DUO Security push Timing Attack

[jpierini () paysw com]

DUO “push” Timing Attack

PSC Risk Assessment
CVSS 7.3, (AV:N/AC:L/Au:M/C:C/I:N/A:C/E:F/RL:ND/RC:ND)

Description
Duo “push” authentications are susceptible to a low-profile timing-based attack that permits an intruder to steal an 
authenticated session from an end-user accessing Duo-protected resources.  Specifically, when multiple “push” 
notifications arrive simultaneously (or nearly so), only the final one is shown to the user.  When the user 
authenticates that notification, only the corresponding session will actually be authenticated.  If an attacker can 
initiate an equivalent connection slightly after the client’s session, then the user will typically authorize the 
malicious session rather than his or her own.

Proof of Concept
PSC has created a software agent that targets Duo “push” authentications for remote desktop (RDP) services.  This agent 
collects the client system’s netstat information twenty or more times per second, looking for outbound connections to 
the Duo-protected resource.  

Once detected, the agent then monitors the RDP connection to determine when the desktop has been created and the “push” 
notification has been sent.  The agent then sends a notification across the network to the attacker’s system, where 
another agent immediately initiates another connection to the RDP service.
Since the malicious session begins slightly after the client’s legitimate session (typically less than one second), the 
victim’s mobile device will display a single “push” notification representing the malicious session, rather than the 
legitimate one.  The user will likely authorize (since a mobile authorization is expected).

The attacker’s system gains an authenticated session, while the victim’s session times out.  In practical execution, 
most users will assume that there was a glitch of some sort, and try again without recognizing the security import of 
the failed connection.  The timeout provides sufficient opportunity for a prepared attacker to make use of the stolen 
session (consider also that an attacker may target another RDP server or the RDP console session, and thus produce two 
simultaneous, valid RDP sessions).

Preconditions
The intruder must possess the following in order to carry out this attack: 
1.      Knowledge of the credentials used by the victim when accessing the resource.
      a.        This can usually be obtained by keylogging, collection of password vaults, file shares, etc.
2.      The ability to execute code on the victim’s system.

 
Configurations Affected
•       Duo Security Authentication Proxy 2.4.8
•       Duo Win Login 1.1.8

PSC’s current software agent is designed specifically for remote desktop (RDP).  This design can be adapted to target 
other services, such as web applications, VPNs, etc.  The key observation is that the malicious agent must be able to 
determine with reasonable precision (within one second) when the “push” notification has been initiated.  

Also, this attack assumes that “push” notifications are used for authentications.  If the user prefers the numeric 
entry method, this type of attack will not work.  That said, there are practical attacks against keyboard entry as 
well, so this should not be considered a secure workaround or alternative.


Research Credit
Josh Stone, PSC Penetration Tester
Patrick Fussell, PSC Penetration Tester

Timeline
2015-02-04      Successful proof of concept 
2015-02-13      Disclosure submitted to security () duosecurity com 
2015-02-25      Vendor Confirmation of Vulnerability
2015-06-08      Vendor Fix Released: https://www.duosecurity.com/blog/raising-the-bar-anomaly-detection