Microsoft UFO
- v3.0.1-4-ge2626659
A vulnerability in the Microsoft UFO open-source framework, specifically in version 3.0.1-4-ge2626659, allows authenticated WebSocket clients to spoof roles and identities, leading to unauthorized task execution on connected devices. The WebSocket control plane improperly trusts the client-supplied identity and role fields in task messages. This flaw enables a client registered as a normal device to send messages claiming the higher-privilege constellation role, targeting other devices and hijacking their task execution. Additionally, the vulnerability allows existing client registrations to be overwritten, further facilitating unauthorized actions.
Exploitation of this vulnerability allows for unauthorized role escalation from 'device' to 'constellation' at the message layer, enabling peer task hijacking. Attacker-controlled tasks can be dispatched to another connected device, executed in the context of that device's automation, and potentially disrupt active automation sessions. The vulnerability also exposes task results and sensitive device data from the targeted device to the attacker. Furthermore, the same client can overwrite live mappings of other devices by reusing a 'client_id', replacing the previous device's WebSocket, role, and task protocol.
The vulnerability can be reproduced by registering a WebSocket connection as a normal 'device'. Once connected, the client can send a 'TASK' message that includes a forged 'client_type' value of 'constellation' and a 'target_id' that corresponds to a victim device. The server accepts the spoofed role and dispatches the task to the targeted device, executing it in the context of that device's automation. Additionally, the vulnerability allows registration of a duplicate 'client_id', which overwrites the existing live client's WebSocket, role, and task protocol.
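The following is an added example of a hardened control-plane model, not UFO's own code: the role is bound to the connection at registration time, a 'TASK' message's 'client_type' field is never used for authorization, and duplicate 'client_id' registrations are rejected rather than replacing the live mapping. The class and method names (ControlPlane, register, dispatch) are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field

# Simplified, hypothetical model of a WebSocket control plane; names are
# assumptions and do not reflect UFO's actual API.


@dataclass
class Registration:
    client_id: str
    role: str      # fixed server-side at registration: "device" or "constellation"
    ws: object     # the WebSocket connection object (any placeholder in tests)


@dataclass
class ControlPlane:
    clients: dict = field(default_factory=dict)   # client_id -> Registration
    dispatched: list = field(default_factory=list)  # (sender, target, task) log

    def register(self, client_id: str, role: str, ws: object) -> bool:
        # Reject a duplicate client_id instead of silently overwriting the
        # existing live registration (the second issue in the advisory).
        if client_id in self.clients:
            return False
        if role not in ("device", "constellation"):
            return False
        self.clients[client_id] = Registration(client_id, role, ws)
        return True

    def dispatch(self, sender_ws: object, msg: dict) -> bool:
        # Identify the sender from the connection itself, never from message fields.
        sender = next((r for r in self.clients.values() if r.ws == sender_ws), None)
        if sender is None or msg.get("type") != "TASK":
            return False
        # A client-supplied client_type that disagrees with the registered role
        # is treated as a spoofing attempt and rejected; it is never trusted.
        if msg.get("client_type", sender.role) != sender.role:
            return False
        # Only the server-side role grants the right to target other devices.
        if sender.role != "constellation":
            return False
        target = self.clients.get(msg.get("target_id"))
        if target is None or target.client_id == sender.client_id:
            return False
        self.dispatched.append((sender.client_id, target.client_id, msg.get("task")))
        return True
```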