Crabbox Authentication Bypass Vulnerability Allowing Privilege Escalation
Vulnerability
A vulnerability allowing authentication bypass has been identified in Crabbox versions prior to 0.9.0. The issue lies in the coordinator's user-token verification, where the verifyUserToken() function improperly accepts payloads that carry an admin claim. This flaw enables privilege escalation: an attacker holding a shared non-admin token can craft a user-token payload that includes an admin claim, sign it with HMAC-SHA256, and present it to admin-only coordinator routes. Successful exploitation grants full administrative access on the coordinator, including visibility into leases, control over pool states, and the ability to force release operations.
Impact
Exploitation of this vulnerability allows for unauthorized privilege escalation, granting attackers full administrative rights on the coordinator, including access to sensitive lease information, control over pool states, and the ability to forcibly release resources.
Reproduction
To reproduce this vulnerability, first obtain a shared non-admin token. Then craft a user-token payload that includes an admin claim set to true, sign it with HMAC-SHA256, and present it to an admin-only coordinator route. The request is authorized, bypassing the intended admin check.
Remediation
Users are advised to update to Crabbox version 0.9.0 or later, where this vulnerability has been fixed.
