2FA Bypass on Bugzilla.mozilla.org using IP rorate techniques similar to bruteforce.
Categories
(bugzilla.mozilla.org :: General, defect, P2)
Tracking
()
People
(Reporter: Mahtoshivnath709, Assigned: dkl)
References
()
Details
(Keywords: reporter-external, sec-moderate, wsec-bruteforce, Whiteboard: [reporter-external] [web-bounty-form] [verif?])
Attachments
(1 file)
|
1.92 KB,
patch
|
glob
:
review+
|
Details | Diff | Splinter Review |
Hello There !
The Bugzilla 2FA endpoint/portal suffers from 2FA bypass using Ip Rotate technique.
At First When i tried to bruteforce the 6 digit code, I got Rate Limited. But when i sent the same request From Different Ip Address. The request got succeded. There are some awesome writeups regarding ip rotate techniques. This technique has been previously used on facebook, Instagram and Many more Programs on Hackerone too.
These are the Required resources to understand this issue.
https://hackerone.com/reports/819930
https://threatpost.com/researcher-bypasses-instagram-2fa/146466/
https://portswigger.net/bappstore/2eb2b1cb1cf34cc79cda36f0f9019874
The POC video of Bypassing 2FA has been attached along the report.
PS. Do Read those writeups to better understand this issue.
Thank You.
Best Regards.
Mozill Security Team
| Reporter | ||
Updated•4 years ago
|
| Reporter | ||
Comment 1•4 years ago
|
||
Explaination of the vulnerability.
The Bugzilla prevents from bruteforcing the 2FA codes with responding status code 429. Preventing users from same ip address accessing his/her account for upto hours. However, Such ip based Rate limiting can be bypassed using Ip varying Proxies. Those proxy rotates the request via their multiple proxies set up all over the world making the Original server hard to determine the original IP address of the Attacker/Client. This allows an attacker to send multiple request to the server despite of strict Rate limiting placed ahead.
Another thing i found was, The 2FA portal accepts Get request even though browser sends post request. This allows subsequent leveraging of application structure to send multiple GET request.
The Required file and POC link is submitted below.
requirements
Poc-Link
Thank You.
Best Regards
Mozilla Security Teams.
Comment 2•4 years ago
|
||
Aaryan9898: Could you please provide a text or script-based POC of the technique? Could you also provide a recommendation on how you believe this could be fixed? Could you also please not set the priority or severity on bugs, this is for internal use only.
Comment 3•4 years ago
|
||
Lastly, if you are going to include artifacts, please attach them to the bug, rather than hosting them on an external website.
Updated•4 years ago
|
| Reporter | ||
Comment 4•4 years ago
|
||
(In reply to Jonathan Claudius [:claudijd] (use NEEDINFO) from comment #2)
Aaryan9898: Could you please provide a text or script-based POC of the technique? Could you also provide a recommendation on how you believe this could be fixed? Could you also please not set the priority or severity on bugs, this is for internal use only.
Thanks for responding.
The attachment was of larger size. So i have to upload it to cloud for easy access as stated by previous triager.
Comment 5•4 years ago
|
||
(In reply to Aaryan9898 from comment #4)
(In reply to Jonathan Claudius [:claudijd] (use NEEDINFO) from comment #2)
Aaryan9898: Could you please provide a text or script-based POC of the technique? Could you also provide a recommendation on how you believe this could be fixed? Could you also please not set the priority or severity on bugs, this is for internal use only.
Thanks for responding.
The attachment was of larger size. So i have to upload it to cloud for easy access as stated by previous triager.
Can you point me to where a prior triager gave you this guidance? Also, I expect the large file size to be a result attaching a video, and as I mentioned above, we don't accept video submissions as sufficient POC. Please provide a script or tooling POC to demonstrate the issue and we can try to repro on our end.
| Reporter | ||
Comment 6•4 years ago
|
||
Patch to be applied.
At server side.
- There are two parameters recieved viz token and code at 2FA endpoint.
