CTF. I-Bank. Logical Flaws in a PHP banking application. FluxReiners

Size: px

Start display at page:

Download "CTF. I-Bank. Logical Flaws in a PHP banking application. FluxReiners"

Asher Maxwell
6 years ago
Views:

1 Logical Flaws in a PHP banking application FluxReiners

2 Final CTF phase: Exploitation 2/38

3 Setup: one bank per team with the same banking app 3 bank accounts per bank SSH access to own bank server (incl. PHP src) 4 donation accounts: Anonymous LulzSec Offshore of Potato Fund for French Fries Welfare 3/38

4 Goal: Protect own bank accounts (patch Logical Flaws) Own other bank accounts and transfer money to the donation accounts from them Timeline (theoretically): 4h create patches/exploits 1h orga check Penalty points for defects 1h attack phase 4/38

5 application 5/38

6 mysql> select * from users; id login password... recovery_password user_type otp_type N basic smart_token Ib5frg... Y contractor card gJgff... N contractor no mysql> select * from accounts; id user_id number sum /38

7 Preparation: Captcha Breaking 7/38

8 8/38

9 <img src="image.php?code=pufet3pxre4="> login=&password=&code=48380&_code=pufet3pxre4= Copy/paste to exploits Automatic login 9/38

10 User Enumeration 10/38

11 Attack 1: Weak Password Recovery Key 11/38

12 mysql> select * from users; id login password... recovery_password user_type otp_type N basic smart_token Ib5frg... Y contractor card gJgff... N contractor no mysql> select * from recovery; Empty set (0.10 sec) 12/38

13 Request reset key: user = $_POST["login"] Check, if recovery_password = 'Y' Check, if no reset key already requested (DB) Mail reset key to user insert into recovery (login, key) 13/38

14 mysql> select * from recovery; login key de01d74a564f45c7189a5e6c251bf36c /38

15 Insert reset key user = $_POST["login"], key = $_POST["key"] Check, if user+key combination in recovery table generate new password and change password for user Print new password 7 chars 15/38

16 mysql> select * from recovery; login key de01d74a564f45c7189a5e6c251bf36c $key = md5( $login. rand(1, 250) ); 16/38

17 mysql> select * from users; id login password... recovery_password user_type otp_type N basic smart_token Ib5frg... Y contractor card gJgff... N contractor no /38

18 Supplied OTP is checked against the database (status = clear used) OTP statically generated for known user id 18/38

19 Attack 2: Weak Session Token 19/38

20 mysql> select * from users; id login password... recovery_password user_type otp_type N basic smart_token Ib5frg... Y contractor card gJgff... N contractor no mysql> select * from sessions; user_id salt expire y82lr ju6t rows in set (0.00 sec) 20/38

21 salt contains 5 random alphanumerical chars [a-z0-9] 21/38

22 numerical CRC32 checksum of length 10 Is shortened to length 4 22/38

23 Less than 10 4 = possibilities 23/38

24 Cookie: auth= Bruteforce Transactions can be done without OTP check (otp_type=no) 24/38

25 Attack 3: Weak Passwords + Helpdesk Authentication Bypass 25/38

26 mysql> select * from users; id login password... recovery_password user_type otp_type N basic smart_token Ib5frg... Y contractor card gJgff... N contractor no mysql> select * from accounts; id user_id number sum /38

27 Helpdesk 27/38

28 mysql> select * from helpdesk_users; Empty set (0.00 sec) mysql> insert into helpdesk_users values( 0, 'admin', sha1('foobar'), 'admin@ibank.ru', 'foo', 'bar'); Query OK, 1 row affected (0.04 sec) mysql> select * from helpdesk_users; id login password first_name last_name admin 356a19... admin@bank.ru foo bar row in set (0.00 sec) 28/38

29 29/38

30 30/38

31 Todo: OTP Bypass 31/38

32 numerical random OTP of length 5, 10 5 = , bruteforce 32/38

33 Transfer- Formular Account- Check OTP- Check Transaction Jump from step2 to step4, bypass OTP check in step3 (also works for TransactionB of user , otp_type=card) 33/38

34 Summary 34/38

35 login User properties password recovery user type otp type weak passwd password recovery attacks weak session otp bypass N basic smart x x Y contractor card x x x x N contractor no x x - 35/38

36 login User properties password recovery user type otp type weak passwd password recovery attacks weak session otp bypass N basic smart Y contractor card - 3/12-3/ N contractor no - 0/12 PPP (4.) Tachikoma (9.) 0daysober (2.) 36/38

37 Timeline (practically): Organizers are going to attack However we found no foreign attacks in our logs 20 RUB / account, RUB / bank Account reset after 15min (new money) Attack phase ended after 30min FluxFingers was the only team stealing money however 40 / = negl No attack points for us, no minus points for others =( 37/38

38 Thank you for your attention Thank you GDATA for making our trip to Moscow possible 38/38

How to Integrate. REVE Secure 2FA App. with Dashboard.

How to Integrate. REVE Secure 2FA App. with Dashboard. How to Integrate REVE Secure 2FA App with Dashboard REVE Secure Software Token supports widely deployed mobile platforms like ios, Android, Windows, etc. and uses time-based algorithm to support 2FA. This