CAcert Bug Tracker

View Issue Details
ID: 0001339
Project: Main CAcert Website
Category: my account
View Status: public
Date Submitted: 2014-11-15 09:00
Last Update: 2015-06-23 20:09
Reporter: BenBE
Assigned To: BenBE
Priority: immediate
Severity: block
Reproducibility: always
Status: solved?
Resolution: fixed
Platform:
OS:
OS Version:
Product Version: 2012 Q1
Target Version: 2014 Q4
Fixed in Version:
Summary: 0001339: Account Pwnage using OTP hash
Description: While reviewing the OTP related code due to a support request on that topic, a problem was found that could be used to take over someone else's account if that account has an OTP hash and/or an additional OTP PIN set. In addition, a bug in the OTP implementation was found related to the OTP PIN being ineffective.
Steps To Reproduce: Brute force guess hard enough and long enough random 6 hex-digit passwords until you are in. Your last try is the account's new password.
Additional Information: A PoC has been tested on the test system and succeeded in less than 6 hours (using about 250k guesses).

While reviewing the code other problems related to OTP management have been found:
- Missing rate limiting (simplifying the PoC)
- Missing format checks (you could attack both 6 and 8 digit OTPs as both are accepted)
- Missing visual feedback on the user interface if an OTP hash is present
- Missing documentation
- Several other issues related in the implementation
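The two controls the report lists as missing, a strict 6-hex-digit format check and a per-account attempt limit, as an added Python example (this is not CAcert's code; the SHA-256 storage hash and the 5-attempts-per-hour policy are assumptions chosen for illustration):

```python
import hmac
import re
import time
from hashlib import sha256

OTP_FORMAT = re.compile(r"[0-9a-f]{6}")   # exactly 6 hex digits; 8-digit values are rejected
MAX_ATTEMPTS = 5                          # assumed policy: failed attempts per account per window
WINDOW_SECONDS = 3600


def otp_hash(otp: str) -> str:
    """Hash of the stored OTP (SHA-256 is an assumption; the report does not say what was used)."""
    return sha256(otp.encode()).hexdigest()


class OtpVerifier:
    def __init__(self, stored_hash: str, now=time.time):
        self.stored_hash = stored_hash
        self.now = now          # injectable clock so the limiter can be exercised offline
        self.failures = []      # timestamps of recent failed attempts for this account

    def verify(self, candidate: str) -> str:
        # 1. Format check: anything that is not exactly 6 hex digits is refused outright.
        candidate = candidate.strip().lower()
        if not OTP_FORMAT.fullmatch(candidate):
            return "bad_format"
        # 2. Rate limit: forget failures outside the window, refuse once the budget is spent.
        t = self.now()
        self.failures = [f for f in self.failures if t - f < WINDOW_SECONDS]
        if len(self.failures) >= MAX_ATTEMPTS:
            return "locked"
        # 3. Constant-time comparison of the candidate's hash against the stored hash.
        if hmac.compare_digest(otp_hash(candidate), self.stored_hash):
            self.failures.clear()
            return "ok"
        self.failures.append(t)
        return "wrong"


def keyspace() -> int:
    """Number of distinct 6-hex-digit OTPs."""
    return 16 ** 6


def guess_budget(seconds: int) -> int:
    """Upper bound on guesses one account can receive in `seconds` under this policy."""
    windows = -(-seconds // WINDOW_SECONDS)   # ceiling division
    return MAX_ATTEMPTS * windows
```

Without any limiter the report's PoC made about 250k guesses in under 6 hours; with this policy, guess_budget(6 * 3600) bounds the same 6 hours to 30 guesses per account against a keyspace of 16^6.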
Tags: No tags attached.
Reviewed by: NEOatNHNG, BenBE
Test Instructions: Try to set an OTP Hash/PIN (Lost Password Questions page), try to login using OTP, try OTP login when OTP hash set in DB; all should fail
Attached Files:

- Relationships
related to 0001341 (solved?, BenBE): Rate limit for login attempts

-  Notes
(0005106)
BenBE (updater)
2014-11-16 00:29

Patch internally available for the Software Assessors to review. Will be applied to the test system on short notice when reviews are done.
(0005108)
MartinGummi (updater)
2014-11-18 18:44
edited on: 2014-11-18 18:44

Test before installing the patch on the test system

Set an OTP Hash and OTP Pin
works

Login with email and passcode
works

Change Password
works

Login with new Password
works

(0005109)
BenBE (updater)
2014-11-18 18:50

Second review received by NEOatNHNG via private (signed) mail.

The Critical Admin Team has been notified of the upcoming patch to prepare for quick action.
(0005110)
BenBE (updater)
2014-11-18 19:47

Patch pushed in git and installed on testserver.
(0005111)
MartinGummi (updater)
2014-11-18 19:47

Test after installing the patch on the test system

Login with username and password works
-> OK

no fields for OTP Hash and OTP Pin
-> OK
=> OK
(0005112)
INOPIAE (updater)
2014-11-18 19:50
edited on: 2014-11-18 19:51

Set OTP hash and OTP PIN
first test before patch update:
Login with OTP passphrase: Login successful, redirected to password change page account.php?id=14 with red bar. OLD passphrase is OTP passphrase.

second test after update:
Login with OTP passphrase: failed. => ok
Login with normal passphrase: successful => ok

(0005113)
BenBE (updater)
2014-11-18 19:52

Patch sent to Critical Admin Team
(0005114)
mendel (updater)
2014-11-18 22:12

Update the bug entry on https://bugs.cacert.org to "Solved?" with a message stating when the patch was installed on the production server, and including a reference to the e-mail sent out in step 10, which can be found in the cacert-systemlog archives at https://lists.cacert.org/wws/arc/cacert-systemlog/

Just sent out the email https://lists.cacert.org/wws/arc/cacert-systemlog/2014-11/msg00012.html
(0005409)
Eva (updater)
2015-06-22 18:30

Why is this bug private and closed?

Normally bugs should not be required to be private at a stage where they can be closed.
(0005411)
BenBE (updater)
2015-06-23 20:09

Reopened due to ongoing arbitration a20141118.1 related to this issue.

As the related issue 0001341 has been resolved the information of this issue can also be publicly shown.

- Related Changesets
cacert-devel: release 3e578bf6
Timestamp: 2014-11-15 11:12:12
Author: felixd
bug-1339: remove all traces of OTP
mod - www/index.php
mod - includes/account.php
mod - pages/account/13.php
cacert-devel: release ce9b70c7
Timestamp: 2014-11-18 18:36:13
Author: BenBE
Merge branch 'bug-1339' into release
cacert-devel: testserver-stable f535d495
Timestamp: 2014-11-18 18:37:24
Author: BenBE
Merge branch 'bug-1339' into testserver-stable
mod - includes/account.php
mod - pages/account/13.php
mod - www/index.php

- Issue History
Date Modified Username Field Change
2014-11-15 09:00 BenBE New Issue
2014-11-15 09:00 BenBE Assigned To => BenBE
2014-11-15 09:00 BenBE Status new => needs work
2014-11-15 17:54 felixd Additional Information Updated
2014-11-16 00:29 BenBE Note Added: 0005106
2014-11-16 00:29 BenBE Status needs work => fix available
2014-11-16 00:32 BenBE Reviewed by => BenBE
2014-11-16 00:32 BenBE Test Instructions => Try to set an OTP Hash/PIN (Lost Password Questions page), try to login using OTP, try OTP login when OTP hash set in DB; all should fail
2014-11-18 18:44 MartinGummi Note Added: 0005108
2014-11-18 18:44 MartinGummi Note Edited: 0005108
2014-11-18 18:50 BenBE Reviewed by BenBE => NEOatNHNG, BenBE
2014-11-18 18:50 BenBE Note Added: 0005109
2014-11-18 19:45 BenBE Changeset attached => cacert-devel release ce9b70c7
2014-11-18 19:45 felixd Changeset attached => cacert-devel release 3e578bf6
2014-11-18 19:45 BenBE Changeset attached => cacert-devel testserver-stable f535d495
2014-11-18 19:47 BenBE Status fix available => needs review & testing
2014-11-18 19:47 BenBE Note Added: 0005110
2014-11-18 19:47 BenBE Status needs review & testing => needs testing
2014-11-18 19:47 MartinGummi Note Added: 0005111
2014-11-18 19:50 INOPIAE Note Added: 0005112
2014-11-18 19:51 INOPIAE Note Edited: 0005112
2014-11-18 19:52 BenBE Note Added: 0005113
2014-11-18 19:52 BenBE Status needs testing => ready to deploy
2014-11-18 22:12 mendel Note Added: 0005114
2014-11-18 22:12 mendel Status ready to deploy => solved?
2014-11-18 22:12 mendel Resolution open => fixed
2015-05-12 20:32 INOPIAE Status solved? => closed
2015-06-22 18:30 Eva Note Added: 0005409
2015-06-23 20:09 BenBE Note Added: 0005411
2015-06-23 20:09 BenBE Status closed => solved?
2015-06-23 20:09 BenBE View Status private => public
2015-06-23 20:09 BenBE Relationship added related to 0001341