Advisory ID: HTB23289
Product: DOKEOS
Vendor: DOKEOS
Vulnerable Version(s): ce30 and probably prior
Tested Version: ce30
Advisory Publication: January 7, 2016 [without technical details]
Vendor Notification: January 7, 2016
Public Disclosure: February 17, 2016
Vulnerability Type: Improper Authentication [CWE-287]
Risk Level: High
CVSSv3 Base Score: 7.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L]
Discovered and Provided: High-Tech Bridge Security Research Lab (
https://www.htbridge.com/advisory/ )
-----------------------------------------------------------------------------------------------
Advisory Details:
High-Tech Bridge Security Research Lab discovered a high-risk vulnerability in
a popular e-learning software DOKEOS. A remote unauthenticated attacker can
bypass authentication process and login to the vulnerable website with an
arbitrary account (including administrator's one). Successful exploitation
requires Single Sign-On (SSO) authentication to be enabled.
The vulnerability is caused by variable type confusion error when comparing
password hash to unserialized string during authentication process, when SSO
authentication is enabled (sso_authentication=true). In this case, the
application uses HTTP GET "sso_cookie" parameter to pass base64-encoded login
and password and then calls 'unserialize()' PHP function on received data.
Below is an example of vulnerable code, which erroneously uses the "=="
operator to compare two strings (instead of the "===" operator):
if ($sso['secret'] == sha1($uData['password']) && ($sso['username'] ==
$uData['username'])) {
In this case, SHA1 password hash is compared to $sso['secret'] string,
controlled by the attacker. If attacker passes Boolean true instead of the real
password, he can successfully bypass the authentication and login under
arbitrary web application account.
A simple exploit below can be used to authenticate under "admin" account:
http://[host]/index.php?loginFailed=1&sso_referer=&sso_cookie=YToyOntzOjg6InVzZXJuYW1lIjtzOjU6ImFkbWluIjtzOjY6InNlY3JldCI7YjoxO30=
The "YToyOntzOjg6InVzZXJuYW1lIjtzOjU6ImFkbWluIjtzOjY6InNlY3JldCI7YjoxO30="
string is translated from base64 into:
a:2:{s:8:"username";s:5:"admin";s:6:"secret";b:1;}
After the execution of 'unserialize()' function, we have the following array:
$sso['username'] = 'admin';
$sso['secret'] = true;
-----------------------------------------------------------------------------------------------
Solution:
Disclosure timeline:
2016-01-07 Vendor notified via contact form, no reply.
2016-01-13 Vendor notified via contact form, emails and twitter, no reply.
2016-01-20 Vendor notified via contact form and emails, no reply.
2016-01-27 Fix Requested via contact form and emails, no reply.
2016-02-03 Fix Requested via contact form and emails, no reply.
2016-02-17 Public disclosure.
Currently we are not aware of any official solution for this vulnerability.
-----------------------------------------------------------------------------------------------
References:
[1] High-Tech Bridge Advisory HTB23289 -
https://www.htbridge.com/advisory/HTB23289 - SSO Auth Bypass and Website
Takeover in DOKEOS
[2] DOKEOS - http://www.dokeos.com/ - E-LEARNING suite and LMS for growing
companies
[3] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to
developers and security practitioners, CWE is a formal list of software
weakness types.
[4] ImmuniWeb® - https://www.htbridge.com/immuniweb/ - web security platform by
High-Tech Bridge for on-demand and continuous web application security,
vulnerability management, monitoring and PCI DSS compliance.
[5] Free SSL/TLS Server test - https://www.htbridge.com/ssl/ - check your SSL
implementation for PCI DSS and NIST compliance. Supports all types of protocols.
-----------------------------------------------------------------------------------------------
Disclaimer: The information provided in this Advisory is provided "as is" and
without any warranty of any kind. Details of this Advisory may be updated in
order to provide as accurate information as possible. The latest version of the
Advisory is available on web page [1] in the References.
