parisneo lollms Improper Access Control Vulnerability in Session Management Allows Admin Privilege Escalation

Vulnerability

A vulnerability in session management has been identified in parisneo/lollms version 2.1.0. The issue arises from the use of a weak secret key for signing JSON Web Tokens (JWT), which creates a loophole for improper access control. This vulnerability enables attackers to conduct offline brute-force attacks to recover the secret key. Once obtained, the key can be used to forge administrative tokens by altering the JWT payload and re-signing it with the cracked secret. This exploitation allows unauthorized users to escalate privileges, impersonate administrators, and access restricted endpoints.

Impact

Exploitation of this vulnerability leads to unauthorized admin account takeover, allowing access to sensitive data and administrative functions.

Reproduction

To reproduce this vulnerability, log into the application with a standard user account and intercept the JWT using a proxy tool like Burp Suite. After capturing the token, analyze it to extract the payload, which includes the username. Then, perform an offline brute-force attack on the JWT signature using a tool like John the Ripper or crackdone, targeting the weak secret key. Once the secret is cracked, forge a new JWT by modifying the payload to include admin privileges and re-signing it with the recovered secret. Finally, replace the original token with the forged one and access an administrative endpoint to verify the privilege escalation.

Remediation

Users who have already installed the application with a weak key can benefit from the automatic key rotation feature in version 2.2.0, which updates the secret key to a secure value. For new installations, the updated installation scripts ensure the use of a strong, cryptographically secure key.
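The two remediation mechanisms described above, a startup check that rotates a weak signing key and a generator for a cryptographically secure one, written as an added Python example; this is not lollms's own code, and the 32-byte minimum, the denylist entries and the `jwt_secret` config key are assumptions.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional

# 256 bits: the minimum HS256 key length recommended by RFC 7518 (assumed policy here).
MIN_SECRET_BYTES = 32
# Constructed denylist of placeholder defaults; a real deployment would list the
# default the vulnerable installer actually shipped.
KNOWN_WEAK_SECRETS = {"secret", "changeme", "example_default_secret"}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def sign_hs256(payload: dict, secret: str) -> str:
    """Mint a compact HS256 JWT (header.payload.signature) with the given secret."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(secret.encode(), f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify_hs256(token: str, secret: str) -> Optional[dict]:
    """Return the payload if the HMAC matches the secret, otherwise None."""
    try:
        header, body, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(secret.encode(), f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url(expected), sig):  # constant-time comparison
        return None
    return json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))


def is_weak_secret(secret: str) -> bool:
    """A secret is weak if it is shorter than MIN_SECRET_BYTES or a known default."""
    return len(secret.encode()) < MIN_SECRET_BYTES or secret.lower() in KNOWN_WEAK_SECRETS


def generate_secret() -> str:
    """48 random bytes (384 bits) from the OS CSPRNG, URL-safe encoded."""
    return secrets.token_urlsafe(48)


def rotate_if_weak(config: dict) -> bool:
    """Replace a weak 'jwt_secret' in place; returns True if a rotation happened."""
    if is_weak_secret(config.get("jwt_secret", "")):
        config["jwt_secret"] = generate_secret()
        return True
    return False
```

After rotation, any token minted under the old weak key fails `verify_hs256` against the new key, which is what invalidates previously forged admin tokens.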

Added: Apr 7, 2026, 7:46 AM
Updated: Apr 7, 2026, 7:46 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 5.0
exploitability: 8.7
remediation: 0.0
relevance: 5.4
threat: 6.4
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.