Closed Bug 1736578 Opened 4 years ago Closed 4 years ago

2FA Bypass on Bugzilla.mozilla.org using IP rorate techniques similar to bruteforce.

Categories

(bugzilla.mozilla.org :: General, defect, P2)

Tracking

()

VERIFIED FIXED

People

(Reporter: Mahtoshivnath709, Assigned: dkl)

References

()

Details

(Keywords: reporter-external, sec-moderate, wsec-bruteforce, Whiteboard: [reporter-external] [web-bounty-form] [verif?])

Attachments

(1 file)

Hello There !

The Bugzilla 2FA endpoint/portal suffers from 2FA bypass using Ip Rotate technique.
At First When i tried to bruteforce the 6 digit code, I got Rate Limited. But when i sent the same request From Different Ip Address. The request got succeded. There are some awesome writeups regarding ip rotate techniques. This technique has been previously used on facebook, Instagram and Many more Programs on Hackerone too.
These are the Required resources to understand this issue.

https://hackerone.com/reports/819930
https://threatpost.com/researcher-bypasses-instagram-2fa/146466/
https://portswigger.net/bappstore/2eb2b1cb1cf34cc79cda36f0f9019874

The POC video of Bypassing 2FA has been attached along the report.
PS. Do Read those writeups to better understand this issue.

Thank You.
Best Regards.
Mozill Security Team

Flags: sec-bounty?
Severity: -- → S2
Type: task → defect
Priority: -- → P2

Explaination of the vulnerability.

The Bugzilla prevents from bruteforcing the 2FA codes with responding status code 429. Preventing users from same ip address accessing his/her account for upto hours. However, Such ip based Rate limiting can be bypassed using Ip varying Proxies. Those proxy rotates the request via their multiple proxies set up all over the world making the Original server hard to determine the original IP address of the Attacker/Client. This allows an attacker to send multiple request to the server despite of strict Rate limiting placed ahead.

Another thing i found was, The 2FA portal accepts Get request even though browser sends post request. This allows subsequent leveraging of application structure to send multiple GET request.

The Required file and POC link is submitted below.
requirements
Poc-Link

Thank You.
Best Regards
Mozilla Security Teams.

Aaryan9898: Could you please provide a text or script-based POC of the technique? Could you also provide a recommendation on how you believe this could be fixed? Could you also please not set the priority or severity on bugs, this is for internal use only.

Lastly, if you are going to include artifacts, please attach them to the bug, rather than hosting them on an external website.

Group: websites-security → bugzilla-security
Component: Other → General
Product: Websites → bugzilla.mozilla.org

(In reply to Jonathan Claudius [:claudijd] (use NEEDINFO) from comment #2)

Aaryan9898: Could you please provide a text or script-based POC of the technique? Could you also provide a recommendation on how you believe this could be fixed? Could you also please not set the priority or severity on bugs, this is for internal use only.

Thanks for responding.
The attachment was of larger size. So i have to upload it to cloud for easy access as stated by previous triager.

(In reply to Aaryan9898 from comment #4)

(In reply to Jonathan Claudius [:claudijd] (use NEEDINFO) from comment #2)

Aaryan9898: Could you please provide a text or script-based POC of the technique? Could you also provide a recommendation on how you believe this could be fixed? Could you also please not set the priority or severity on bugs, this is for internal use only.

Thanks for responding.
The attachment was of larger size. So i have to upload it to cloud for easy access as stated by previous triager.

Can you point me to where a prior triager gave you this guidance? Also, I expect the large file size to be a result attaching a video, and as I mentioned above, we don't accept video submissions as sufficient POC. Please provide a script or tooling POC to demonstrate the issue and we can try to repro on our end.

Severity: S2 → S3
Component: General → Infrastructure
Priority: P2 → P3

Patch to be applied.

At server side.

