@superboy-zjc
Last active March 24, 2025 00:32
Open Event Server has a token encryption oracle leading to email verification bypass


Summary

Open Event Server has a token encryption oracle. By leveraging it, attackers can craft the verification token for any email address, leading to email verification bypass.

Vulnerability Analysis

What is Encryption Oracle Attack

The encryption oracle attack is a new threat surface and a variant of the well-known padding oracle attack.

Definition of Encryption Oracle

In the web security field, an encryption or cryptographic function falls under the definition of an encryption oracle when a user serves as both its input and its output data source.

Encryption Oracle Attack

There are three essential threat vectors in a web application that, together, can lead to disastrous consequences and form a hotbed for an encryption oracle attack.

  • Encryption oracle function: The web application contains an encryption or cryptographic function for which the user serves as both the input and the output data source.
  • Secret key reuse: The secret key used in the encryption oracle function is reused for other encryption operations with highly sensitive purposes, such as email verification token generation.
  • Encryption scheme reuse: The encryption/cryptographic scheme used for sensitive operations is the same as the one used for the encryption oracle function.

With these three threat vectors in place, an attacker can potentially craft arbitrary authenticated encrypted messages and submit them to sensitive APIs without knowing the secret key itself.

Vulnerability Analysis of Open Event Server

The encryption oracle in Open Event Server is in the send_email_change_user_email function, where the user's old email address is signed with HMAC-SHA1 using the app secret key, and the result serves as the email change token sent to the user's new email address.

However, Open Event Server also uses the same encryption scheme and the same secret key to generate email verification tokens.

Therefore, attackers can first register the email address they want to compromise, say admin@gov.gov, which starts in unverified status. Then, by changing the email address to one of their own, attackers obtain an email verification token that can be used to verify admin@gov.gov, an address that does not belong to them.

Proof of Concept

Mitigation

  • Use different secret keys for different cryptographic operations.
  • Add a unique salt to different cryptographic operations.
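
The two mitigations above, as an added example (not code from Open Event Server or from the author of this write-up): a minimal HMAC-SHA1 token signer showing that a token minted by the email-change feature passes the email-verification check when key and scheme are shared, and is rejected once each feature signs under its own purpose-derived key. The key, function names and purpose labels are hypothetical, and deriving the per-purpose key with HMAC is one possible way to apply the salt.

```python
import base64
import hashlib
import hmac

SECRET_KEY = b"constructed-demo-key"  # constructed sample standing in for the app secret


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _key(purpose: str) -> bytes:
    # Empty purpose: every feature signs with the raw app key (the weak pattern).
    # Non-empty purpose: the label acts as a salt and yields a per-feature key.
    if not purpose:
        return SECRET_KEY
    return hmac.new(SECRET_KEY, purpose.encode(), hashlib.sha1).digest()


def sign(value: str, purpose: str = "") -> str:
    """Return 'value.signature', both parts URL-safe base64."""
    mac = hmac.new(_key(purpose), value.encode(), hashlib.sha1).digest()
    return f"{_b64(value.encode())}.{_b64(mac)}"


def verify(token: str, purpose: str = ""):
    """Return the signed value if the token is valid for this purpose, else None."""
    try:
        enc_value, _sig = token.split(".")
        padded = enc_value + "=" * (-len(enc_value) % 4)
        value = base64.urlsafe_b64decode(padded).decode()
    except (ValueError, UnicodeDecodeError):
        return None
    expected = sign(value, purpose).encode()
    return value if hmac.compare_digest(expected, token.encode()) else None


def cross_use_accepted(email: str, salted: bool) -> bool:
    """Mint a token in the email-change flow, then present it to the
    email-verification check. True means the verifier accepted it."""
    token = sign(email, "email-change" if salted else "")
    return verify(token, "email-verify" if salted else "") == email


if __name__ == "__main__":
    addr = "user@example.test"  # constructed sample address
    print("shared key and scheme, cross-use accepted:", cross_use_accepted(addr, salted=False))
    print("per-purpose salt, cross-use accepted:", cross_use_accepted(addr, salted=True))
```
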