An attacker may take advantage of the application feature that helps users
recover their forgotten passwords in order to gain access to the system
with the same privileges as the original user. Password recovery schemes
generally tend to be weak and insecure. Most of them use only one security
question; for instance, mother's maiden name tends to be a fairly popular
one. Unfortunately, in many cases this information is not very hard to find,
especially if the attacker knows the legitimate user.
These generic security questions are also reused across many
applications, making them even more insecure. An attacker could, for
instance, overhear a coworker talking to a bank representative at the
workplace and supplying their mother's maiden name for verification purposes.
The attacker can then try to log in to one of the victim's accounts, click on
"forgot password", and there is a good chance that the security question
there will be to provide the mother's maiden name.
A weak password recovery scheme totally undermines the effectiveness of a
strong password scheme.
Attack Execution Flow
Understand the password recovery mechanism and how
it works.
Find a weakness in the password recovery mechanism
and exploit it. For instance, a weakness may be that
a standard single security question is used with an
easy to determine answer.
Attack Prerequisites
The system allows users to recover their passwords and gain access back
into the system.
Password recovery mechanism has been designed or implemented
insecurely.
Password recovery mechanism relies only on something the user knows and
not something the user has.
No third party intervention is required to use the password recovery
mechanism.
Typical Likelihood of Exploit
Likelihood: Medium
Methods of Attack
Brute Force
API Abuse
Injection
Examples-Instances
Description
An attacker clicks on the "forgot password" link and is presented with a
single security question. The question asks for the name of the user's
first dog. The system does not limit the number of attempts to provide the
dog's name. The attacker goes through a list of the 100 most popular dog
names and finds the right one, thus gaining the ability to reset the
password and access the system.
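The flow above, as an added example that is not part of the CAPEC entry or any real product: a recovery handler that checks one security question with no attempt limit is run against a small wordlist, next to a hardened variant that needs two of three answers right in one submission and locks after three failed submissions. The victim's answers, the salt and the dog-name list are constructed for the demo.

```python
"""Added example (not from the CAPEC entry or any real product): a single-question,
unlimited-attempt password recovery flow brute-forced from a wordlist, beside a
hardened flow that requires 2 of 3 answers and locks after repeated failures.
All account data and the dog-name list are constructed."""
import hashlib
import hmac


def hash_answer(answer: str, salt: bytes) -> bytes:
    # Normalise so "Bella" and " bella" compare equal, then hash with a KDF so the
    # stored answers are not plaintext (the comparison below is constant-time).
    normalised = answer.strip().lower().encode()
    return hashlib.pbkdf2_hmac("sha256", normalised, salt, 10_000)


SALT = b"constructed-salt"  # constructed; a real system uses a per-user random salt

# Constructed victim account: enrolled answers to three security questions.
VICTIM = {
    "first_dog": hash_answer("Bella", SALT),
    "mother_maiden": hash_answer("Smith", SALT),
    "first_car": hash_answer("Civic", SALT),
}

# Constructed stand-in for the 100-entry "most popular dog names" list.
POPULAR_DOG_NAMES = ["Max", "Buddy", "Charlie", "Jack", "Cooper", "Rocky",
                     "Bear", "Duke", "Toby", "Bella", "Lucy", "Daisy"]


class WeakRecovery:
    """One question, unlimited attempts: the weakness the CAPEC example describes."""

    def __init__(self, account):
        self.account = account

    def answer(self, guess: str) -> bool:
        return hmac.compare_digest(hash_answer(guess, SALT), self.account["first_dog"])


class HardenedRecovery:
    """Three questions, at least two must be correct in a single submission, and
    the recovery flow locks after MAX_FAILURES failed submissions."""
    MAX_FAILURES = 3

    def __init__(self, account):
        self.account = account
        self.failures = 0
        self.locked = False

    def answer(self, guesses: dict) -> bool:
        if self.locked:
            return False
        correct = sum(hmac.compare_digest(hash_answer(g, SALT), self.account[q])
                      for q, g in guesses.items() if q in self.account)
        if correct >= 2:
            return True
        self.failures += 1
        if self.failures >= self.MAX_FAILURES:
            self.locked = True  # the "many incorrect attempts" indicator fires here
        return False


def brute_force_weak(recovery: WeakRecovery, wordlist):
    """Try each name until one is accepted. Returns (name, attempts_used)."""
    for i, name in enumerate(wordlist, 1):
        if recovery.answer(name):
            return name, i
    return None, len(wordlist)


def brute_force_hardened(recovery: HardenedRecovery, wordlist):
    """Same wordlist against the hardened flow: guessing the dog name alone never
    satisfies the 2-of-3 rule, and the account locks after three submissions."""
    for i, name in enumerate(wordlist, 1):
        if recovery.answer({"first_dog": name, "mother_maiden": "Jones",
                            "first_car": "Focus"}):
            return name, i
        if recovery.locked:
            return None, i
    return None, len(wordlist)


if __name__ == "__main__":
    print("weak flow:", brute_force_weak(WeakRecovery(VICTIM), POPULAR_DOG_NAMES))
    hardened = HardenedRecovery(VICTIM)
    print("hardened flow:", brute_force_hardened(hardened, POPULAR_DOG_NAMES),
          "locked =", hardened.locked)
```

The hardened class is deliberately not a complete design (a real deployment would also use per-user salts, a time-based unlock and alerting on the lockout), but it shows the two controls that make the wordlist attack fail: a single correct answer is not enough, and the attacker gets a handful of submissions rather than one per dictionary entry.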
Description
phpBanner Exchange is a PHP script (using the mySQL database) that
facilitates the running of a banner exchange without extensive knowledge
of PHP or mySQL.
A SQL injection was discovered in the password recovery module of the
system that allows recovering an arbitrary user's password and taking
over their account. The problem is due to faulty input sanitization in
phpBannerExchange, specifically of the e-mail address requested by the
password recovery module.
The password recovery module requests the user's e-mail address on the
resetpw.php page. That e-mail address is validated with the following
regular expression:
A bug in the implementation of eregi() allows additional characters to be
passed after a null byte "\0". Since eregi() is implemented in C, the
variable $email is treated as a zero-terminated string, so any characters
following the null byte are never seen by the regular expression. An
e-mail address can therefore be supplied that includes the single-quote
character ' to break out of the SQL query below, and it will not be
rejected by the regular expression because of the null byte trick. The
result is a SQL injection:
$get_info=mysql_query("select * from banneruser where email='$email' "); // $email is interpolated into the query unescaped
This query will return a non-empty result set even though the e-mail
address supplied (the attacker's) is not in the database.
A new password is then generated for the matched user and sent to $email,
an address controlled by the attacker, who can then log in to the system.
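The bug class above modelled in Python, as an added example that is not code from phpBanner Exchange or the CAPEC entry. A validator that behaves like a C zero-terminated string check stops reading at the first NUL byte, so the rest of the input (carrying a single quote) reaches the string-built query; a length-aware check plus a parameterized query closes both holes. The table, its two users, the e-mail pattern and the payload are all constructed; the actual regular expression used by resetpw.php is not reproduced here.

```python
"""Added example (not code from phpBanner Exchange or CAPEC): a model of the
resetpw.php weakness. c_string_match() behaves like the described eregi()
call and only validates the bytes before the first NUL; vulnerable_lookup()
then builds SQL by concatenation. hardened_lookup() validates the whole
string and binds the value as a parameter. All data is constructed."""
import re
import sqlite3

# Constructed, loose e-mail pattern standing in for the script's real regex.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def c_string_match(pattern: re.Pattern, value: str) -> bool:
    """Models eregi() as described: the C code sees only the bytes before the
    first NUL, so whatever follows is never validated."""
    return pattern.match(value.split("\0", 1)[0]) is not None


def safe_match(pattern: re.Pattern, value: str) -> bool:
    """Length-aware check: the whole string must match, NUL byte included."""
    return pattern.fullmatch(value) is not None


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the banneruser table with two constructed users."""
    db = sqlite3.connect(":memory:")
    db.execute("create table banneruser (id integer primary key, email text, password text)")
    db.executemany("insert into banneruser (email, password) values (?, ?)",
                   [("alice@example.org", "s3cret"), ("bob@example.org", "hunter2")])
    return db


def vulnerable_lookup(db: sqlite3.Connection, email: str):
    """Validate like eregi(), then build the query by string concatenation as the
    original code does. Returns the matched e-mail addresses, or None if the
    validator rejected the input.
    Python's sqlite3 refuses SQL text containing a NUL (MySQL's C API, given an
    explicit length, does not), so the NUL is dropped before executing. It sits
    inside the quoted literal, so the set of matching rows is unchanged."""
    if not c_string_match(EMAIL_RE, email):
        return None
    sql = "select * from banneruser where email='" + email + "'"
    rows = db.execute(sql.replace("\0", "")).fetchall()
    return [row[1] for row in rows]


def parameterized_only(db: sqlite3.Connection, email: str):
    """Bound parameter and no validation: a quote in the value cannot change the
    query's structure, so a forged address matches nothing."""
    rows = db.execute("select * from banneruser where email=?", (email,)).fetchall()
    return [row[1] for row in rows]


def hardened_lookup(db: sqlite3.Connection, email: str):
    """Whole-string validation plus a bound parameter."""
    if not safe_match(EMAIL_RE, email):
        return None
    return parameterized_only(db, email)


# Constructed attacker input: an address the attacker controls, a NUL byte,
# then a tail that turns the WHERE clause into a tautology.
PAYLOAD = "attacker@evil.example\0' or '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("eregi-style check passes payload:", c_string_match(EMAIL_RE, PAYLOAD))
    print("vulnerable query matches:", vulnerable_lookup(db, PAYLOAD))
    print("hardened lookup result:", hardened_lookup(db, PAYLOAD))
```

With the payload, the eregi-style check accepts the input, and the concatenated query matches every row, which is the "non-empty result set" the write-up describes even though the attacker's address is not in the table. The hardened path rejects the same input outright, and even if validation were skipped the bound parameter matches no row.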
Related Vulnerabilities
CVE-2006-3013
Attacker Skills or Knowledge Required
Skill or Knowledge Level: Low
Brute force attack
Skill or Knowledge Level: Medium
Social engineering and more sophisticated technical attacks.
Resources Required
For a brute force attack, a machine with sufficient CPU, RAM and disk
space.
Probing Techniques
Trial and error (brute force).
Social Engineering.
Indicators-Warnings of Attack
Many incorrect attempts to answer the security question.
Solutions and Mitigations
Use multiple security questions (e.g. have three and require the user to
answer two of them correctly). Let users select their own security questions
or offer them choices of questions that are not generic. Limit the number of
failed attempts to answer them and lock the recovery flow after a threshold.
E-mail a temporary, single-use password to the user's registered e-mail
address rather than letting the user reset the password online, and send it
only to the address on file, never to one supplied in the recovery request.
Ensure that the password recovery functionality is not vulnerable to
injection attacks: validate input with length-aware checks and use
parameterized queries rather than string concatenation.
Vision and Technical Leadership provided by Cigital, Inc.
This Web site is hosted by The MITRE Corporation.
Copyright 2009, The MITRE Corporation. CAPEC and the CAPEC logo are trademarks of The MITRE Corporation.