View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0001339 | Main CAcert Website | my account | public | 2014-11-15 09:00 | 2015-06-23 20:09 |
| Reporter | BenBE | Assigned To | BenBE | ||
| Priority | immediate | Severity | block | Reproducibility | always |
| Status | solved? | Resolution | fixed | ||
| Product Version | 2012 Q1 | ||||
| Target Version | 2014 Q4 | ||||
| Summary | 0001339: Account Pwnage using OTP hash | ||||
| Description | While reviewing the OTP related code due to a support request on that topic a problem was found that could be used to take over someone else's account if that account has an OTP hash and/or an additional OTP pin set. In addition a bug in the OTP implementation was found related to the OTP PIN being ineffective. | ||||
| Steps To Reproduce | Brute force guess hard enough and long enough random 6 hex-digit passwords until you are in. Your last try is the account's new password. | ||||
| Additional Information | A PoC has been tested on the test system and succeeded in less then 6 hours (using about 250k guesses). While reviewing the code other problems related to OTP management have been found: - Missing rate limiting (simplifying the PoC) - Missing format checks (you could attack both 6 and 8 digit OTPs as both are accepted) - Missing visual feedback on the user interface if an OTP hash is present - Missing documentation - Several other issues related in the implementation | ||||
| Tags | No tags attached. | ||||
| Reviewed by | NEOatNHNG, BenBE | ||||
| Test Instructions | Try to set an OTP Hash/PIN (Lost Password Questions page), try to login using OTP, try OTP login when OTP hash set in DB; all should fail | ||||
|
|
Patch internally available for the Software Assessors to review. Will be applied to the test system on short notice when reviews are done. |
|
|
test before install the patch on test system Set an OTP Hash and OTP Pin works Login with email and passcode works Change Password works Login with new Password works |
|
|
Second review received by NEOatNHNG via private (signed) mail. The Critical Admin Team has been notified of the upcoming patch to prepare for quick action. |
|
|
Patch pushed in git and installed on testserver. |
|
|
Test after install patch on test system Login with username an password works -> OK no fields for OTP Hash and OTP Pin -> OK => OK |
|
|
Set OTP hash and OTP PIN first test before patch update: Login with OTP passphrase: Login successful, redirected to password change page account.php?id=14 with red bar. OLD passphrase is OTP passphrase. second test after update: Login with OTP passphrase: failed. => ok Login with normal passphrase: successful =>ok |
|
|
Patch sent to Critical Admin Team |
|
|
Update the bug entry on  https://bugs.cacert.org to "Solved?" with a message stating when the patch was installed on the production server, and including a reference to the e-mail sent out in step 10, which can be found in the cacert-systemlog archives at  https://lists.cacert.org/wws/arc/cacert-systemlog/ Just sent out the email https://lists.cacert.org/wws/arc/cacert-systemlog/2014-11/msg00012.html |
|
|
Why is this bug private and closed? Normaly bugs should not be required to be private at a stage where they can be closed. |
|
|
Reopened due to ongoing arbitration a20141118.1 related to this issue. As the related issue 0001341 has been resolved the information of this issue can also be publicly shown. |
| Date Modified | Username | Field | Change |
|---|---|---|---|
| 2014-11-15 09:00 | BenBE | New Issue | |
| 2014-11-15 09:00 | BenBE | Assigned To | => BenBE |
| 2014-11-15 09:00 | BenBE | Status | new => needs work |
| 2014-11-15 17:54 | felixd | Additional Information Updated | |
| 2014-11-16 00:29 | BenBE | Note Added: 0005106 | |
| 2014-11-16 00:29 | BenBE | Status | needs work => fix available |
| 2014-11-16 00:32 | BenBE | Reviewed by | => BenBE |
| 2014-11-16 00:32 | BenBE | Test Instructions | => Try to set an OTP Hash/PIN (Lost Password Questions page), try to login using OTP, try OTP login when OTP hash set in DB; all should fail |
| 2014-11-18 18:44 | MartinGummi | Note Added: 0005108 | |
| 2014-11-18 18:44 | MartinGummi | Note Edited: 0005108 | |
| 2014-11-18 18:50 | BenBE | Reviewed by | BenBE => NEOatNHNG, BenBE |
| 2014-11-18 18:50 | BenBE | Note Added: 0005109 | |
| 2014-11-18 19:45 | BenBE | Source_changeset_attached | => cacert-devel release ce9b70c7 |
| 2014-11-18 19:45 | felixd | Source_changeset_attached | => cacert-devel release 3e578bf6 |
| 2014-11-18 19:45 | BenBE | Source_changeset_attached | => cacert-devel testserver-stable f535d495 |
| 2014-11-18 19:47 | BenBE | Status | fix available => needs review & testing |
| 2014-11-18 19:47 | BenBE | Note Added: 0005110 | |
| 2014-11-18 19:47 | BenBE | Status | needs review & testing => needs testing |
| 2014-11-18 19:47 | MartinGummi | Note Added: 0005111 | |
| 2014-11-18 19:50 | INOPIAE | Note Added: 0005112 | |
| 2014-11-18 19:51 | INOPIAE | Note Edited: 0005112 | |
| 2014-11-18 19:52 | BenBE | Note Added: 0005113 | |
| 2014-11-18 19:52 | BenBE | Status | needs testing => ready to deploy |
| 2014-11-18 22:12 | mendel | Note Added: 0005114 | |
| 2014-11-18 22:12 | mendel | Status | ready to deploy => solved? |
| 2014-11-18 22:12 | mendel | Resolution | open => fixed |
| 2015-05-12 20:32 | INOPIAE | Status | solved? => closed |
| 2015-06-22 18:30 | Eva | Note Added: 0005409 | |
| 2015-06-23 20:09 | BenBE | Note Added: 0005411 | |
| 2015-06-23 20:09 | BenBE | Status | closed => solved? |
| 2015-06-23 20:09 | BenBE | View Status | private => public |
| 2015-06-23 20:09 | BenBE | Relationship added | related to 0001341 |
