Description
Vulnerability Introduction
Xiaozhi ESP32 Server Java V3.0.0 (the latest version) contains an authentication bypass vulnerability. An attacker can use the access whitelist configured by the developer to obtain sensitive user information, and can forge a cookie to log in as any user.
Vulnerability Analysis
Locate the whitelisted routes in com/xiaozhi/common/config/WebMvcConfig.java.
Follow the reference to authenticationInterceptor.
As the comments indicate, this is the actual interceptor code.
A whitelist is also defined here:
```java
"/api/user/",
"/api/device/ota",
"/audio/",
"/uploads/",
"/ws/"
```

In the preHandle function there are five pass-through points (requests matching these prefixes skip authentication).
Next, look at how the username taken from the cookie is validated:

```java
private boolean tryAuthenticateWithCookies(HttpServletRequest request, HttpServletResponse response) {
    // Check whether a "username" cookie is present
    Cookie[] cookies = request.getCookies();
    if (cookies != null) {
        for (Cookie cookie : cookies) {
            if ("username".equals(cookie.getName())) {
                String username = cookie.getValue();
                if (StringUtils.isNotBlank(username)) {
                    SysUser user = userService.selectUserByUsername(username);
                    if (user != null) {
                        // Store the user in the session and in the request attributes
                        HttpSession session = request.getSession(true);
                        session.setAttribute(SysUserService.USER_SESSIONKEY, user);
                        request.setAttribute(CmsUtils.USER_ATTRIBUTE_KEY, user);
                        CmsUtils.setUser(request, user);
                        return true;
                    }
                }
                break;
            }
        }
    }
    return false;
}
```

The overall flow is: check whether a username is present in the cookie, then look that username up in the database. If the user exists, the session information is populated directly; the cookie value itself is never signed or otherwise verified.
Therefore, the following cookie field is enough:

```
username=admin
```

Vulnerability Reproduction
When accessing a route that requires authentication without a cookie, the response indicates that the user is not logged in.
After adding the cookie, the forged identity is accepted and authentication is bypassed.
Here I forged the default admin user. In practice, the /api/user/queryUsers interface performs no authentication check at all (it falls under the whitelisted /api/user/ prefix), so it can be used to list the usernames of all users, which means any user can be forged.
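For comparison, the following is an added example of the defensive counterpart, not code from the report or from the Xiaozhi project: instead of trusting a bare username in a cookie, the server issues the cookie value as `base64(username).base64(HMAC-SHA256(username))` under a server-side key and rejects any value whose tag does not verify. The class name `SignedUsernameCookie`, the method names `issue`/`verify` and the demo key are assumptions for illustration; the servlet plumbing is omitted so the class runs with a plain JDK.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/**
 * Hardened replacement for a plaintext "username" cookie (added example, not
 * the project's code). The cookie value carries the username together with an
 * HMAC-SHA256 tag computed under a server-side secret. A value without a valid
 * tag is rejected, so a client that simply sets "username=admin" is not
 * logged in.
 */
public final class SignedUsernameCookie {
    private static final String ALG = "HmacSHA256";
    private static final Base64.Encoder ENC = Base64.getUrlEncoder().withoutPadding();
    private static final Base64.Decoder DEC = Base64.getUrlDecoder();

    private SignedUsernameCookie() {}

    /** Cookie value the server issues at login: base64(username) + "." + base64(tag). */
    public static String issue(String username, byte[] serverKey) throws Exception {
        String encodedName = ENC.encodeToString(username.getBytes(StandardCharsets.UTF_8));
        return encodedName + "." + ENC.encodeToString(hmac(encodedName, serverKey));
    }

    /** Returns the username if the tag verifies; null means "treat as not logged in". */
    public static String verify(String cookieValue, byte[] serverKey) throws Exception {
        if (cookieValue == null) return null;
        int dot = cookieValue.lastIndexOf('.');
        // No tag at all (e.g. the bare value "admin"): reject without a database lookup
        if (dot <= 0 || dot == cookieValue.length() - 1) return null;
        String encodedName = cookieValue.substring(0, dot);
        byte[] suppliedTag;
        byte[] nameBytes;
        try {
            suppliedTag = DEC.decode(cookieValue.substring(dot + 1));
            nameBytes = DEC.decode(encodedName);
        } catch (IllegalArgumentException malformed) {
            return null;
        }
        byte[] expectedTag = hmac(encodedName, serverKey);
        // Constant-time comparison so a forger learns nothing from timing
        if (!MessageDigest.isEqual(expectedTag, suppliedTag)) return null;
        return new String(nameBytes, StandardCharsets.UTF_8);
    }

    private static byte[] hmac(String data, byte[] key) throws Exception {
        Mac mac = Mac.getInstance(ALG);
        mac.init(new SecretKeySpec(key, ALG));
        return mac.doFinal(data.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws Exception {
        // Constructed demo key; a real deployment loads 32+ random bytes from configuration
        byte[] key = "constructed-demo-key-not-for-production".getBytes(StandardCharsets.UTF_8);

        String issued = issue("admin", key);
        System.out.println("server-issued value -> " + verify(issued, key));   // admin

        System.out.println("bare 'admin' cookie -> " + verify("admin", key));  // null (rejected)

        // Swap the username but keep the old tag: the tag no longer matches
        String swapped = ENC.encodeToString("root".getBytes(StandardCharsets.UTF_8))
                + issued.substring(issued.lastIndexOf('.'));
        System.out.println("swapped username    -> " + verify(swapped, key));  // null (rejected)
    }
}
```

In the interceptor, `verify` would replace the direct `cookie.getValue()` read, and only a non-null result would be passed to `selectUserByUsername`. The simpler fix is to drop the username cookie entirely and rely on the server-side `HttpSession` the code already creates (with an `HttpOnly`, `Secure` session cookie), since the session id is random and cannot be guessed from a username list. Narrowing the whitelist so that `/api/user/queryUsers` no longer matches the `/api/user/` prefix is a separate, independent fix.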
