<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Passport - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/passport/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 16 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/passport/feed.xml" rel="self" type="application/rss+xml"/><item><title>Laravel Passport Authentication Bypass via Client Credentials Tokens</title><link>https://feed.craftedsignal.io/briefs/2024-01-laravel-passport-auth-bypass/</link><pubDate>Tue, 16 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-laravel-passport-auth-bypass/</guid><description>Laravel Passport before v13.7.1 allows an authentication bypass via client credentials tokens, where a client's identifier can be used to impersonate a user if `Passport::$clientUuids` is set to false or the EnsureClientIsResourceOwner middleware is in use.</description><content:encoded><![CDATA[<p>Laravel Passport, a popular OAuth2 server package for Laravel applications, is vulnerable to an authentication bypass. Specifically, in versions prior to 13.7.1, when using <code>client_credentials</code> grant type tokens, the library sets the JWT <code>sub</code> claim to the client identifier. The <code>TokenGuard</code> then uses this client identifier without validating that it is actually a user ID, leading to a scenario where an attacker-controlled client ID may resolve to an existing user. The risk is amplified when <code>Passport::$clientUuids</code> is set to <code>false</code> or the <code>EnsureClientIsResourceOwner</code> middleware is in use, potentially resulting in machine-to-machine tokens inadvertently authenticating as actual users. This vulnerability allows unauthorized access to resources intended for specific users.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker identifies a Laravel application using a vulnerable version of Laravel Passport (&lt;13.7.1) that uses <code>client_credentials</code> grants.</li>
<li>The attacker registers a new OAuth2 client within the vulnerable application.</li>
<li>The attacker obtains the client ID of the registered client.</li>
<li>The attacker crafts a <code>client_credentials</code> token request to the <code>/oauth/token</code> endpoint, using the client's ID and secret.</li>
<li>The OAuth2 server generates a JWT access token. The <code>sub</code> claim in this token is set to the client ID.</li>
<li>The attacker makes a request to an API endpoint that is protected by Passport's <code>auth:api</code> guard using the crafted JWT access token.</li>
<li>The <code>TokenGuard</code> extracts the client ID from the <code>sub</code> claim of the JWT.</li>
<li>The <code>TokenGuard</code> calls <code>retrieveById()</code> using the client ID. If a user exists with an ID that matches the client ID, the <code>retrieveById()</code> method will return that user. The application incorrectly authenticates the request as that unrelated user, granting unauthorized access.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this vulnerability can lead to significant data breaches and unauthorized access to user accounts. An attacker could gain access to sensitive information, perform actions on behalf of legitimate users, or escalate privileges within the application. The impact depends on the scope of data and actions accessible to a successfully impersonated user. This vulnerability affects all applications using Laravel Passport versions prior to 13.7.1 that have either disabled UUIDs for clients or are using the <code>EnsureClientIsResourceOwner</code> middleware in a vulnerable configuration.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade to Laravel Passport version 13.7.1 or later to patch the vulnerability.</li>
<li>As a workaround, disallow the use of <code>client_credentials</code> grant type to prevent the vulnerability.</li>
<li>Review the configuration of <code>Passport::$clientUuids</code> and ensure it is set to <code>true</code> to mitigate the risk (see documentation in Overview).</li>
<li>Deploy the Sigma rule &quot;Detect Laravel Passport Authentication Bypass Attempt&quot; to detect potential exploitation attempts.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>laravel</category><category>passport</category><category>oauth2</category><category>authentication-bypass</category></item></channel></rss>