Authentication vulnerability (part 3)

Tram Ho

IV. Analyze and exploit vulnerabilities in multi-factor authentication

1. Overview

Section III showed that, with brute force alone, there are already many ways to attack password-based authentication. Even when a system adds extra mechanisms to block that technique, bypasses keep turning up, and few developers would dare to claim that their product is "impregnable". That alone shows that password authentication by itself is not secure enough, especially for systems holding a lot of important data. Providers therefore need at least one more "wall" in front of the user's account, and two-factor authentication (2FA) is the solution many vendors choose.

2. What is two-factor authentication (2FA)? Which type of 2FA should I choose?

To quote a definition of multi-factor authentication (MFA):

Multi-factor authentication (MFA; encompassing two-factor authentication, or 2FA, along with similar terms) is an electronic authentication method in which a user is granted access to a website or application only after successfully presenting two or more pieces of evidence (or factors) to an authentication mechanism: knowledge (something only the user knows), possession (something only the user has), and inherence (something only the user is).

Two-factor authentication (2FA) is a form of MFA; put simply, it is a two-factor, or two-step, authentication process. After the user completes the first step (usually username and password), the system asks for one more step to raise the level of security. The second step rests on the principle that the evidence used for it must be tied directly to the user: something only that user knows, or something only that user has.

From this principle you can easily picture (from films, for example) authentication systems based on the face or a fingerprint: the factor is unique to the person and very hard to replace or counterfeit. This can be a very good security mechanism for users and businesses alike. In practice, however (at least for now), facial or other biometric authentication cannot be applied everywhere, partly because of the technical requirements and partly because the operating cost is too high (currently mainly large enterprises, banking applications and government organisations use it).

The second-step solution usually chosen is to ask the user to enter a code sent to their phone, or to use a code-generator application linked to the website being authenticated (for example Google Authenticator).

3. Is it possible to bypass two-factor authentication (2FA) easily?

Clearly the two-step mechanism raises security a great deal compared with password-only authentication. Even setting aside "physical" attacks such as taking over the phone that receives the 2FA code, or carelessly losing the phone or personal information, the 2FA mechanism still carries a certain level of risk.

Before it reaches the user, the 2FA code has to travel from the system to the user's phone, so it can be intercepted by a man-in-the-middle attack (see the article Attacking Man-in-the-Middle).

On the system side, no matter how secure the authentication mechanism is, it is written by human programmers, so defects are hard to avoid. For example, on some websites entering the 2FA code is just a "disguised, meaningless" step: the system already lets you use its features once the password login succeeds (this comes from a programming error).

Lab analysis: 2FA simple bypass

In this lab we are given a valid account (used to analyse how the authentication system works) and the username:password of the victim account; we need to get past the 2FA mechanism to access the victim's account. The email client page lets us read the 2FA codes sent to user wiener.

Try logging in with the wiener:peter account and observe the requests.

After logging in at /login , the system redirects us to a new /login2 page to perform 2FA code verification.

After entering the verification code successfully, we are taken to wiener's personal page. Clicking My account again, the URL identifies wiener's profile:

From these signs we can guess that, when logging in with the correct credentials at /login, we are already fully authenticated there, and /login2 is just a side step that checks the code.

Indeed, before entering the 2FA code, change the URL to wiener's personal page and it loads successfully.

So we can log in as carlos:montoya at /login and then edit the URL directly to /my-account?id=carlos.
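To make the flaw concrete, here is an added example (not the lab's or the article's own code) that models the two servers side by side: a vulnerable one that marks the session as logged in at /login and treats /login2 as a detached extra, and a hardened one that keeps the session in a "pending" state until the code is verified. The user store, passwords and codes are constructed for the demo; the endpoint names follow the lab.

```python
"""Added example, not the lab's or the article's own code: a minimal model of
the '2FA simple bypass' flaw. The vulnerable server marks the session as
logged in at /login and treats /login2 as a detached extra, so /my-account
never checks whether the code step happened. Users, passwords and codes are
constructed for the demo."""
import secrets

# Constructed user store (plaintext passwords only to keep the model short).
USERS = {"wiener": "peter", "carlos": "montoya"}


class VulnerableServer:
    """POST /login fully authenticates the session before the 2FA code is checked."""

    def __init__(self):
        self.sessions = {}       # session cookie -> session state
        self.pending_codes = {}  # username -> 2FA code "emailed" to that user

    def login(self, username, password):
        """POST /login: returns a session cookie, or None on a wrong password."""
        if USERS.get(username) != password:
            return None
        sid = secrets.token_hex(8)
        self.sessions[sid] = {"user": username}  # flaw: logged in already
        self.pending_codes[username] = f"{secrets.randbelow(10_000):04d}"
        return sid

    def login2(self, sid, code):
        """POST /login2: checks the code, but nothing downstream depends on it."""
        user = self.sessions[sid]["user"]
        expected = self.pending_codes.pop(user, None)
        return expected is not None and secrets.compare_digest(expected, code)

    def my_account(self, sid, account_id):
        """GET /my-account?id=...: 200 if the session's user owns that account."""
        sess = self.sessions.get(sid)
        if sess is None or sess.get("user") != account_id:
            return 403
        return 200


class HardenedServer(VulnerableServer):
    """Same endpoints; the session only gains a 'user' once /login2 succeeds."""

    def login(self, username, password):
        if USERS.get(username) != password:
            return None
        sid = secrets.token_hex(8)
        self.sessions[sid] = {"pending_user": username}  # half-logged-in state
        self.pending_codes[username] = f"{secrets.randbelow(10_000):04d}"
        return sid

    def login2(self, sid, code):
        sess = self.sessions[sid]
        user = sess.get("pending_user")
        if user is None:
            return False
        expected = self.pending_codes.pop(user, None)  # single use: a miss means re-login
        if expected is None or not secrets.compare_digest(expected, code):
            return False
        sess["user"] = sess.pop("pending_user")  # promoted only now
        return True


def skip_2fa(server, username, password, account_id):
    """Attacker's flow from the lab: log in, ignore /login2, open /my-account directly."""
    sid = server.login(username, password)
    return server.my_account(sid, account_id)


def full_flow(server, username, password):
    """Legitimate flow: log in, read the code from 'email', submit it, open the account."""
    sid = server.login(username, password)
    code = server.pending_codes[username]  # stands in for the lab's email client
    if not server.login2(sid, code):
        return 403
    return server.my_account(sid, username)


if __name__ == "__main__":
    print("vulnerable, 2FA skipped:", skip_2fa(VulnerableServer(), "carlos", "montoya", "carlos"))
    print("hardened, 2FA skipped:  ", skip_2fa(HardenedServer(), "carlos", "montoya", "carlos"))
    print("hardened, full flow:    ", full_flow(HardenedServer(), "wiener", "peter"))
```

The point to check in a real application is the same as in the model: whatever key the authorization code reads (here `sess["user"]`) must only be written after the last authentication step, never at the password step.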

4. Bypass two-factor authentication (2FA) with logic flaws

Sometimes, after the user completes the first step (logging in with the account), the system attaches a cookie to that user and then uses that same cookie to identify the user when they complete the second step.

Consider the following example, here is the request when the user submits the first step credentials to the system:

The request above sends username=carlos and password=qwerty to the system by POST. The system then issues a cookie to user carlos before sending them on to the second authentication step:

The cookie set for user carlos is account=carlos. This is an insecure cookie: its value is the login name itself, with no signature and no binding to a server-side session, so the client can change it freely. When the user then completes the 2FA step, the system uses this very cookie to identify the user:

You have surely already seen what we can do with this cookie. An attacker can replace its value with another user's login name, and the system may then believe that it is the victim who is completing 2FA. Of course, the attacker would prefer the victim not to be active on their account at the time (asleep, for example).

Lab analysis: 2FA broken logic

In this lab we are again given a valid account (used to analyse how the authentication system works) and the username:password of the victim account; we need to get past the 2FA mechanism to access the victim's account. The email client page lets us read the 2FA codes sent to user wiener.

First, log in with the valid account wiener:peter and route the requests through Burp Suite to learn how the authentication mechanism works.

After logging in at /login, the system redirects us to /login2 for 2FA code verification, and identifies the user there with the verify=wiener cookie:

Resending the 2FA verification request many times shows that the system does not block brute force. Furthermore, mfa-code is a random 4-digit number, so there are only 10,000 possible values and we can brute-force it after changing the cookie to verify=carlos.

Select brute force mode, set the length to 4 characters and limit the character set to the digits 0-9:

We get 1269 as a valid 2FA code. Right-click, choose Show response in browser, then copy the URL into the browser to access carlos's account:
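The two weaknesses the lab combines, identity taken from a client-editable cookie and an unlimited 4-digit code, are modelled below in an added example that is not the lab's or the article's own code. The vulnerable server reproduces the verify=&lt;username&gt; behaviour; the hardened server binds the pending 2FA state to an opaque server-side token and destroys it after three wrong guesses. Users, passwords and the `verify`/`mfa-code` handling are constructed, and the assumption that GET /login2 issues a code for whoever the cookie names is mine, made to mirror the lab flow.

```python
"""Added example, not the lab's or the article's own code: a model of the
'2FA broken logic' flaw. After the password step the vulnerable server sets
verify=<username> and later trusts that cookie, rather than a server-side
session, to decide whose code is being checked; with a 4-digit code and no
attempt limit, the second step falls to a 10,000-request brute force.
Users, passwords and cookie names are constructed; the GET /login2 handler
issuing a code for whoever the cookie names is an assumption about the lab."""
import secrets

USERS = {"wiener": "peter", "carlos": "montoya"}  # constructed user store


def new_code():
    """Four random decimal digits, zero-padded, like the lab's mfa-code."""
    return f"{secrets.randbelow(10_000):04d}"


class VulnerableServer:
    def __init__(self):
        self.codes = {}      # username -> current 2FA code
        self.logged_in = {}  # session token -> username, issued after step two
        self.requests = 0    # POST /login2 requests the server accepted

    def login(self, username, password):
        """POST /login: on a correct password, Set-Cookie: verify=<username>."""
        if USERS.get(username) != password:
            return None
        return {"verify": username}  # flaw: identity lives in a client-editable cookie

    def login2_page(self, cookies):
        """GET /login2 (assumed): generates and 'emails' a code for the named user."""
        user = cookies.get("verify")
        if user in USERS:
            self.codes[user] = new_code()

    def login2(self, cookies, mfa_code):
        """POST /login2: no attempt counter, no lockout, identity from the cookie."""
        self.requests += 1
        user = cookies.get("verify")
        if user in self.codes and self.codes[user] == mfa_code:
            token = secrets.token_hex(16)
            self.logged_in[token] = user
            return token
        return None


class HardenedServer:
    MAX_ATTEMPTS = 3

    def __init__(self):
        self.pending = {}    # opaque token -> {"user", "code", "attempts"}
        self.logged_in = {}
        self.requests = 0

    def login(self, username, password):
        if USERS.get(username) != password:
            return None
        token = secrets.token_hex(16)  # opaque; the username never leaves the server
        self.pending[token] = {"user": username, "code": new_code(), "attempts": 0}
        return {"session": token}

    def login2_page(self, cookies):
        pass  # the code was bound to the session at /login; nothing to generate here

    def login2(self, cookies, mfa_code):
        self.requests += 1
        token = cookies.get("session")
        state = self.pending.get(token)
        if state is None:
            return None
        if state["attempts"] >= self.MAX_ATTEMPTS:
            del self.pending[token]  # too many misses: back to the password step
            return None
        state["attempts"] += 1
        if not secrets.compare_digest(state["code"], mfa_code):
            return None
        del self.pending[token]
        session = secrets.token_hex(16)
        self.logged_in[session] = state["user"]
        return session


def attack(server):
    """Lab flow: log in with the attacker's own account, rewrite the cookie to name
    the victim, then submit every 4-digit code until one is accepted."""
    cookies = dict(server.login("wiener", "peter"))
    cookies["verify"] = "carlos"  # tamper; the hardened server never reads this
    server.login2_page(cookies)
    for n in range(10_000):
        token = server.login2(cookies, f"{n:04d}")
        if token is not None:
            return f"{n:04d}", token
    return None


if __name__ == "__main__":
    v = VulnerableServer()
    print("vulnerable:", attack(v), "->", v.logged_in)
    h = HardenedServer()
    print("hardened:  ", attack(h), "pending left:", h.pending)
```

Either fix on its own would have stopped this particular lab: an opaque session token makes the identity swap impossible, and an attempt limit makes 10,000 guesses impossible. Both are needed in practice, since a code space this small is also exposed to attackers who can obtain many separate sessions.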


Source : Viblo