FDEU-CVE-2020-03081
Summary
User enumeration, a weak temporary password and broken brute force protection
allow an attacker to take over any customer account at mano.tele2.lt.
Tech details
The mobile application “Mano Tele2” uses the API server at api.tele2.lt.
As an additional security layer, a separate authorization server is involved: appwscapi.tele2.lt.
To register an account, users receive an SMS with a 4-digit numeric code.
To reset a password, a user needs a 4-digit numeric temporary code (the "temp password").
The temporary code expires after about 30 minutes.
Vulnerabilities
Weak temporary code
A 4-digit numeric-only temporary code has only 10,000 possible values. From a mobile-data connection close to the server, the code check endpoint accepted more than 20 attempts per second, so exhausting the full key space takes at most about 500 seconds (under 9 minutes), well within the hardcoded 30-minute lifetime of the code. Requesting a new code is subject to a resend cooldown, but this does not slow down checking:
HTTP/1.1 500 Internal Server Error
Content-Type: application/json; charset=utf-8
Content-Length: 94
{
"ErrorType": "WebApi.TempPassword",
"ErrorMessage": "Temp password resend cooldown not expired"
}
User enumeration
By enumerating MSISDNs against the password recovery endpoint it is possible to check whether a number has a self-service account. For an unregistered number the API responds:
HTTP/1.1 500 Internal Server Error
Content-Type: application/json; charset=utf-8
Content-Length: 152
{
"ErrorType": "WebApi.UserNotExists",
"ErrorMessage": "Provided MSISDN is not registered in selfcare. API client should direct user to registration flow."
}
For a registered number, the resource owner credentials (login) flow instead returns an invalid-password error (the Lithuanian message reads "Wrong password."):
HTTP/1.1 400 Bad Request
Content-Type: application/json;charset=UTF-8
Content-Length: 113
{
"error": "WebApi.ResourceOwnerCredentials.Error.InvalidPassword",
"error_description": "Neteisingas slaptažodis."
}
Broken brute force protection
The API implements brute force protection by limiting the number of temp code check attempts:
HTTP/1.1 500 Internal Server Error
Content-Type: application/json; charset=utf-8
Content-Length: 195
{
"ErrorType": "WebApi.TooManyTempPasswordAttempts",
"ErrorMessage": "Neteisingai įvedėte laikiną slaptožodį per daug kartų. Pradėkite slaptažodžio priminimą arba registraciją iš naujo."
}
The message says: "You entered the temporary password incorrectly too many times. Start the password reminder or registration again." However, it turned out that the lockout is only cosmetic: the submitted code is still checked, and a correct code supplied after the XXX allowed tries is accepted.
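The lockout bypass above, together with the key-space arithmetic from the "Weak temporary code" section, as an added example that is not Tele2's code: a Python simulation of a temp-password verifier that counts attempts and reports the lockout but still validates the code (the behaviour described), beside a hardened version that enforces the limit before comparing and invalidates the code. The attempt limit (MAX_ATTEMPTS = 5), the code generation routine and the sample code value are assumptions; the 4-digit code, the 30-minute lifetime and the 20 checks per second come from this advisory.

```python
"""Simulated temp-password verifier with the lockout bug described above.

Added example, not Tele2's code: the API internals are unknown, so the
attempt limit (MAX_ATTEMPTS), the code generation and the sample code are
assumptions. The 4-digit code, the ~30 minute lifetime and the >20
checks/second rate are the figures reported in the advisory.
"""
import hmac
import secrets

CODE_DIGITS = 4
KEYSPACE = 10 ** CODE_DIGITS          # 10,000 possible codes
CODE_LIFETIME_S = 30 * 60             # lifetime reported in the advisory
CHECK_RATE_PER_S = 20                 # check rate reported in the advisory
MAX_ATTEMPTS = 5                      # assumption: the advisory only says "XXX"

LOCKED = "WebApi.TooManyTempPasswordAttempts"


def issue_code():
    """Issue a random zero-padded code (assumed generation method)."""
    return f"{secrets.randbelow(KEYSPACE):0{CODE_DIGITS}d}"


def full_keyspace_seconds(rate=CHECK_RATE_PER_S):
    """Seconds needed to try every code at `rate` checks per second."""
    return KEYSPACE / rate            # 500 s, far below the 1800 s lifetime


class BrokenVerifier:
    """Counts attempts and reports the lockout, but validates the code anyway,
    so a correct guess is accepted even after the limit has been exceeded."""

    def __init__(self, code, issued_at):
        self.code, self.issued_at, self.attempts = code, issued_at, 0

    def check(self, candidate, now):
        if now - self.issued_at > CODE_LIFETIME_S:
            return "expired", False
        self.attempts += 1
        ok = hmac.compare_digest(candidate, self.code)   # bug: compared regardless of the limit
        if not ok and self.attempts > MAX_ATTEMPTS:
            return LOCKED, False
        return ("ok" if ok else "invalid"), ok


class FixedVerifier:
    """Checks the limit before comparing and burns the code once it is hit
    (and on success), so the only way forward is to restart the flow."""

    def __init__(self, code, issued_at):
        self.code, self.issued_at, self.attempts = code, issued_at, 0

    def check(self, candidate, now):
        if self.code is None:
            return LOCKED, False
        if now - self.issued_at > CODE_LIFETIME_S:
            self.code = None
            return "expired", False
        self.attempts += 1
        if self.attempts > MAX_ATTEMPTS:
            self.code = None                       # invalidate: user must request a new code
            return LOCKED, False
        if hmac.compare_digest(candidate, self.code):
            self.code = None                       # single use
            return "ok", True
        return "invalid", False


def brute_force(verifier, issued_at, rate=CHECK_RATE_PER_S):
    """Try every code in order at `rate` checks per second of simulated time.
    Returns (code or None, attempts made, simulated seconds elapsed)."""
    attempts, elapsed = 0, 0.0
    for i in range(KEYSPACE):
        candidate = f"{i:0{CODE_DIGITS}d}"
        elapsed = i / rate
        attempts += 1
        status, ok = verifier.check(candidate, issued_at + elapsed)
        if ok:
            return candidate, attempts, elapsed
        if status == "expired":
            break
    return None, attempts, elapsed


def run_demo(code="7342"):
    """Brute force the same (assumed) code against both verifiers."""
    issued = 0.0
    broken = brute_force(BrokenVerifier(code, issued), issued)
    fixed = brute_force(FixedVerifier(code, issued), issued)
    return broken, fixed


if __name__ == "__main__":
    print("full key space at 20/s:", full_keyspace_seconds(), "s")
    print("broken verifier:", run_demo()[0])   # code found after 7343 tries, ~367 s
    print("fixed verifier: ", run_demo()[1])   # never found
```

The broken verifier returns the TooManyTempPasswordAttempts error for every wrong guess past the limit, which is what the client sees, yet the loop still recovers the code well inside the lifetime; the fixed verifier drops the code at the limit, so the attacker's only option is to request a new one, which the resend cooldown throttles.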
Account takeover
To take over an arbitrary account, an attacker only needs to:
- Enumerate MSISDNs against the recovery endpoint to find numbers registered in self-service
- For each registered number, request a temporary password (recovery code)
- Brute force the 4-digit temporary code and set a new password
- Log in to the account with the new password
Timeline
- 2020-03-08 - initial discovery and proof of concept
- 2020-03-09 - contacted Tele2 and provided all the details
- 2020-03-10 - Tele2 confirmed that everything was fixed in production
- 2020-05-10 - full disclosure