• Twitter
  • Facebook
  • Youtube

Wednesday, April 12, 2017

Pwnage of every user due to Weak Encryption


Greetings everyone, this is Shawar Khan and today i wanted to share one of my recent findings. Recently while pentesting a private project i faced a type of weakness in the web application that i am going to share today. The application that i was testing was fully accessed after the penetration test but in this write-up i am only disclosing an issue which i think is interesting and the developers and researchers can look into it while performing pentests against the web applications.

So, i started the pentest against the web application and checked ever area which was publicly available and found some flaws so after that's done the next steps comes in which we have to check the auth mechanism.
As we know the critical flaws are discovered when it comes to functionality that is responsible for changing user passwords and stuff so i moved towards the password reset functionality.

Simply registered an account, requested a password reset token which looks like:

Password Reset Link sent to User's Email via Web-App
Once the password reset link is requested, an email is sent to user's email which is associated with user's account. The email contains a link as shown above which contains "email" and "token" parameters. These parameters tells the web application that the specific user want to change his password. The "email" parameter's value will be the email of user which is requesting the password change and the value of "token" is a special md5 hash.

How the hash works in this mechanism? 

Each hash that is sent in password change request is associated with a user account so if the token or hash is having the same email which is associated with it then it will allow the password change. Otherwise, the password change request will be rejected as if the hash doesn't match with the email.

Exploiting the mechanism

Now as we understood how it works, its time to exploit it. I tried replacing the 'email' parameter's value to someone else's email address to check if its an IDOR vulnerability but that doesn't works. In these type of situation the only solution is to check how the hash was made.

The hash was identified as MD5 so i tried cracking the hash and i successfully got the plain text after the decryption of that hash which was sent in the reset link. In my case it was "d9d4f495e875a2e075a1a4a6e1b9770f":
Decryption of Password Reset Hash


So the decrypted value of the hash was "46". We now know that they are using numbers as tokens. Now its time to check if the same token or number was being used as token for every requested link. I requested some more links and decrypted them:
Decryption of 4 Password Reset Hashes
So after a little observation i found out that the numbers that were between 0 and 1000. The number was not crossing 1000 so maybe they are using some kind of random function to generate numbers between that specified range. Now we know how the hashes were generated now its time to fire up the weapons. We can bruteforce the password reset link hash but first we need to create the list of payloads.

I coded a little script that will generate hashes of numbers from 0 to 1000:
Generation of MD5s
Now we got a list of hashes from 0-1000 that we will be using to bruteforce the "token" parameter and one of them will be the correct value which will reset the user password. I coded a script that will use those hashes and will bruteforce the "token" parameter and the script prints the valid hash and URL for resetting password of the specified user.
So the final exploit looks like this:
Final Exploitation
 So, as we are now able to generate a valid password reset hash for any user of the site, we are able to compromise any user of the site by just entering his email. One of the request between 0-1000 will succeed which will allow us to compromise the user account. 

Thats it!
I hope you like this write-up, make sure to share so people can learn more from this.

Note: 

The following is the Github link to scripts that i coded for exploiting this weakness:
Github: Github Repo

Contact

Get in touch with me