- server should allow only 5-10 request with similar token but different code value.
- When the request containing varying code value with similar user token more than 10 request.
- Server should reject it. This patch must work even though requested from different IP's.
Thanks.
This is partly between iprepd and application logic.
It probably makes sense to add rate limiting to 2FA in a way that separates it from the source IP.
| Reporter | ||
Comment 8•4 years ago
|
||
(In reply to Jonathan Claudius [:claudijd] (use NEEDINFO) from comment #5)
(In reply to Aaryan9898 from comment #4)
(In reply to Jonathan Claudius [:claudijd] (use NEEDINFO) from comment #2)
Aaryan9898: Could you please provide a text or script-based POC of the technique? Could you also provide a recommendation on how you believe this could be fixed? Could you also please not set the priority or severity on bugs, this is for internal use only.
Thanks for responding.
The attachment was of larger size. So i have to upload it to cloud for easy access as stated by previous triager.Can you point me to where a prior triager gave you this guidance? Also, I expect the large file size to be a result attaching a video, and as I mentioned above, we don't accept video submissions as sufficient POC. Please provide a script or tooling POC to demonstrate the issue and we can try to repro on our end.
The Poc video contains the steps on reproduction of the issue using tools like Burpsuite etc.
How can i possibly submit it here on this report on.
| Reporter | ||
Comment 9•4 years ago
|
||
(In reply to :glob 🎈 from comment #7)
This is partly between
iprepdand application logic.It probably makes sense to add rate limiting to 2FA in a way that separates it from the source IP.
you got the point.
Dear Triager.
| Assignee | ||
Updated•4 years ago
|
| Assignee | ||
Comment 10•4 years ago
|
||
Comment 11•4 years ago
|
||
| Assignee | ||
Comment 12•4 years ago
|
||
Merged to master and deploying today. Opening bug since fix is in repo.
https://github.com/mozilla-bteam/bmo/commit/a2caf6e00e42993674b54051cc407021fd833e53
Comment 13•4 years ago
|
||
Aaryan: Could you make an attempt to verify this fix and see if it addresses the gap you raised?
| Reporter | ||
Comment 14•4 years ago
|
||
(In reply to Jonathan Claudius [:claudijd] (use NEEDINFO) from comment #13)
Aaryan: Could you make an attempt to verify this fix and see if it addresses the gap you raised?
Hi @claudijd sir.
I tried to replicate the issue with multiple proxies but failed.
The server reponds with 'Rate Limit Exceeds' response even the 2FA code is correct while bruteforcing from different IP Addresses. The patch is preventing the Bugzilla application from 2FA Bruteforce attack.
Thanks For Patching.
Best Regards.
Mozilla Security Team.
Comment 15•4 years ago
|
||
Thanks for the verification Aaryan.
| Reporter | ||
Comment 16•4 years ago
|
||
Please change the report to status:verified.
| Reporter | ||
Comment 17•4 years ago
|
||
Hello There !
Any update over this report ?
Comment 18•4 years ago
|
||
Aaryan: the issue is fixed, so our bounty team will evaluate the bounty decision within the next week.
Comment 19•4 years ago
|
||
Bounty team met today, missing a few folks, going to pick this up next week when we have more people to discuss.
| Reporter | ||
Comment 20•4 years ago
|
||
Hello there !
Any upate over this report ?
Comment 21•4 years ago
|
||
Aaryan: We are meeting today to catch up on bounty stuff, as noted in comment 19, we were missing a few folks last week and wanted more discussion before making a decision.
| Reporter | ||
Comment 22•4 years ago
|
||
Thanks @claudijd
Updated•4 years ago
|
| Reporter | ||
Comment 23•4 years ago
|
||
Awesome team.....!!!!!
Thanks for the awesome bounty............!!!!!!!!
Loved hacking on mozilla..........!!!!!!!
Best Regards
Mozilla Security Teams
Please look at my report #1728066
Updated•4 years ago
|
| Assignee | ||
Updated•2 years ago
|
Description
•