ServiceStack is affected by a signature verification bypass in the
ServiceStack.Auth.JwtAuthProviderReader method, which could be used to bypass the authentication mechanisms and/or to elevate privileges.
This security advisory is referred to a vulnerability found and resolved internally by ServiceStack’s development team, read the “Re-discovering a JWT Authentication Bypass in ServiceStack” for more information.
“ServiceStack is an open-source framework designed to be an alternative to the WCF, ASP.NET MVC, and ASP.NET Web API frameworks. It supports REST and SOAP endpoints, autoconfiguration of data formats, inversion of control containers, object-relational mapping, caching mechanisms, and much more.” For more information visit https://servicestack.net/.
The verification of a
JWT token consists of the server extracting the
header and the
payload of the token from a given request, re-calculating the signature server-side, and finally comparing the calculated signature with the one in the request through the
VerifyPayload function make usage of the following
The method is called with the server-side generated signature as
bytes and the request signature as
As no length check is performed and the check is pre-set to the success value (
var compare = 0), it is possible to bypass the whole check by submitting an empty signature. If
0 then no checks are performed and the function will always return
An attacker can forge a valid JWT token with arbitrary content.
Upgrade ServiceStack to version 5.9.2 or later.
This advisory was first published on https://www.shielder.it/advisories/servicestack-jwt-signature-verification-bypass/
2 November 2020