- Vulnerability Type: Multi-Factor Authentication (MFA) Bypass via Execution Manipulation in CAS
- Status: Unpatched
- Path: /login?service=
The web application allows the reuse of an execution generated during the authentication process, which enables bypassing critical validation steps, such as credential verification, CAPTCHA, and OTP code entry. The execution generated after the OTP input can be captured from a valid session and reused in subsequent login attempts, allowing an attacker to bypass all required authentication steps and gain direct access to the application without providing valid credentials or an OTP.
This enables attackers to compromise the authentication process, facilitating unauthorized access to the application without the need for valid credentials or OTP verification. This could result in the compromise of user accounts, including privileged accounts, and expose the system to further attacks, such as data theft, information manipulation, and malicious actions within the authenticated environment.
During the authentication process, password, CAPTCHA validation, and an OTP code generated by CAS (Central Authentication Service) are required.
Using a tool like Burp Suite to monitor requests, the following flow is observed:
- The client performs a POST /login?service=https%3A%2F%2Fsmtplw.com.br%2Fusers%2Fservice HTTP/1.1, which generates an execution.
- For the OTP step, the request carries the execution generated from the provided credentials, and the application returns a second execution in the response.
Subsequent requests are used only for device registration and redirection to the requested application. It was identified that the execution generated after the OTP input can be reused to bypass both credential and OTP verification steps.
If this execution is captured from a valid session, it can be reused to bypass the entire CAS validation process, including credential verification, CAPTCHA, and OTP. Even when entering invalid credentials, such as a nonexistent username or password, it is possible to inspect the response with Burp Suite and manipulate the request by inserting the captured execution. This way, the attacker would be redirected to the application without proper authentication validation.
After response manipulation:
The application correctly validates credentials and CAPTCHA before requesting the OTP. However, by manipulating the response with a valid execution, it is possible to bypass these validations, including the OTP verification. The user is then redirected to the device registration screen and subsequently to the requested application, without completing the required authentication steps.
- Account Takeover: Attackers could bypass the MFA requirement, gaining unauthorized access to user accounts and sensitive information.
- Privilege Escalation: Once authenticated, attackers could access restricted areas or perform actions at a higher privilege level.
- Data Breach Risk: Unauthorized access may lead to data exposure, with attackers viewing, modifying, or deleting sensitive data.
- Compliance Violation: Security regulations requiring MFA could be violated, leading to potential legal and compliance issues.
- Reputational Damage: Bypassing MFA reduces trust in the application’s security measures, as users may perceive it as vulnerable to targeted attacks.
- Strict MFA Enforcement: Ensure MFA validation is consistently enforced across all entry points, and any modifications to the authentication flow require MFA re-authentication.
- Request Validation Tokens: Use request-specific tokens that verify MFA completion at each sensitive action, ensuring it was validated by the user.
- Session Binding: Bind MFA status to session attributes, preventing attackers from altering session state to bypass MFA requirements.
- Monitoring and Alerts: Implement logging and monitoring for suspicious access patterns, such as attempts to bypass MFA, and alert administrators of potential exploitation.
- Regular Security Testing and Auditing: Conduct penetration tests and audits focusing on MFA integrity, especially in the CAS flow, to detect and fix bypass vulnerabilities.
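As an added illustration of the Session Binding and Request Validation Tokens recommendations (example code written for this report, not CAS code), the following Python contrasts a flow store that accepts any previously issued execution key with one that binds each key to the session that obtained it, to the exact stage it proves, and to a single use. Stage names, session identifiers and the store API are constructed for the example.

```python
import hmac
import secrets

# Authentication stages of the login flow described in the report (constructed names).
STAGES = ("credentials", "captcha", "otp", "device_registration")


class ExecutionStore:
    """Server-side record of every issued execution key: the session that obtained it,
    the stage it proves, and whether it has already been consumed."""

    def __init__(self):
        self._records = {}

    def issue(self, session_id, stage):
        key = secrets.token_urlsafe(16)
        self._records[key] = {"session": session_id, "stage": stage, "used": False}
        return key

    def consume(self, key, session_id, required_stage):
        """Weak check: any issued key whose stage is high enough is accepted.
        Neither session ownership nor single use is enforced, so a captured
        post-OTP key works from any session and can be replayed."""
        rec = self._records.get(key)
        return rec is not None and STAGES.index(rec["stage"]) >= STAGES.index(required_stage)


class BoundExecutionStore(ExecutionStore):
    def consume(self, key, session_id, required_stage):
        """Hardened check: the key must belong to the presenting session, prove
        exactly the stage the server expects next, and be accepted only once."""
        rec = self._records.get(key)
        if rec is None or rec["used"]:
            return False
        if not hmac.compare_digest(rec["session"], session_id):
            return False
        if rec["stage"] != required_stage:
            return False
        rec["used"] = True
        return True


def replay_captured_execution(store):
    """Model the report's scenario: a victim session obtains a post-OTP execution,
    a second session presents that key, and the victim later replays it.
    Returns (other_session_accepted, owner_first_use, owner_replay)."""
    victim_key = store.issue("victim-session", "otp")
    other_session = store.consume(victim_key, "attacker-session", "otp")
    owner_first = store.consume(victim_key, "victim-session", "otp")
    owner_replay = store.consume(victim_key, "victim-session", "otp")
    return other_session, owner_first, owner_replay
```

With the weak store every check returns True; with the bound store only the owner's first use is accepted, and a key proving an earlier stage is rejected when a later stage is required.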