While researching and working on bug bounties in late January 2013, I found a way to bypass authentication that lets an attacker take over any user account on an affected website and also gain Super Admin and Admin privileges if the site is vulnerable to this type of attack.
Using this vulnerability the attacker can bypass the countermeasure that drops tampered requests, predict the login validation and access control processes for any victim's account by combining them with a simple technique, and in this way bypass authentication for any account regardless of its password. The victim's account is compromised because the login validation process is predictable by the attacker.
I tried various techniques to bypass the login, such as arbitrary method usage and anonymous method usage, but all of them failed. There was also a countermeasure: if we modified the response and then sent that modified response back to the server as a request, the server did not answer the modified request but dropped it instead. So the challenge was to bypass this countermeasure, understand the login validation process and find a weakness in it. Below I describe how I was able to bypass both the countermeasure and the authentication.
Please note: there was a precondition that the attacker must know the victim's login ID or user ID and must lock the victim's account.
During testing we found that an attacker can bypass authentication of Super Admin, Admin and Normal (read-only privileged) users by locking the victim's account and modifying the JSON response message.
Steps to Execute the Attack:
1. Go to the application login page and lock the victim's account with 3 wrong password attempts.
2. Now enter the normal (test) user's username with any random value as the password.
3. Intercept the login request and forward it; the original response will now be intercepted, as shown below:
Original Response:
HTTP/1.1 200 OK
Server: Apache-Coyote
Content-disposition: attachment
Content-Type: application/json;charset=utf-8
Content-Length: 88
Date: Wed, 16 Jan 2013 10:05:20 GMT
OK[10,0,0,0,0,["site.com","You Account has been Locked, Please contact Administrator."]]
4. Now modify the original response as shown below, but do not modify the status code 200 OK or any headers, and forward it; the attacker is now logged into the Normal User's (victim's) account.
Modified Response to Bypass Authentication of Normal User:
HTTP/1.1 200 OK
Server: Apache-Coyote
Content-disposition: attachment
Content-Type: application/json;charset=utf-8
Content-Length: 44
Date: Wed, 16 Jan 2013 10:09:10 GMT
OK[10,0,0,0,0,["site.com,"N","Normal User"]]
Note: "10" denotes normal user and "N" denotes read only privilege.
5. Now, to gain Admin user privileges while doing the authentication bypass, repeat steps 1, 2 and 3 and then modify the original response as shown below, but do not modify the status code 200 OK or any headers, and forward it; the attacker is now logged into the Admin User's (victim's) account.
HTTP/1.1 200 OK
Server: Apache-Coyote
Content-disposition: attachment
Content-Type: application/json;charset=utf-8
Content-Length: 43
Date: Wed, 16 Jan 2013 10:13:07 GMT
OK[20,0,0,0,0,["site.com,"Y","Admin User"]]
Note: "20" denotes admin user and "Y" denotes write privilege.
6. Now, to gain Super Admin user privileges while doing the authentication bypass, repeat steps 1, 2 and 3 and then modify the original response as shown below, but do not modify the status code 200 OK or any headers, and forward it; the attacker is now logged into the Super Admin User's (victim's) account.
HTTP/1.1 200 OK
Server: Apache-Coyote
Content-disposition: attachment
Content-Type: application/json;charset=utf-8
Content-Length: 49
Date: Wed, 16 Jan 2013 10:17:35 GMT
OK[30,0,0,0,0,["site.com,"Y","Super Admin User"]]
So in this way we can easily bypass the authentication and gain Super Admin and Admin privileges :).
Impact:
The login validation and access control processes are predictable, so an attacker can easily compromise any user's account on the application and gain Super Admin and Admin privileges; in addition, the countermeasure that drops modified (i.e. tampered) responses was bypassable.
Recommendation:
The login validation shall not depend on any combination of response code values, cookie values and JSON-based status code values. Nor shall it depend on client-side validation or on a countermeasure that drops modified requests; instead, proper server-side validation of the password shall be performed, and there shall be proper server-side access control.
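To make the recommendation concrete, here is an added example (my own illustration, not code from the original post or from the affected application) of a login handler in which both the password check and the privilege decision happen on the server. The user store, session store, account names, passwords and the AuthService/authorize function names are all constructed for this example; the role codes reuse the post's convention (10 normal, 20 admin, 30 super admin) but are only ever read from the server-side table, never from anything the client sends back.

```python
# Added example (not code from the original post or the affected site): a login
# handler whose authentication and access-control decisions are made entirely on
# the server. The user store, session store and account names are constructed
# here for illustration; the role codes reuse the post's convention (10 normal,
# 20 admin, 30 super admin) but are only ever read from the server-side table.
import hashlib
import hmac
import secrets

MAX_FAILED_ATTEMPTS = 3           # lockout threshold, as in the post
_SALT = b"constructed-demo-salt"  # real code uses a random per-user salt


def _hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 50_000)


def make_user_store() -> dict:
    """Constructed sample accounts: password hash, server-assigned role, lockout state."""
    return {
        "alice": {"pw": _hash_password("correct horse"), "role": 10, "failed": 0, "locked": False},
        "root": {"pw": _hash_password("s3cr3t-admin"), "role": 20, "failed": 0, "locked": False},
    }


class AuthService:
    """Sessions map an unguessable token to a username; the role is never
    stored on or accepted from the client."""

    def __init__(self, users: dict):
        self.users = users
        self.sessions = {}  # token -> username, server side only

    def login(self, username: str, password: str) -> dict:
        user = self.users.get(username)
        if user is None:
            return {"status": "FAIL", "msg": "Invalid credentials"}
        if user["locked"]:
            # A locked account never yields a session, whatever the client displays.
            return {"status": "LOCKED", "msg": "Account locked, contact administrator"}
        if not hmac.compare_digest(_hash_password(password), user["pw"]):
            user["failed"] += 1
            if user["failed"] >= MAX_FAILED_ATTEMPTS:
                user["locked"] = True
            return {"status": "FAIL", "msg": "Invalid credentials"}
        user["failed"] = 0
        token = secrets.token_urlsafe(32)
        self.sessions[token] = username
        # The role in the reply is a display hint only; editing it in a proxy
        # changes nothing the server will later check.
        return {"status": "OK", "role": user["role"], "session": token}

    def authorize(self, token: str, required_role: int) -> bool:
        """Access control: resolve token -> user -> role on the server."""
        username = self.sessions.get(token)
        if username is None:
            return False
        return self.users[username]["role"] >= required_role


def authorize_trusting_client(client_role: int, required_role: int) -> bool:
    """The anti-pattern the post describes: privilege derived from a role code
    the client holds, so a tampered login response is enough to look like admin."""
    return client_role >= required_role


def demo() -> dict:
    """Walk through the post's scenario against the hardened service."""
    svc = AuthService(make_user_store())
    for _ in range(MAX_FAILED_ATTEMPTS):
        svc.login("alice", "wrong")                     # lock alice, as in step 1
    locked_reply = svc.login("alice", "anything")       # step 2 against a locked account
    # Rewriting locked_reply["role"] to 30 in a proxy gains nothing: no token was issued.
    forged = svc.authorize("token-invented-by-attacker", 10)
    admin_reply = svc.login("root", "s3cr3t-admin")
    return {
        "locked_status": locked_reply["status"],
        "forged_session_accepted": forged,
        "admin_can_write": svc.authorize(admin_reply["session"], 20),
        "admin_is_super": svc.authorize(admin_reply["session"], 30),
        "client_trusting_check": authorize_trusting_client(30, 30),
    }
```

The design point is that the server's later access checks consult only its own session table and user store; the JSON it returns at login is informational, so a proxy that rewrites the role code or the "locked" message cannot mint a session or raise a privilege. Contrast `authorize_trusting_client`, which grants whatever role the client claims and is the pattern the post exploits.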
So in this way one can perform privilege escalation through authentication bypass and bypass the authentication of any victim's account by evading the modified-request-dropping countermeasure and predicting the login validation and access control processes. The same approach can be used to find this type of vulnerability on many different websites.