  1. There are two parameters recieved viz token and code at 2FA endpoint.
  2. server should allow only 5-10 request with similar token but different code value.
  3. When the request containing varying code value with similar user token more than 10 request.
  4. Server should reject it. This patch must work even though requested from different IP's.

Thanks.

This is partly between iprepd and application logic.

It probably makes sense to add rate limiting to 2FA in a way that separates it from the source IP.

Component: Infrastructure → General
Priority: P3 → P2

(In reply to Jonathan Claudius [:claudijd] (use NEEDINFO) from comment #5)

(In reply to Aaryan9898 from comment #4)

(In reply to Jonathan Claudius [:claudijd] (use NEEDINFO) from comment #2)

Aaryan9898: Could you please provide a text or script-based POC of the technique? Could you also provide a recommendation on how you believe this could be fixed? Could you also please not set the priority or severity on bugs, this is for internal use only.

Thanks for responding.
The attachment was of larger size. So i have to upload it to cloud for easy access as stated by previous triager.

Can you point me to where a prior triager gave you this guidance? Also, I expect the large file size to be a result attaching a video, and as I mentioned above, we don't accept video submissions as sufficient POC. Please provide a script or tooling POC to demonstrate the issue and we can try to repro on our end.

The Poc video contains the steps on reproduction of the issue using tools like Burpsuite etc.
How can i possibly submit it here on this report on.

(In reply to :glob 🎈 from comment #7)

This is partly between iprepd and application logic.

It probably makes sense to add rate limiting to 2FA in a way that separates it from the source IP.

you got the point.
Dear Triager.

Assignee: nobody → dkl
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Attached patch 1736578.patchSplinter Review
Attachment #9246679 - Flags: review?(glob)
Comment on attachment 9246679 [details] [diff] [review] 1736578.patch Review of attachment 9246679 [details] [diff] [review]: ----------------------------------------------------------------- ::: Bugzilla.pm @@ +794,4 @@ > } > my $full_limit = join("/", @$limit); > Bugzilla->audit( > + "[rate_limit] action=$action, ip=$ip, identifier=$identifier limit=$full_limit, name=$name"); nit: this should be `identifier=$identifier,` (missing the trailing comma)
Attachment #9246679 - Flags: review?(glob) → review+

Merged to master and deploying today. Opening bug since fix is in repo.
https://github.com/mozilla-bteam/bmo/commit/a2caf6e00e42993674b54051cc407021fd833e53

Group: bugzilla-security
Status: ASSIGNED → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED

Aaryan: Could you make an attempt to verify this fix and see if it addresses the gap you raised?

Flags: needinfo?(Mahtoshivnath709)

(In reply to Jonathan Claudius [:claudijd] (use NEEDINFO) from comment #13)

Aaryan: Could you make an attempt to verify this fix and see if it addresses the gap you raised?

Hi @claudijd sir.
I tried to replicate the issue with multiple proxies but failed.
The server reponds with 'Rate Limit Exceeds' response even the 2FA code is correct while bruteforcing from different IP Addresses. The patch is preventing the Bugzilla application from 2FA Bruteforce attack.
Thanks For Patching.

Best Regards.
Mozilla Security Team.

Flags: needinfo?(Mahtoshivnath709)

Thanks for the verification Aaryan.

Please change the report to status:verified.

Status: RESOLVED → VERIFIED

Hello There !
Any update over this report ?

Aaryan: the issue is fixed, so our bounty team will evaluate the bounty decision within the next week.

Bounty team met today, missing a few folks, going to pick this up next week when we have more people to discuss.

Hello there !
Any upate over this report ?

Aaryan: We are meeting today to catch up on bounty stuff, as noted in comment 19, we were missing a few folks last week and wanted more discussion before making a decision.

Thanks @claudijd

Flags: sec-bounty? → sec-bounty+

Awesome team.....!!!!!
Thanks for the awesome bounty............!!!!!!!!
Loved hacking on mozilla..........!!!!!!!
Best Regards
Mozilla Security Teams

Please look at my report #1728066

You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: