Her0in · 2015/11/17 11:02
Recently, the security researcher Gabor published two articles on how defects in authentication algorithms that rely on the Network Time Protocol (NTP) can be used to bypass WordPress login authentication. The two articles describe, respectively, the flaws in NTP-dependent authentication algorithms and how to exploit them to bypass WordPress login authentication, together with a POC and related tools. The following is a summary of the two articles. 😉
0x00 The authentication algorithm of the WordPress Google Authenticator plug-in
You can learn about NTP here.
TOTP algorithm based on NTP
Let’s take Google Authenticator, a plugin for WordPress, as an example to illustrate the implementation details of a typical token generator for time-based one-time passwords (TOTP).
As shown in the figure below, the TOTP algorithm combines a key seed with the server’s current timestamp to produce a 6-digit token that changes every 30 seconds. This is the familiar “dynamic password”.
The weakness of this generation process is that the same key seed and the same timestamp always yield the same dynamic password. The key seed is fixed and beyond the attacker’s control, but as long as the timestamp can be controlled, the dynamic password corresponding to any chosen timestamp can be reproduced.
Figure 1: NTP-based TOTP algorithm
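The algorithm in Figure 1, written out as an added example (this is not code from the article or from the plugin). The seed is a constructed demo value (the RFC 4226 test secret, base32-encoded as Google Authenticator stores seeds), and the `TotpVerifier` class is an assumed server-side check that also models the plugin’s refusal to accept the same dynamic password twice:

```python
import base64
import hashlib
import hmac
import struct

# Constructed demo seed: the RFC 4226 test secret "12345678901234567890",
# base32-encoded the way Google Authenticator stores it. Not a seed from the article.
DEMO_SEED_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
TIME_STEP = 30   # seconds per token window
DIGITS = 6       # token length used by the plugin


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed_b32: str, unix_time: int) -> str:
    """RFC 6238 TOTP: the HOTP counter is the 30-second window the server clock falls in."""
    return hotp(base64.b32decode(seed_b32), unix_time // TIME_STEP)


class TotpVerifier:
    """Server-side check: accepts a code from the current window (+/- `skew` windows of
    clock drift) and, like the plugin, never accepts a window that was already consumed."""

    def __init__(self, seed_b32: str, skew: int = 1):
        self.secret = base64.b32decode(seed_b32)
        self.skew = skew
        self.last_counter = -1   # highest window already used for a successful login

    def verify(self, code: str, unix_time: int) -> bool:
        counter = unix_time // TIME_STEP
        for c in range(counter - self.skew, counter + self.skew + 1):
            if c > self.last_counter and hmac.compare_digest(hotp(self.secret, c), code):
                self.last_counter = c   # burn the window so the same code cannot be replayed
                return True
        return False


if __name__ == "__main__":
    # Same seed and same window always give the same token: the property the attack relies on.
    print(totp(DEMO_SEED_B32, 59), totp(DEMO_SEED_B32, 30))   # both "287082"
    v = TotpVerifier(DEMO_SEED_B32)
    print(v.verify("287082", 59), v.verify("287082", 60))     # True, then False (replay)
```

With a frozen clock the counter never advances, so the whole search space is the 10^6 six-digit values; the replay check limits each value to one use but does nothing against a clock that is pinned.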
Attack by changing the server clock
Today, many networks that use NTP neither encrypt nor authenticate NTP traffic. An attacker in a man-in-the-middle position can therefore tamper with the data in transit and feed the NTP client a forged timestamp. Gabor cites several earlier articles and tools on NTP security:
- Delorean, a tool that sends forged timestamps to NTP clients.
- Attacking the Network Time Protocol, a paper that presents several other attack vectors against NTP.
- Jose Selvi’s presentation at DEF CON 23, a video of his NTP research.
Combining the tools above with any of a variety of man-in-the-middle techniques, the clock of a remote server can be controlled through NTP.
The ntpd service that sets the time on Unix will not accept a forged timestamp, so a plain timestamp forgery attack does not work against it. It can, however, be attacked in combination with the CVE-2015-5300 vulnerability.
Another way to set the time is ntpdate. Its setup is very simple and is recommended in the Ubuntu wiki, so this method of time setting is used in many places. You can set it up by following the official manual and this blog post.
The setup consists of nothing more than running ntpdate from crontab. But note that ntpdate will accept whatever data the NTP server sends it!
Several well-known open source projects such as the Yocto Project and OpenWRT, startups, countless configuration scripts hosted on GitHub, more than 50,000 Docker users and even VPS providers use ntpdate for time synchronization.
It was already pointed out in 2002 that running ntpdate from crontab is not a good idea.
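As an added example (not code from the article, from ntpdate or from Delorean), the following parses the transmit timestamp of an NTP reply (RFC 5905 packet layout) and applies the kind of maximum-step plausibility check that ntpd enforces by default (1000 s) and that ntpdate, as described above, does not. The reply packet is constructed inline so the check can be exercised offline; the offset calculation ignores network delay, which is an assumption that is fine for rejecting steps of hours or days.

```python
import struct
import time

NTP_UNIX_OFFSET = 2208988800   # seconds from the NTP epoch (1900-01-01) to the Unix epoch (1970-01-01)
MAX_STEP_SECONDS = 1000        # ntpd's default panic threshold; ntpdate applies no such limit


def parse_transmit_time(packet: bytes) -> float:
    """Return the Transmit Timestamp (bytes 40..47 of an RFC 5905 packet) as Unix time."""
    if len(packet) < 48:
        raise ValueError("NTP packet shorter than 48 bytes")
    seconds, fraction = struct.unpack("!II", packet[40:48])
    return seconds - NTP_UNIX_OFFSET + fraction / 2 ** 32


def build_server_reply(unix_time: float, stratum: int = 2) -> bytes:
    """Constructed NTPv4 server reply (LI=0, VN=4, Mode=4) carrying `unix_time`; test input only."""
    whole = int(unix_time)
    header = bytes([(0 << 6) | (4 << 3) | 4, stratum, 6, 0xEC])  # flags, stratum, poll, precision
    root_fields = bytes(12)   # root delay, root dispersion, reference id (zeroed)
    timestamps = bytes(24)    # reference, origin and receive timestamps (zeroed)
    transmit = struct.pack("!II", whole + NTP_UNIX_OFFSET, int((unix_time - whole) * 2 ** 32))
    return header + root_fields + timestamps + transmit


def clock_step_allowed(packet: bytes, local_unix_time: float, max_step: float = MAX_STEP_SECONDS):
    """Plausibility check before applying a reply: returns (accept, offset_in_seconds).
    A cron job that calls ntpdate could run this guard instead of trusting any answer."""
    offset = parse_transmit_time(packet) - local_unix_time
    return abs(offset) <= max_step, offset


if __name__ == "__main__":
    now = time.time()
    print(clock_step_allowed(build_server_reply(now + 2), now))           # small drift: accepted
    print(clock_step_allowed(build_server_reply(now - 7 * 86400), now))   # week-old time: rejected
```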
0x01 Bypassing WordPress login authentication
Given the above, the preconditions for the attack can be summarized as follows:
- Both ntpd and ntpdate are vulnerable to MITM attacks
- Tools for attacking NTP already exist
- The timestamp used by the TOTP algorithm can therefore be controlled and modified
The Google Authenticator plugin for WordPress enables two-factor authentication for logins to the WordPress admin backend, as shown below:
Figure 2: The Google Authenticator plug-in turns on two-factor authentication for WordPress admin backend logins
Because the man-in-the-middle attack can pin the server time to a chosen value, the dynamic password no longer rotates and can be brute-forced; it takes at most about a million attempts.
Attack test
Set up the following network environment:
- Three Ubuntu VMs
- The Delorean NTP server
- WordPress v4.3.1 with the Google Authenticator plug-in v3.8.11 installed
- The two-factor brute-force tool WPBiff (supports the Google Authenticator and WP Google Authenticator plug-ins)
The network is very simple: all three Ubuntu VMs just need to be on the same subnet, as shown below:
Figure 3: Setting up the attack network environment
To simulate a man-in-the-middle attack that tampers with NTP traffic, we first modify the /etc/hosts file of the WordPress server, as shown in the following figure:
Figure 4: Modifying the /etc/hosts file
Next, assume that the administrator uses a scheduled task to synchronize the time every minute (as many people do), as shown below:
Figure 5: The administrator synchronizes the time every minute
We then run Delorean with a preset time as its argument, while the WordPress server keeps synchronizing its time every minute.
Figure 6: Delorean is executed with a preset time as an argument
Now we run WPBiff on another virtual machine, the attacker’s machine, passing the WordPress admin backend username and password and the same timestamp as above as its parameters, as shown below:
Figure 7: Run WPBiff to start the attack
After WPBiff had run for 39 minutes, the 6-digit numeric dynamic password was successfully brute-forced, and valid session cookies for logging in to the WordPress admin backend were dumped as well, as shown below:
Figure 8: Dynamic password successfully brute-forced
Because the plugin does not allow a dynamic password to be reused, the dumped session cookies are used to log in to the WordPress admin backend directly. In three further tests, brute-forcing the dynamic password took 51 minutes, 57 minutes and 83 minutes respectively.
Figure 9: Successfully logged in to the WordPress admin backend
0x02 References
- blog.gaborszathmari.me/2015/11/11/…
- blog.gaborszathmari.me/2015/11/11/…