CAcert Bug Tracker

View Issue Details

ID: 0001339
Project: Main CAcert Website
Category: my account
View Status: public
Date Submitted: 2014-11-15 09:00
Last Update: 2015-06-23 20:09
Assigned To: BenBE
Platform / OS / OS Version: (not set)
Product Version: 2012 Q1
Target Version: 2014 Q4
Fixed in Version: (not set)
Summary: 0001339: Account Pwnage using OTP hash
Description: While reviewing the OTP-related code due to a support request on that topic, a problem was found that could be used to take over someone else's account if that account has an OTP hash and/or an additional OTP PIN set. In addition, a bug in the OTP implementation was found related to the OTP PIN being ineffective.
Steps To Reproduce: Brute-force guess random 6 hex-digit passwords hard enough and long enough until you are in. Your last try is the account's new password.
Additional Information: A PoC has been tested on the test system and succeeded in less than 6 hours (using about 250k guesses).

While reviewing the code other problems related to OTP management have been found:
- Missing rate limiting (simplifying the PoC)
- Missing format checks (you could attack both 6 and 8 digit OTPs as both are accepted)
- Missing visual feedback on the user interface if an OTP hash is present
- Missing documentation
- Several other issues related in the implementation
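Added example (not CAcert's code, and not the fix from the bug-1339 changesets): a login guard that closes the two gaps the report names, a strict format check so only exactly 6 hex digits are ever compared, and a per-account failure limit so a guessing stream is cut off after a few tries. The attempt limit, lockout window and hash scheme are assumptions for this illustration.

```python
import hashlib
import hmac
import re

# Constructed example, not CAcert's code: a login guard closing two gaps the report
# names, missing format checks and missing rate limiting. Limits are assumptions.
OTP_FORMAT = re.compile(r"[0-9a-f]{6}")   # the OTP is supposed to be exactly 6 hex digits
MAX_FAILURES = 5                           # failed guesses tolerated per account per window
LOCKOUT_SECONDS = 900.0                    # failures older than this are forgotten

def otp_hash(otp: str) -> str:
    """Stored form of an OTP (hash scheme assumed for this example)."""
    return hashlib.sha256(otp.encode()).hexdigest()

class OtpLoginGuard:
    def __init__(self, stored_hashes, clock):
        self._hashes = stored_hashes   # account -> otp_hash(...)
        self._failures = {}            # account -> timestamps of recent failures
        self._clock = clock            # injected so the demo is deterministic

    def _locked(self, account):
        now = self._clock()
        recent = [t for t in self._failures.get(account, []) if now - t < LOCKOUT_SECONDS]
        self._failures[account] = recent
        return len(recent) >= MAX_FAILURES

    def attempt(self, account, candidate):
        """Return 'bad-format', 'locked', 'wrong' or 'ok'; never touches the password."""
        candidate = candidate.lower()
        # Anything that is not exactly 6 hex digits is refused before comparison,
        # so an 8-digit guess cannot widen the accepted keyspace.
        if not OTP_FORMAT.fullmatch(candidate):
            return "bad-format"
        if self._locked(account):
            return "locked"
        expected = self._hashes.get(account)
        if expected is not None and hmac.compare_digest(otp_hash(candidate), expected):
            self._failures.pop(account, None)
            return "ok"
        self._failures.setdefault(account, []).append(self._clock())
        return "wrong"

def outcomes_of_guessing(guard, account, guesses):
    """Tally what a stream of guesses against one account gets back."""
    tally = {}
    for guess in guesses:
        result = guard.attempt(account, guess)
        tally[result] = tally.get(result, 0) + 1
    return tally
```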
Tags: No tags attached.
Reviewed by: NEOatNHNG, BenBE
Test Instructions: Try to set an OTP Hash/PIN (Lost Password Questions page), try to login using OTP, try OTP login when OTP hash set in DB; all should fail
Attached Files: (none)

- Relationships
related to 0001341 (solved?, BenBE): Rate limit for login attempts

- Notes
BenBE (updater)
2014-11-16 00:29

Patch internally available for the Software Assessors to review. Will be applied to the test system on short notice when reviews are done.
MartinGummi (updater)
2014-11-18 18:44
edited on: 2014-11-18 18:44

Test before installing the patch on the test system

Set an OTP Hash and OTP Pin

Login with email and passcode

Change Password

Login with new Password

BenBE (updater)
2014-11-18 18:50

Second review received by NEOatNHNG via private (signed) mail.

The Critical Admin Team has been notified of the upcoming patch to prepare for quick action.
BenBE (updater)
2014-11-18 19:47

Patch pushed in git and installed on testserver.
MartinGummi (updater)
2014-11-18 19:47

Test after installing the patch on the test system

Login with username and password works
-> OK

No fields for OTP Hash and OTP PIN
-> OK

=> OK
INOPIAE (updater)
2014-11-18 19:50
edited on: 2014-11-18 19:51

Set OTP hash and OTP PIN
First test before the patch update:
Login with OTP passphrase: Login successful, redirected to password change page account.php?id=14 with red bar. OLD passphrase is OTP passphrase.

Second test after the update:
Login with OTP passphrase: failed. => ok
Login with normal passphrase: successful => ok

BenBE (updater)
2014-11-18 19:52

Patch sent to Critical Admin Team
mendel (updater)
2014-11-18 22:12

Update the bug entry on [^] to "Solved?" with a message stating when the patch was installed on the production server, and including a reference to the e-mail sent out in step 10, which can be found in the cacert-systemlog archives at [^]

Just sent out the email [^]
Eva (updater)
2015-06-22 18:30

Why is this bug private and closed?

Normally bugs should not be required to be private at a stage where they can be closed.
BenBE (updater)
2015-06-23 20:09

Reopened due to ongoing arbitration a20141118.1 related to this issue.

As the related issue 0001341 has been resolved, the information of this issue can also be publicly shown.

- Related Changesets
cacert-devel: release 3e578bf6
Timestamp: 2014-11-15 11:12:12
Author: felixd
bug-1339: remove all traces of OTP
mod - www/index.php
mod - includes/account.php
mod - pages/account/13.php

cacert-devel: release ce9b70c7
Timestamp: 2014-11-18 18:36:13
Author: BenBE
Merge branch 'bug-1339' into release

cacert-devel: testserver-stable f535d495
Timestamp: 2014-11-18 18:37:24
Author: BenBE
Merge branch 'bug-1339' into testserver-stable
mod - includes/account.php
mod - pages/account/13.php
mod - www/index.php

- Issue History
Date Modified Username Field Change
2014-11-15 09:00 BenBE New Issue
2014-11-15 09:00 BenBE Assigned To => BenBE
2014-11-15 09:00 BenBE Status new => needs work
2014-11-15 17:54 felixd Additional Information Updated
2014-11-16 00:29 BenBE Note Added: 0005106
2014-11-16 00:29 BenBE Status needs work => fix available
2014-11-16 00:32 BenBE Reviewed by => BenBE
2014-11-16 00:32 BenBE Test Instructions => Try to set an OTP Hash/PIN (Lost Password Questions page), try to login using OTP, try OTP login when OTP hash set in DB; all should fail
2014-11-18 18:44 MartinGummi Note Added: 0005108
2014-11-18 18:44 MartinGummi Note Edited: 0005108
2014-11-18 18:50 BenBE Reviewed by BenBE => NEOatNHNG, BenBE
2014-11-18 18:50 BenBE Note Added: 0005109
2014-11-18 19:45 BenBE Changeset attached => cacert-devel release ce9b70c7
2014-11-18 19:45 felixd Changeset attached => cacert-devel release 3e578bf6
2014-11-18 19:45 BenBE Changeset attached => cacert-devel testserver-stable f535d495
2014-11-18 19:47 BenBE Status fix available => needs review & testing
2014-11-18 19:47 BenBE Note Added: 0005110
2014-11-18 19:47 BenBE Status needs review & testing => needs testing
2014-11-18 19:47 MartinGummi Note Added: 0005111
2014-11-18 19:50 INOPIAE Note Added: 0005112
2014-11-18 19:51 INOPIAE Note Edited: 0005112
2014-11-18 19:52 BenBE Note Added: 0005113
2014-11-18 19:52 BenBE Status needs testing => ready to deploy
2014-11-18 22:12 mendel Note Added: 0005114
2014-11-18 22:12 mendel Status ready to deploy => solved?
2014-11-18 22:12 mendel Resolution open => fixed
2015-05-12 20:32 INOPIAE Status solved? => closed
2015-06-22 18:30 Eva Note Added: 0005409
2015-06-23 20:09 BenBE Note Added: 0005411
2015-06-23 20:09 BenBE Status closed => solved?
2015-06-23 20:09 BenBE View Status private => public
2015-06-23 20:09 BenBE Relationship added related to 0001341

Copyright © 2000 - 2017 MantisBT Team
Powered by Mantis Bugtracker