Fossorial Pangolin Privilege Escalation Vulnerability via Insecure 2FA Defaults
Vulnerability
A privilege escalation vulnerability has been identified in Fossorial Pangolin versions through 1.6.2. The issue arises from an insecure default configuration in the authentication system, specifically within the two-factor authentication (2FA) component. This flaw allows remote attackers to bypass PIN authentication and access resources protected by PIN codes. The root cause is that the authentication-specific rate limits are neither configured by default nor documented, so the PIN and 2FA endpoints are covered only by the much looser global limit and remain exposed to exploitation.
Impact
Exploitation of this vulnerability allows for unauthorized access to PIN-protected resources and bypassing of two-factor authentication, potentially leading to unauthorized actions or access within the application.
Reproduction
The vulnerability can be reproduced by deploying Fossorial Pangolin without applying the necessary rate limit configurations for authentication. Once the application is running with the default global rate limit of 500 requests per minute per IP and path, an attacker can exploit the lack of specific rate limiting on PIN-based authentication and 2FA verification. This can be done by sending requests to the '/resource/:resourceId/pincode' endpoint to guess PIN codes, or by bypassing 2FA on the '/login' endpoint, effectively escalating privileges.
Remediation
Users are advised to manually configure the authentication rate limits in accordance with the application's documentation, ensuring that PIN-based and 2FA authentication endpoints are adequately protected.