
Red Hat SSO 7.6 Host Header Injection Vulnerability: Discovery By Packetlabs Tester

Authored by Mark Roy, ethical hacker at Packetlabs. Originally posted on Medium.

At the time of discovery, this issue posed a high-risk security concern for a client, who was unaware of the vulnerability.

This overview was drafted in the interest of raising awareness and helping others mitigate similar risks:

Vulnerability Summary of Red Hat SSO Version 7.6

Red Hat SSO version 7.6 is vulnerable to a Host header injection attack. This issue occurs because the application constructs URLs based on the HTTP Host header, which can be manipulated by the request sender.

As a result, an attacker could tamper with the URLs in password reset requests, redirecting users to malicious websites. By doing this, the attacker can intercept password reset tokens and gain control over the victim’s account.

Red Hat SSO Version 7.6: Attack Overview

1. A password reset request is performed and the Host header is modified to a Burp Collaborator address.

2. The email received by the user contains the modified URL, compromising the integrity of the application’s password reset process.

3. When the user accesses the link, the reset key is logged on the attacker’s web server.

4. The key can be used to reset the password on the victim’s account.

Source Code Review

Since Red Hat SSO is open source, we can review the code to locate the vulnerability.

When we perform the password reset request, we receive a standard response from the application. We can search for this string as a starting point to locate the relevant code.


We find references to the string in several classes, but PasswordResetTest seems like a good starting point. When reviewing the code, we notice an event called SEND_RESET_PASSWORD.


We can search the code for additional references to this event. Among the results, we find another class called ResetCredentialEmail.

Within this class, we can locate the code responsible for generating the password reset URL on line 95. Reviewing it shows that the application uses UriBuilder to construct the URL, seeded from context.getUriInfo(), which is populated from the incoming HTTP request and therefore carries its Host header.


We can confirm the presence of the vulnerable code by attaching a debugger to our SSO instance and pausing the execution after the reset URL is generated. This allows us to inspect the generated URL, as shown in the screenshot, where the manipulated Burp Collaborator address is visible, confirming the vulnerability.

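To make the defect concrete, here is an added Python illustration (not the RH-SSO/Keycloak source, which is Java) of the two ways to build the reset link: build_reset_url_from_host mirrors the pattern found in the review, taking the link's host from the Host header, while build_reset_url_fixed rejects unexpected Host values and takes the host from an operator-configured frontend URL instead. The Request class, the action-token path, the hostnames and the token value are all constructed for the example.

```python
from dataclasses import dataclass, field
from urllib.parse import urlsplit, urlunsplit


@dataclass
class Request:
    """Minimal stand-in for the incoming HTTP request (constructed for this example)."""
    scheme: str
    headers: dict = field(default_factory=dict)
    # Hypothetical action-token path; RH-SSO's real path is not reproduced here.
    path: str = "/auth/realms/demo/login-actions/action-token"


def build_reset_url_from_host(req: Request, token: str) -> str:
    """Vulnerable pattern: the link's authority (host[:port]) is copied from the
    request's Host header, which the sender controls. Whoever controls that host
    receives the reset token when the victim opens the emailed link."""
    host = req.headers.get("Host", "")
    return urlunsplit((req.scheme, host, req.path, f"key={token}", ""))


def build_reset_url_fixed(req: Request, token: str, frontend_url: str,
                          allowed_hosts: set) -> str:
    """Hardened pattern: refuse requests whose Host header is not on the allowlist
    (the 403 behaviour of a Host-checking filter) and build the link from an
    operator-configured frontend URL rather than from the request."""
    host = req.headers.get("Host", "")
    if host not in allowed_hosts:
        raise PermissionError(f"unexpected Host header: {host!r}")  # served as HTTP 403
    base = urlsplit(frontend_url)
    return urlunsplit((base.scheme, base.netloc, req.path, f"key={token}", ""))


def demo() -> dict:
    """Runs both builders against a spoofed and a legitimate request (constructed inputs)."""
    token = "constructed-reset-token"
    allowed = {"localhost:8080", "localhost"}       # same allowlist as the filter on this page
    frontend = "https://sso.example.org"            # assumed canonical frontend URL
    spoofed = Request("https", {"Host": "collaborator.example"})  # sender-chosen Host value
    legit = Request("https", {"Host": "localhost:8080"})
    out = {
        "vulnerable_link_for_spoofed_host": build_reset_url_from_host(spoofed, token),
        "fixed_link_for_legit_host": build_reset_url_fixed(legit, token, frontend, allowed),
    }
    try:
        build_reset_url_fixed(spoofed, token, frontend, allowed)
        out["fixed_spoofed_host"] = "accepted"
    except PermissionError:
        out["fixed_spoofed_host"] = "rejected (403)"
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The vulnerable builder happily emits a link whose host is whatever the sender supplied, which is exactly the link that ends up in the victim's mailbox; the fixed builder never lets request data decide where the token is sent.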

Mitigation of Host Header Injection Attacks

While the root cause of this vulnerability lies in the application code, the risk can be reduced with a temporary fix in the JBoss configuration: by modifying the standalone.xml configuration file, we can add a filter that validates the Host header of incoming requests.

1. Open standalone.xml and locate the section containing the Undertow subsystem.

2. In this example, we’ll add an expression-filter to check that the Host header matches either localhost:8080 or localhost. If the Host header does not match, the server will return a 403 error. This would read as the following:

   <expression-filter name="host-checker" expression="not(equals(%{i,HOST}, 'localhost:8080') or equals(%{i,HOST}, 'localhost')) -> response-code(403)"/>

3. Within the <host> element, add a reference to this filter:

   <host name="default-host" alias="localhost">
       <location name="/" handler="welcome-content"/>
       <http-invoker security-realm="ApplicationRealm"/>
       <filter-ref name="host-checker"/>
   </host>

With this configuration applied, any attempt to exploit the Host header injection vulnerability will be blocked, resulting in the web server returning a 403 response.

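A way to confirm that such a filter behaves as intended before relying on it, as an added Python example rather than anything from the post or from Red Hat: a throwaway local HTTP server applies the same allowlist as the expression-filter above (a Python approximation of the predicate, not Undertow itself), and check_host_filter sends one request with a legitimate Host header and one with a forged one, returning the two status codes. The same probe can be pointed at a real instance by passing its address and port to probe; the hostnames and the request path are constructed.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Same allowlist as the expression-filter shown above.
ALLOWED_HOSTS = {"localhost:8080", "localhost"}


class HostCheckingHandler(BaseHTTPRequestHandler):
    """Stand-in for the filter (an approximation, not Undertow):
    not(Host == 'localhost:8080' or Host == 'localhost') -> 403, otherwise 200."""

    def do_GET(self):
        host = self.headers.get("Host", "")
        if host not in ALLOWED_HOSTS:
            self.send_response(403)
            self.end_headers()
            return
        self.send_response(200)
        self.end_headers()
        self.wfile.write(b"ok")

    def log_message(self, *args):
        pass  # keep the demo quiet


def start_server() -> HTTPServer:
    """Starts the stand-in server on an ephemeral 127.0.0.1 port in a daemon thread."""
    server = HTTPServer(("127.0.0.1", 0), HostCheckingHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def probe(port: int, host_header: str, address: str = "127.0.0.1",
          path: str = "/auth/realms/demo/login-actions/reset-credentials") -> int:
    """Sends one GET with an explicit Host header and returns the HTTP status code.
    The path is a constructed placeholder, not necessarily RH-SSO's real one."""
    conn = http.client.HTTPConnection(address, port, timeout=5)
    try:
        # skip_host=True lets us set Host ourselves instead of the connection's address.
        conn.putrequest("GET", path, skip_host=True)
        conn.putheader("Host", host_header)
        conn.endheaders()
        resp = conn.getresponse()
        resp.read()
        return resp.status
    finally:
        conn.close()


def check_host_filter(port: int, address: str = "127.0.0.1",
                      legit_host: str = "localhost",
                      forged_host: str = "forged-host.example") -> tuple:
    """Returns (status for a legitimate Host, status for a forged Host)."""
    return probe(port, legit_host, address), probe(port, forged_host, address)


if __name__ == "__main__":
    srv = start_server()
    try:
        print(check_host_filter(srv.server_port))
    finally:
        srv.shutdown()
```

An effective filter yields (200, 403); (200, 200) means forged Host values still reach the application and the reset links it generates.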

Red Hat SSO Version 7.6 Vulnerability Summary: FAQs

Q: What is Red Hat SSO and what does it do?

A: Red Hat Single Sign-On provides Web single sign-on and identity federation based on SAML 2.0, OpenID Connect and OAuth 2.0 specifications.


Q: What is a Burp Collaborator address?

A: Burp Collaborator is an external service that Burp can use to help discover many kinds of vulnerabilities, such as external service interaction and out-of-band XSS.


Q: What does the UriBuilder class do?

A: The UriBuilder class provides a convenient way to modify the contents of a Uri instance without creating a new Uri instance for each modification. The UriBuilder properties provide read/write access to the read-only Uri properties so that they can be modified.

Conclusion

As a CREST and SOC 2 Type II accredited penetration testing firm, Packetlabs is made up of over 30 OSCP-minimum ethical hackers like Mark who utilize Packetlabs’ best-in-class methodologies to go well beyond industry standards. We offer several solutions that push the envelope on security, and guarantee full regulatory and cyber insurance compliance.
