[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
DUO Security push Timing Attack
- To: bugtraq@xxxxxxxxxxxxxxxxx
- Subject: DUO Security push Timing Attack
- From: jpierini@xxxxxxxxx
- Date: Thu, 18 Jun 2015 19:45:30 GMT
DUO ?push? Timing Attack
PSC Risk Assessment
CVSS 7.3, (AV:N/AC:L/Au:M/C:C/I:N/A:C/E:F/RL:ND/RC:ND)
Description
Duo ?push? authentications are susceptible to a low-profile timing-based attack
that permits an intruder to steal an authenticated session from an end-user
accessing Duo-protected resources. Specifically, when multiple ?push?
notifications arrive simultaneously (or nearly so), only the final one is shown
to the user. When the user authenticates that notification, only the
corresponding session will actually be authenticated. If an attacker can
initiate an equivalent connection slightly after the client?s session, then the
user will typically authorize the malicious session rather than his or her own.
Proof of Concept
PSC has created a software agent that targets Duo ?push? authentications for
remote desktop (RDP) services. This agent collects the client system?s netstat
information twenty or more times per second, looking for outbound connections
to the Duo-protected resource.
Once detected, the agent then monitors the RDP connection to determine when the
desktop has been created and the ?push? notification has been sent. The agent
then sends a notification across the network to the attacker?s system, where
another agent immediately initiates another connection to the RDP service.
Since the malicious session begins slightly after the client?s legitimate
session (typically less than one second), the victim?s mobile device will
display a single ?push? notification representing the malicious session, rather
than the legitimate one. The user will likely authorize (since a mobile
authorization is expected).
The attacker?s system gains an authenticated session, while the victim?s
session times out. In practical execution, most users will assume that there
was a glitch of some sort, and try again without recognizing the security
import of the failed connection. The timeout provides sufficient opportunity
for a prepared attacker to make use of the stolen session (consider also that
an attacker may target another RDP server or the RDP console session, and thus
produce two simultaneous, valid RDP sessions).
Preconditions
The intruder must possess the following in order to carry out this attack:
1. Knowledge of the credentials used by the victim when accessing the
resource.
a. This can usually be obtained by keylogging, collection of
password vaults, file shares, etc.
2. The ability to execute code on the victim?s system.
 
Configurations Affected
? Duo Security Authentication Proxy 2.4.8
? Duo Win Login 1.1.8
PSC?s current software agent is designed specifically for remote desktop (RDP).
This design can be adapted to target other services, such as web applications,
VPNs, etc. The key observation is that the malicious agent must be able to
determine with reasonable precision (within one second) when the ?push?
notification has been initiated.
Also, this attack assumes that ?push? notifications are used for
authentications. If the user prefers the numeric entry method, this type of
attack will not work. That said, there are practical attacks against keyboard
entry as well, so this should not be considered a secure workaround or
alternative.
Research Credit
Josh Stone, PSC Penetration Tester
Patrick Fussell, PSC Penetration Tester
Timeline
2015-02-04 Successful proof of concept
2015-02-13 Disclosure submitted to security@xxxxxxxxxxxxxxx
2015-02-25 Vendor Confirmation of Vulnerability
2015-06-08 Vendor Fix Released:
https://www.duosecurity.com/blog/raising-the-bar-anomaly-detection