Summary
When fetching remote Activity Streams objects, Misskey doesn't check that the response from the remote server has a Content-Type header value of the Activity Streams media type. This allows a threat actor to upload a crafted Activity Streams document to a remote server and make a Misskey instance fetch it, if the remote server accepts arbitrary user uploads.
Details
ApResolverService.prototype.resolve doesn't check that the response from the remote server has a Content-Type header value of the Activity Streams media type (i.e. application/ld+json with a profile value of https://www.w3.org/ns/activitystreams, or application/activity+json). As a result, a Misskey instance can fetch a user-uploaded document on a remote server (including a document on the Drive of another Misskey instance) and accept it as an Activity Streams object unless it's otherwise malformed.
The ap/show API endpoint refetches the id of the top-level node of the fetched JSON-LD document when it doesn't match the original request URL. This should have increased the complexity of the exploit, as the threat actor would need the ability to predict the URI of an uploaded document before uploading it, or to edit an uploaded document without changing its URI. Misskey itself uses UUIDs in the URIs of uploaded documents, so it should have been hard to impersonate accounts on a Misskey instance via ap/show.
However, that check is not performed by ApNoteService.prototype.createNote, so it can be bypassed by creating an intermediary Note object that references the URL of the uploaded document and making a Misskey instance fetch the intermediary object.
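As an added illustration, not Misskey's own code, the following TypeScript shows the two checks a fetcher should apply before accepting a fetched document as the object at the requested URL: the media-type check that the advisory reports as missing from ApResolverService.prototype.resolve, and the id-consistency check that ap/show performs but createNote does not. The function names (parseContentType, isActivityStreamsMediaType, checkFetchedObject), the verdict values and the fixture hosts and documents are hypothetical.

```typescript
// Added example, not Misskey's code: the two checks a fetcher should apply
// before treating a fetched document as the Activity Streams object at `url`.
// Function names, verdicts and the fixture documents below are hypothetical.

const AS_PROFILE = 'https://www.w3.org/ns/activitystreams';

// Split a header on ';' but not inside quoted parameter values.
function splitParams(s: string): string[] {
  const parts: string[] = [];
  let cur = '';
  let inQuote = false;
  for (let i = 0; i < s.length; i++) {
    const ch = s[i];
    if (ch === '"') inQuote = !inQuote;
    if (ch === ';' && !inQuote) {
      parts.push(cur);
      cur = '';
    } else {
      cur += ch;
    }
  }
  parts.push(cur);
  return parts;
}

// Parse a Content-Type header into a lowercase media type and its parameters
// (keys lowercased, surrounding quotes stripped from values).
function parseContentType(header: string): { type: string; params: Record<string, string> } {
  const pieces = splitParams(header);
  const params: Record<string, string> = {};
  for (let i = 1; i < pieces.length; i++) {
    const eq = pieces[i].indexOf('=');
    if (eq < 0) continue;
    const key = pieces[i].slice(0, eq).trim().toLowerCase();
    let value = pieces[i].slice(eq + 1).trim();
    if (value.length >= 2 && value[0] === '"' && value[value.length - 1] === '"') {
      value = value.slice(1, -1);
    }
    params[key] = value;
  }
  return { type: pieces[0].trim().toLowerCase(), params };
}

// True only for application/activity+json, or for application/ld+json whose
// profile parameter (a whitespace-separated list of URIs) names the AS profile.
function isActivityStreamsMediaType(header: string | null): boolean {
  if (header === null) return false;
  const { type, params } = parseContentType(header);
  if (type === 'application/activity+json') return true;
  if (type !== 'application/ld+json') return false;
  const profiles = (params['profile'] || '').split(/\s+/);
  return profiles.indexOf(AS_PROFILE) !== -1;
}

interface FetchedResponse {
  url: string;                // the URL that was actually requested
  contentType: string | null; // response Content-Type header, if any
  body: unknown;              // parsed JSON body
}

type Verdict = 'ok' | 'bad-content-type' | 'not-an-object' | 'refetch-id';

// 'bad-content-type': a user upload served with the storage's own media type is
//   rejected before its contents are looked at.
// 'refetch-id': the document claims an id other than the URL it was fetched
//   from, so the caller must fetch that id itself rather than trust this body.
function checkFetchedObject(res: FetchedResponse): Verdict {
  if (!isActivityStreamsMediaType(res.contentType)) return 'bad-content-type';
  if (typeof res.body !== 'object' || res.body === null || Array.isArray(res.body)) {
    return 'not-an-object';
  }
  const id = (res.body as { id?: unknown }).id;
  if (typeof id !== 'string' || id !== res.url) return 'refetch-id';
  return 'ok';
}

// Constructed fixtures (hypothetical hosts, paths and documents).
const legitimateActor: FetchedResponse = {
  url: 'https://remote.example/users/alice',
  contentType: 'application/ld+json; profile="https://www.w3.org/ns/activitystreams"',
  body: { id: 'https://remote.example/users/alice', type: 'Person',
          inbox: 'https://remote.example/users/alice/inbox' },
};

// A crafted actor uploaded to the same host's file storage: it carries the
// victim's id and a foreign inbox, but the storage serves it as plain JSON.
const uploadedFakeActor: FetchedResponse = {
  url: 'https://remote.example/files/3f1c0e2a-7c6e-4c58-9f61-1c2a4d1a9b0e',
  contentType: 'application/json',
  body: { id: 'https://remote.example/users/alice', type: 'Person',
          inbox: 'https://attacker.example/inbox' },
};
```

Both checks belong in the shared resolver so that every caller gets them; applying the id check only in ap/show is exactly what the intermediary Note bypass described above takes advantage of. The media-type check assumes the remote server does not let uploaders choose an Activity Streams Content-Type for their files, which is why the Impact section below scopes the affected servers the way it does.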
The vulnerability can be exploited in the following ways:
Spoofing the attributedTo property for impersonation
A threat actor can impersonate a remote account by uploading documents with a crafted attributedTo property equal to the Activity Streams actor URI of the victim account.
Creating fake accounts and takeover of remote accounts
A threat actor can create fake (pseudo) accounts by uploading crafted actor objects to a remote server.
The id of the fake actor can be the URI of another legitimate actor on the remote server, if the Misskey instance hasn't fetched that actor before. The exploit therefore enables a takeover of the inbox of an existing remote account and interception of activities (including private ones) that local users send to the remote account.
Impact
The vulnerability allows a threat actor to impersonate and take over an account on a remote server that satisfies all of the following properties:
- Allows the threat actor to register an account
- Accepts arbitrary user-uploaded documents and places them on the same domain as legitimate Activity Streams actors
- Serves user-uploaded documents in response to requests with an Accept header value of the Activity Streams media type
The vulnerability may also affect accounts on server implementations that don't normally serve arbitrary user-uploaded documents, in combination with a vulnerability in that implementation, such as GHSA-9928-3cp5-93fm, which can make the server serve arbitrary documents.
Timeline
| Date and time | Event |
| --- | --- |
| 2020-07-15T06:02:24Z | The same kind of issue was reported to Pleroma: https://git.pleroma.social/pleroma/pleroma/-/issues/1948#note_67278 |
| 2023-09 | Independently of Pleroma's issue, the reporter (@tesaguri) discovered the same kind of issue in Kitsune, an alpha-stage server implementation, and reported it to the author of the implementation via GitHub's security advisory feature. At that time, the reporter regarded the issue only as a phishing vector (creating fake actors on hosting services like GitHub, rather than on ActivityPub servers) and did not expect that it could be exploited for impersonation and takeover of existing actors in practice. |
| 2023-10-28T15:59:49Z | A security advisory on the vulnerability in Kitsune was published: GHSA-xmw2-875x-rq88. |
| 2024-02-07+0900 | The reporter filed this report with the Misskey Project. |
The important point is that the same kind of issue has been publicly disclosed at least twice before, so anyone familiar with implementations like Misskey may have conceived the exploit with little effort. It's strongly advised to update existing deployments to the patched version as soon as possible.