Try to exploit Two Factor Authentication module (and maybe earn $) before we deploy TFA to drupal.org

greggles

Drupal.org hopes to deploy two-factor authentication to enhance the security of the site. This tool will help to ensure that accounts with advanced permissions are only used by the intended individual. The Two Factor Authentication module for Drupal (tfa) was originally built by Growing Venture Solutions, was dramatically enhanced to work for Acquia, and is being made “drupal.org-ready” with support from CARD.com.

To help test the security of the module, CARD.com is sponsoring a security bounty of up to $500 with organizing help from Drupal Security Team members Michael Hess, Ben Jeavons and Greg Knaddison.

Target Site Setup

  • There is a Drupal 7 site http://live-tfatest.gotpantheon.com/ which has the latest code for TFA and TFA Basic.
  • The site has the Security Review module installed and follows all of its advice. The site is also running the paranoia module to limit what can be done after logging in.
  • There is an administrator account with the username admin and password admin. This account has two-factor authentication set up using TOTP (time-based one-time passwords). The account has several trusted browsers and has a set of recovery codes.
  • The homepage is “node/1” and lists out anyone who has successfully exploited the site (the list is empty at the time this was posted)

Suggestions and scope for exploiting the issue

  • We are specifically looking for testing of the two-factor authentication system, including its use of time-based one-time passwords, trusted browsers, and one-time-use recovery codes
  • Social engineering attacks are out of scope
  • There is flood-control in place per IP address that will lock out an IP after a few attempts.
  • Man-in-the-middle or other theoretical vulnerabilities that require sniffing a session or gaining access to a previously logged in computer are out of scope.
  • You can download the code used on the site at TFA 7.x-2.x-dev and TFA Basic 7.x-1.x-dev. We encourage you to set up your own site and review the code itself to help identify vulnerabilities.
  • Brute-force attacks are in scope, but are a lower priority. See the note below.
  • Vulnerabilities in Drupal core that allow a researcher to achieve the proof of exploit (below) are in scope.

Proof of exploit

  1. Have bypassed TFA or otherwise gained an authenticated session on the site
  2. Edit the front page to add some information to indicate you have compromised the account (your name, a link, etc.).
  3. Submit the details of the exploit via the Bugcrowd issue tracker (https://bugcrowd.com/card). Any vulnerabilities will be released in coordination with the Drupal Security Team policies. Submitting the issue to Bugcrowd lets us easily give bounties to researchers worldwide.
  4. Send a copy of the report sent to bugcrowd to security@drupal.org

Note on brute-force attacks

  • Given that the module allows 6 attempts per hour per IP address, it is likely that you can brute-force a TOTP code (1,000,000 combinations) for some amount of money that is likely above the bounty for this exercise, but low enough to make it generally feasible in a targeted attack on a high-value target. Discussion of this issue is happening in the drupal.org issue queue for tfa. For the purposes of this bounty, a brute-force attack is in scope if it leverages a weakness in this specific TFA implementation to use significantly fewer resources than is generally required for TOTP or 7-digit recovery codes.
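To make the cost argument above concrete, here is a small model of an online guessing attack against the rate limit described in the post. It is an added illustration, not code from the TFA module: the 6 attempts per hour per IP and the 6- and 7-digit code lengths are the figures stated above, while the ±1-step TOTP skew window, the number of unused recovery codes and the size of the attacker's IP pool are assumptions that you can change.

```python
from dataclasses import dataclass

ATTEMPTS_PER_IP_PER_HOUR = 6   # the flood-control figure stated in the post


@dataclass(frozen=True)
class GuessTarget:
    """An online guessing target: how many codes exist and how many of them
    the server would accept at the moment of a single guess."""
    name: str
    keyspace: int
    accepted_per_guess: int

    def hit_probability(self) -> float:
        return self.accepted_per_guess / self.keyspace

    def expected_attempts(self) -> float:
        # Guesses are independent trials, so the number of guesses until the
        # first hit is geometric with mean 1/p.
        return 1.0 / self.hit_probability()


def totp_target(digits: int = 6, window_steps: int = 1) -> GuessTarget:
    """6-digit TOTP. If the verifier tolerates clock skew by also accepting the
    neighbouring 30-second steps (assumption: +/-window_steps), every guess can
    match any of 2*window_steps+1 distinct valid codes, not just one."""
    return GuessTarget("TOTP", 10 ** digits, 2 * window_steps + 1)


def recovery_target(digits: int = 7, unused_codes: int = 10) -> GuessTarget:
    """7-digit one-time recovery codes: every still-unused code is accepted,
    so the attacker's odds scale with how many remain (assumption: 10)."""
    return GuessTarget("recovery codes", 10 ** digits, unused_codes)


def expected_hours(target: GuessTarget, ip_count: int,
                   attempts_per_ip_per_hour: int = ATTEMPTS_PER_IP_PER_HOUR) -> float:
    """Expected wall-clock hours when ip_count addresses each guess at exactly
    the per-IP flood limit (the limit bounds each IP, not the attacker)."""
    return target.expected_attempts() / (ip_count * attempts_per_ip_per_hour)


def summarize(ip_count: int) -> dict:
    """Map target name -> (expected guesses, expected hours) for ip_count IPs."""
    return {t.name: (t.expected_attempts(), expected_hours(t, ip_count))
            for t in (totp_target(), recovery_target())}


if __name__ == "__main__":
    for name, (attempts, hours) in summarize(ip_count=1000).items():
        print(f"{name:15s} ~{attempts:,.0f} guesses, ~{hours:,.1f} h with 1000 IPs")
```

Two things fall out of the model: a per-IP limit only divides the attacker's throughput by the number of addresses they control, and every extra code the verifier is willing to accept (skew steps, unused recovery codes) divides the expected number of guesses by the same factor.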

We would like to thank Pantheon for hosting the site for purposes of security research.

Deploying TFA to drupal.org

It is very likely that TFA will get deployed to drupal.org. The issue to track that is “Deploy TFA on drupal.org”, which has had a lot of positive feedback. Having more confidence in the security of the module will help move that issue to resolution.

Comments

Quick update

greggles

Quick update:

  • So far, no one has been able to bypass the Two-Factor Authentication and gain access to the site!
  • Since the launch, 24 people have attempted to break into the site over 300 times.
  • We've had 7 issue submissions, several of which are generally valid, but not for this bounty (e.g. clickjacking)

Some big news:

  • We awarded a bounty for 1 issue submission regarding replay of the TOTP code. That issue resulted in two issues in the TFA module's queue, one about encouraging the use of HSTS/SSL and one about preventing the replay of TOTP codes. As the reporter noted, this does require obtaining the TOTP value in some way (e.g. sniffing the network or malware on the victim's computer).

Even though the issue is technically outside of the scope for this bug bounty, we decided to give a reward for it because we feel that it is an important improvement. It also took a bit of effort on the researcher's part to download and analyze the code and we want to reward that effort. We also hope that validating and rewarding an issue will encourage other researchers to find and report bugs.

This is "trivially" broken

Sc00bz

Ignoring my title, can you post a link to the TFA module code, so I can see how much of a time drain this will be? Also I recently gave a talk giving your exact set up as "how not to do 2FA."

P.S. Account creation is messed up. I can't set/change my password because I currently don't have one. Note this is a known issue for at least two years now (https://www.drupal.org/node/1772880)... Maybe you should fix it.

Code (web viewer)

klausi

Code (web viewer):
http://cgit.drupalcode.org/tfa/tree/
http://cgit.drupalcode.org/tfa_basic/tree/

Code (Git):
git clone --branch 7.x-2.x http://git.drupal.org/project/tfa.git
git clone --branch 7.x-1.x http://git.drupal.org/project/tfa_basic.git

Where is the account creation messed up? On drupal.org? Or on your local Drupal core development site? Or on groups.drupal.org? Or on the TFA test site? The link you provided is a support request in the general forums, so this is not filed as an issue against a particular project.

:)

Sc00bz

groups.drupal.org, oops I read the email and when it didn't redirect I just went to the edit page instead of clicking the login button.

"how not"?

coltrane

Care to elaborate on these claims please?

When we started this bounty

greggles

When we started this bounty we were hoping to get experts such as yourself to provide feedback. It's obviously an important and yet tricky thing to get right. These modules were built after analyzing the flow of google, dropbox, github and other companies who provide tfa, though obviously they use different code.

Are there any slides or recordings of your presentations on this topic? I saw from your tweet stream that you presented at Black Hat, but it looks like they don't post videos for 6+ months.

There shouldn't be a need to create an account - there is one already created with credentials available in the post above. If creating an account is critical to identifying a vulnerability we can try to find a solution.

It's now been a few days since your initial post and I haven't seen an issue you submitted. Are you still working on it? We plan to close this test-site on September 15th, after which point we'll still give a bounty for weaknesses in these modules, but any researcher will have to build their own site similar to the above if they want to test it in the same way (we'll probably provide some instructions on setup to make that easier).

Thanks again for helping test out these modules!

I just submitted

Sc00bz

I meant to do this sooner. The only important things about my talk are:
Hardness: password*2FA (1,000*1,000,000 = 1,000,000,000) vs password+2FA (1,000+1,000,000 = 1,001,000)
Don't leak timing and check both regardless if one failed. Make sure to check all time skews even if one succeeds.

Login process:

  • Get username, password, and optional 2nd factor
  • If 2FA enabled
    • If 2nd factor is blank ask for 2nd factor
    • Check username, password, and 2FA
  • Else check username and password

Note you can check the second factor first then ask for the password and achieve password*2FA. Unless you have bad random which you do. An attacker would just guess the second factor until it is correct then do offline brute force to then get it down to like one in a few thousand. Once the second pin is guessed correctly you'll have the secret key.


Out of the three four bugs I submitted my guess is none will net me a bounty but you should fix them: ECB, the bug in Drupal to bypass rate limit (and use 8 digit codes), and the unlikely to be pulled off in the real world attack against bad random.

Right just remembered there was another bug. It's minor, sometimes the secret key and email are sent to Google over https.

Edit: Formatting issue with asdf vs *asdf*

See the issue related to password reset
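The two design points raised in this thread, the TOTP replay report that greggles rewarded and the "check both factors, check every skew, don't return early" login flow that Sc00bz describes, can be shown together in one verifier. The following is an added example written for this page, not code from the TFA module: the 30-second step, the ±1-step skew window, the PBKDF2 password hashing, the in-memory user record and the sample secret (the RFC 6238 test-vector secret, used here as constructed data) are all assumptions.

```python
import hashlib
import hmac
import os
import struct
import time
from typing import Optional

STEP_SECONDS = 30        # RFC 6238 default
SKEW_STEPS = 1           # accept one step either side of "now" (assumption)
DIGITS = 6
PBKDF2_ROUNDS = 20_000   # kept small for the example

# RFC 6238 test-vector secret, used as constructed sample data only.
SAMPLE_SECRET = b"12345678901234567890"


def totp_at(secret: bytes, step: int, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP for one time step: HMAC-SHA1 over the big-endian
    64-bit counter, RFC 4226 dynamic truncation, zero-padded decimal."""
    mac = hmac.new(secret, struct.pack(">Q", step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def time_step(now: Optional[float]) -> int:
    return int((time.time() if now is None else now) // STEP_SECONDS)


class TotpVerifier:
    """Checks a submitted code against every step in the skew window without
    returning early, and refuses any step at or before the last accepted one,
    so a code captured in transit cannot be replayed."""

    def __init__(self, secret: bytes, last_accepted_step: int = -1):
        self.secret = secret
        self.last_accepted_step = last_accepted_step

    def matching_step(self, code: str, now: Optional[float] = None) -> Optional[int]:
        """Return the step the code matches, or None if it matches nothing or
        would be a replay. Nothing is committed here."""
        current = time_step(now)
        submitted = code.strip().encode()
        matched = None
        for step in range(current - SKEW_STEPS, current + SKEW_STEPS + 1):
            # compare_digest does not stop at the first differing byte, and the
            # loop keeps going to the end of the window even after a hit.
            if hmac.compare_digest(totp_at(self.secret, step).encode(), submitted):
                matched = step
        if matched is None or matched <= self.last_accepted_step:
            return None
        return matched

    def commit(self, step: int) -> None:
        """Record the accepted step once the whole login has succeeded."""
        self.last_accepted_step = step


class User:
    """Constructed user record: salted PBKDF2 password hash plus TOTP state."""

    def __init__(self, password: str, totp_secret: bytes):
        self.salt = os.urandom(16)
        self.password_hash = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), self.salt, PBKDF2_ROUNDS)
        self.totp = TotpVerifier(totp_secret)


def login(user: User, password: str, code: str, now: Optional[float] = None) -> bool:
    """Evaluate both factors on every attempt and return one verdict, so a wrong
    password and a wrong code look the same to the caller: the attacker has to
    search password and code jointly (password * 2FA), not one after the other
    (password + 2FA)."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), user.salt, PBKDF2_ROUNDS)
    password_ok = hmac.compare_digest(candidate, user.password_hash)
    step = user.totp.matching_step(code, now)   # runs even when password_ok is False
    if not (password_ok and step is not None):
        return False
    user.totp.commit(step)                      # the code is consumed only on full success
    return True
```

The replay guard is deliberately monotonic: once the step 37037037 code has been used, a code for step 37037036 is refused too, even though it is still inside the skew window, because an attacker who sniffed it would otherwise have a 30-second replay opportunity. The accepted step is only recorded after both factors pass, so a failed password attempt does not burn the legitimate user's current code.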

Quick update on TFA security testing

greggles

  • Still the case: So far, no one has been able to bypass the Two-Factor Authentication and gain access to the site!
  • We no longer have exact counts of the number of people who attempted to break in because someone attempted a brute force attack which overflowed watchdog ;) We currently can only say that in the last 11 hours there were 6 different IPs that attempted over 200,000 times. Combined with the values from last week that means 30 different IPs have attempted over 200,300 times.
  • Several more issues were submitted but none are relevant to the module (e.g. one points out that an old SSL cipher is used, another points out that autocomplete is allowed on the password field which allows some browsers to store the password unencrypted locally - these are standard, very low priority issues unrelated to the TFA modules).

One note that I forgot to put in the initial post: This site will come offline on September 15th, however the bounty for it will remain open.

Final update: no one broke in!

coltrane

We've put the TFA test site into maintenance mode to mark our testing period complete. No one bypassed the TFA access controls to gain authenticated access to the site!

We did award 5 researchers a bounty for their research and reports (there were 12 reports, 7 invalid or out of scope). These reports will lead to several security hardening improvements to the TFA and basic TFA plugin modules. You can see the issues in these release trackers https://www.drupal.org/node/2241821 and https://www.drupal.org/node/2243871. Also, I tagged beta releases of the modules yesterday: TFA beta1 and Basic TFA plugins beta1. Follow the release trackers to catch updates on full stable releases and on any beta breaking changes.

Finally, we feel this was a successful endeavor that has increased our confidence in the TFA solution for use by drupal.org and anyone that wants to improve security measures for their Drupal site. Thanks very much to those who tested the site and especially to those who reviewed the code and sent us reports!
