View Issue Details

IDProjectCategoryView StatusLast Update
0001339Main CAcert Websitemy accountpublic2015-06-23 20:09
ReporterBenBEAssigned ToBenBE 
PriorityimmediateSeverityblockReproducibilityalways
Status solved?Resolutionfixed 
Product Version2012 Q1 
Target Version2014 Q4Fixed in Version 
Summary0001339: Account Pwnage using OTP hash
DescriptionWhile reviewing the OTP related code due to a support request on that topic a problem was found that could be used to take over someone else's account if that account has an OTP hash and/or an additional OTP pin set. In addition a bug in the OTP implementation was found related to the OTP PIN being ineffective.
Steps To ReproduceBrute force guess hard enough and long enough random 6 hex-digit passwords until you are in. Your last try is the account's new password.
Additional InformationA PoC has been tested on the test system and succeeded in less then 6 hours (using about 250k guesses).

While reviewing the code other problems related to OTP management have been found:
- Missing rate limiting (simplifying the PoC)
- Missing format checks (you could attack both 6 and 8 digit OTPs as both are accepted)
- Missing visual feedback on the user interface if an OTP hash is present
- Missing documentation
- Several other issues related in the implementation
TagsNo tags attached.
Reviewed byNEOatNHNG, BenBE
Test InstructionsTry to set an OTP Hash/PIN (Lost Password Questions page), try to login using OTP, try OTP login when OTP hash set in DB; all should fail

Relationships

related to 0001341 solved?BenBE Rate limit for login attempts 

Activities

BenBE

2014-11-16 00:29

updater   ~0005106

Patch internally available for the Software Assessors to review. Will be applied to the test system on short notice when reviews are done.

MartinGummi

2014-11-18 18:44

updater   ~0005108

Last edited: 2014-11-18 18:44

View 2 revisions

test before install the patch on test system

Set an OTP Hash and OTP Pin
works

Login with email and passcode
works

Change Password
works

Login with new Password
works

BenBE

2014-11-18 18:50

updater   ~0005109

Second review received by NEOatNHNG via private (signed) mail.

The Critical Admin Team has been notified of the upcoming patch to prepare for quick action.

BenBE

2014-11-18 19:47

updater   ~0005110

Patch pushed in git and installed on testserver.

MartinGummi

2014-11-18 19:47

updater   ~0005111

Test after install patch on test system

Login with username an password works
-> OK

no fields for OTP Hash and OTP Pin
-> OK


=> OK

INOPIAE

2014-11-18 19:50

updater   ~0005112

Last edited: 2014-11-18 19:51

View 2 revisions

Set OTP hash and OTP PIN
first test before patch update:
Login with OTP passphrase: Login successful, redirected to password change page account.php?id=14 with red bar. OLD passphrase is OTP passphrase.

second test after update:
Login with OTP passphrase: failed. => ok
Login with normal passphrase: successful =>ok

BenBE

2014-11-18 19:52

updater   ~0005113

Patch sent to Critical Admin Team

mendel

2014-11-18 22:12

updater   ~0005114

Update the bug entry on  https://bugs.cacert.org to "Solved?" with a message stating when the patch was installed on the production server, and including a reference to the e-mail sent out in step 10, which can be found in the cacert-systemlog archives at  https://lists.cacert.org/wws/arc/cacert-systemlog/

Just sent out the email https://lists.cacert.org/wws/arc/cacert-systemlog/2014-11/msg00012.html

Eva

2015-06-22 18:30

updater   ~0005409

Why is this bug private and closed?

Normaly bugs should not be required to be private at a stage where they can be closed.

BenBE

2015-06-23 20:09

updater   ~0005411

Reopened due to ongoing arbitration a20141118.1 related to this issue.

As the related issue 0001341 has been resolved the information of this issue can also be publicly shown.

Issue History

Date Modified Username Field Change
2014-11-15 09:00 BenBE New Issue
2014-11-15 09:00 BenBE Assigned To => BenBE
2014-11-15 09:00 BenBE Status new => needs work
2014-11-15 17:54 felixd Additional Information Updated View Revisions
2014-11-16 00:29 BenBE Note Added: 0005106
2014-11-16 00:29 BenBE Status needs work => fix available
2014-11-16 00:32 BenBE Reviewed by => BenBE
2014-11-16 00:32 BenBE Test Instructions => Try to set an OTP Hash/PIN (Lost Password Questions page), try to login using OTP, try OTP login when OTP hash set in DB; all should fail
2014-11-18 18:44 MartinGummi Note Added: 0005108
2014-11-18 18:44 MartinGummi Note Edited: 0005108 View Revisions
2014-11-18 18:50 BenBE Reviewed by BenBE => NEOatNHNG, BenBE
2014-11-18 18:50 BenBE Note Added: 0005109
2014-11-18 19:45 BenBE Source_changeset_attached => cacert-devel release ce9b70c7
2014-11-18 19:45 felixd Source_changeset_attached => cacert-devel release 3e578bf6
2014-11-18 19:45 BenBE Source_changeset_attached => cacert-devel testserver-stable f535d495
2014-11-18 19:47 BenBE Status fix available => needs review & testing
2014-11-18 19:47 BenBE Note Added: 0005110
2014-11-18 19:47 BenBE Status needs review & testing => needs testing
2014-11-18 19:47 MartinGummi Note Added: 0005111
2014-11-18 19:50 INOPIAE Note Added: 0005112
2014-11-18 19:51 INOPIAE Note Edited: 0005112 View Revisions
2014-11-18 19:52 BenBE Note Added: 0005113
2014-11-18 19:52 BenBE Status needs testing => ready to deploy
2014-11-18 22:12 mendel Note Added: 0005114
2014-11-18 22:12 mendel Status ready to deploy => solved?
2014-11-18 22:12 mendel Resolution open => fixed
2015-05-12 20:32 INOPIAE Status solved? => closed
2015-06-22 18:30 Eva Note Added: 0005409
2015-06-23 20:09 BenBE Note Added: 0005411
2015-06-23 20:09 BenBE Status closed => solved?
2015-06-23 20:09 BenBE View Status private => public
2015-06-23 20:09 BenBE Relationship added related to 0001341