auth-bypass-regression.txtar

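 # vi: set ft=conf
# Regression test for an SSH public-key authentication bypass.
#
# VULNERABILITY DESCRIPTION:
# A critical authentication bypass allows an attacker to impersonate any user
# (including Admin) by offering that user's public key without signing with
# it, and then authenticating successfully with their own key.
#
# ATTACK SCENARIO:
# 1. Attacker obtains Admin's public key (publicly available)
# 2. Attacker configures SSH client to offer TWO keys in sequence:
#    - First: Admin's public key (attacker has this but not the private key)
#    - Second: Attacker's own valid key pair
# 3. During SSH handshake:
#    - Server sees admin's public key offered
#    - PublicKeyHandler() is called, looks up admin user, stores in context
#    - Server requests signature with admin's key
#    - Attacker can't sign (doesn't have admin's private key), this key fails
#    - Server tries next key (attacker's key)
#    - PublicKeyHandler() called again with attacker's key
#    - Server requests signature with attacker's key
#    - Attacker signs successfully with their own private key
# 4. Admin user is still in context from step 3, even though authentication
#    succeeded with attacker's key!
# 5. Attacker gains full Admin privileges
#
# ROOT CAUSE (as described in the scenario above):
# The user is looked up and stored when a key is merely OFFERED, before the
# client has proven possession of the matching private key, and that stored
# user remains in effect when a different key is the one that verifies.
#
# INVARIANT THIS TEST PROTECTS:
# The identity attached to a session must come only from the key whose
# signature the server actually verified, never from a key that was offered
# and then abandoned.
#
# THIS TEST VERIFIES:
# - Using "attacksoft" command which offers both admin and attacker keys
# - Attacker should NOT be able to perform admin user operations
# - Attacker should NOT gain admin user privileges
# - Server state is unchanged after each denied operation (checked as admin)

# Normalise line endings of the expected-error fixture so the byte-for-byte
# `cmp` below also holds on Windows checkouts.
[windows] dos2unix notauthorizederr.txt

# start soft serve
exec soft serve &
# wait for SSH server to start
ensureserverrunning SSH_PORT

# Create a private repo as admin that only admin can access
soft repo create admin-only-repo -p

# TEST 1: Simulate the attack using attacksoft command
# NOTE(review): a bare `!` passes on ANY failure (including a connection
# error), so the state check below is what proves the request was denied
# rather than never delivered.
! attacksoft repo create attacker-created-repo
# The repo must not exist when listed with admin credentials.
soft repo list
! stdout 'attacker-created-repo'

# TEST 2: Verify attacker cannot access admin's private repo
! attacksoft git-upload-pack admin-only-repo
cmp stderr notauthorizederr.txt

# TEST 3: Verify admin can still create repos (sanity check)
soft repo create admin-created-repo

# TEST 4: Verify attacker cannot delete admin's repo
! attacksoft repo delete admin-only-repo
# The private repo must still be present after the denied delete.
soft repo list
stdout 'admin-only-repo'

# TEST 5: Verify attacker cannot change settings
# NOTE(review): only the exit status is checked here. Consider also reading
# the setting back as admin and asserting it is unchanged, and asserting the
# expected stderr for TEST 1, 4 and 5 once the exact messages are confirmed.
! attacksoft settings anon-access read-write

# stop the server
[windows] stopserver
[windows] ! stderr .

-- notauthorizederr.txt --
Error: you are not authorized to do this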