Look Dad, I bypassed 3factor authentication

The most important aspect of security is inspecting that everything works as it should. If people inside your organisation don’t have distinct duties, you are going to get screwed really quick.

There’s an organisation, let’s call it X, that offers classes and degrees. Rumour has it, the guys at X are serious about security. They don’t trade convenience with security. Everything looks fine. They have an online platform. based on a known CMS, that allows teachers to upload the grades of their classes and students to check. For the students part, you need valid credentials. For the teachers part you need three factors to upload the grades. Pause, authentication is the act of confirming that user A is user A and not someone else. There are 4 types of doing so:

  1. Something the user has (ie smartphone, credit card)
  2. Something the user knows (ie password, pin)
  3. Something the user is(ie biometrics)
  4. Somewhere the user is(ie the user is from inside the campus)

The guys at X were developers and they had no fucking idea of security whatsoever. So they thought of implementing the following authentication scheme for teachers to upload their grades: Teacher is inside campus (IP check), teacher has something (plugs in a USB stick with a PGP key to sign the grades), teacher knows something (types in his password). If any of these didn’t match the request was dropped. My initial thought was bypassing the authentication mechanism. After a little search, there was a possible way to bypass the authentication mechanism and directly upload to the server a file of your choice (in my case PHP shell). The main problem though was that I needed a valid account for that. In other words, if I authenticated as a valid student then I could upload anything I wanted. But how? I could find usernames through the mailing list but I couldn’t find passwords. Common sense started tingling. In such infrastructures there’s somewhere an LDAP server. If I could get authenticated by LDAP, I could access the grading site of X. Bypassing LDAP was easy. There was an app that gave you LDAP authentication if you entered a valid username and any password. I was in, with a shell, controlling the future of the developers.

X screwed up because it didn’t have security staff. ┬áDevelopers know to build stuff. They build stuff that it tends to break. They make the same mistake in more than one place. It will eventually break. It will break in more than one place. In other words, we spend time raising user awareness when the developers can’t implement correctly something or even worse implementing something with known vulnerabilities (ie MD5) in a shitty manner (ie without salt). Putting everything together, if developers don’t get trained/educated correctly there’s no point on chasing users down for using shitty passwords.

2 responses to “Look Dad, I bypassed 3factor authentication

  1. There are other times when developers have educated themselves and want to use a better algorithm but that will cause performance degradation with a proper fix pushed back to “when hell freezes over” due to “resource constraints”.

    Of course there are team leads who will tell you: you don’t need to salt our db is firewalled.

Leave a Reply

Your email address will not be published. Required fields are marked *