents, so it's hard to impersonate accounts on a Misskey instance against Mastodon.
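The check that was missing, as an added Ruby example (not Mastodon's own code): accept a fetched document only if its Content-Type is one of the two Activity Streams media types and, as JsonLdHelper#fetch_resource already required, its top-level id matches the requested URI. Function names and the sample URIs are assumptions for illustration.

```ruby
require 'json'

ACTIVITY_STREAMS_PROFILE = 'https://www.w3.org/ns/activitystreams'

# Split 'type/subtype; k=v; k2="v 2"' into the lowercase media type and a
# hash of lowercase parameter names to unquoted values.
def parse_media_type(header)
  return [nil, {}] if header.nil? || header.strip.empty?
  type, *params = header.split(';').map(&:strip)
  parsed = params.each_with_object({}) do |param, acc|
    name, value = param.split('=', 2)
    next if name.nil? || value.nil?
    acc[name.strip.downcase] = value.strip.delete_prefix('"').delete_suffix('"')
  end
  [type.downcase, parsed]
end

# True only for application/activity+json, or for application/ld+json whose
# profile parameter lists the Activity Streams profile URI (the profile value
# may contain several space-separated URIs). A user-uploaded attachment served
# as application/json or application/octet-stream is rejected here.
def activitystreams_content_type?(header)
  type, params = parse_media_type(header)
  case type
  when 'application/activity+json'
    true
  when 'application/ld+json'
    params.fetch('profile', '').split(' ').include?(ACTIVITY_STREAMS_PROFILE)
  else
    false
  end
end

# Combined acceptance check for a fetched object: media type first, then the
# existing requirement that the top-level id equals the URI that was requested.
def accept_fetched_object?(request_uri, content_type, body)
  return false unless activitystreams_content_type?(content_type)
  json = JSON.parse(body)
  json.is_a?(Hash) && json['id'] == request_uri
rescue JSON::ParserError
  false
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: a valid Note, then the same body served as plain JSON.
  body = '{"id":"https://remote.example/notes/1","type":"Note"}'
  puts accept_fetched_object?('https://remote.example/notes/1', 'application/activity+json', body)
  puts accept_fetched_object?('https://remote.example/notes/1', 'application/json', body)
end
```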

Impact

The vulnerability allows a threat actor to impersonate an account on a remote server that satisfies all of the following properties:

  1. Allows the attacker to register an account
  2. Accepts arbitrary user-uploaded documents and places them on the same domain as the ActivityPub actors
  3. Serves user-uploaded documents in response to requests with an Accept header value of the Activity Streams media type

The vulnerability may also affect accounts on server implementations that don't normally serve arbitrary user-uploaded documents, in combination with a vulnerability in the other implementation, such as GHSA-9928-3cp5-93fm, which can make that server serve arbitrary documents.

Severity

High
8.5 / 10

CVSS base metrics

Attack vector: Network
Attack complexity: Low
Privileges required: Low
User interaction: None
Scope: Changed
Confidentiality: Low
Integrity: High
Availability: None

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:N

CVE ID

CVE-2024-25623

Weaknesses

No CWEs

Credits