oss-sec mailing list archives

CVE Request: MITM & Shoulder-surfing vuln in Ruby OTP/HOTP/TOTP library "ROPT"

From: Justin Bull <me () justinbull ca>
Date: Sat, 20 Jun 2015 17:12:27 -0400

Hello,

Please excuse me if I’m doing this incorrectly, this is my first time attempting to acquire a CVE ID for a discovered 
vulnerability.

NOTE: I have already sent a similar email to MITRE requesting a CVE ID, but been advised to submit here as well (then 
cancel the request to MITRE, since those poor folks deal with thousands of requests).


== Affected Software: ==

The Ruby One Time Password Library (https://github.com/mdp/rotp)

A ruby library for generating one time passwords (HOTP & TOTP) according to RFC 4226 and RFC 6238.

ROTP is compatible with the Google Authenticator available for Android and iPhone.


== Type of Attack: ==

- Man in The Middle
- Shoulder Surfing


== Versions affected: ==

All versions.


== Description of Vulnerability: ==

The TOTP feature of the software is not fully compliant with Section 5.2 of RFC 6238[1] and does not “burn” a 
successfully validated OTP.

When the provider sends a valid OTP to the verifier, the verify must not accept subsequent submissions of the same OTP 
in that given time step. That is, in order to maintain the “One-Time” aspect of a One-Time Password, it can be used 
once and only once.


== Impact / Attack: ==

In a two-factor authentication context, an attacker could Man-in-The-Middle the connection between the verifier and 
provider, obtain the username, password, & OTP values, and log in with the credentials within the current time step (a 
30 second window, if defaults are used). Arguably, this defeats the two-factor authentication since the OTP can be 
replayed multiple times.

Alternatively, an attacker could “shoulder surf” the victim’s second factor device in lieu of compromising the 
connection.

This information has been captured in the bug report to the maintainer of ROTP[2].


== Solution: ==

None yet, the fix[3] is not merged into codebase and not released.


== Acknowledgements: ==

Thanks to Viliam Holub (https://github.com/vilda) for originally tipping me off to the RFC non-compliance in software 
that utilizes the ROTP library[4].


== References:==

[1]: https://tools.ietf.org/html/rfc6238#section-5.2
[2]: https://github.com/mdp/rotp/issues/44
[3]: https://github.com/mdp/rotp/pull/45
[4]: https://github.com/tinfoil/devise-two-factor/issues/30


Best Regards,

Justin Bull
PGP Fingerprint: E09D 38DE 8FB7 5745 2044 A0F4 1A2B DEAA 68FD B34C

Attachment: signature.asc
Description: Message signed with OpenPGP using GPGMail

Current thread:

CVE Request: MITM & Shoulder-surfing vuln in Ruby OTP/HOTP/TOTP library "ROPT" Justin Bull (Jun 20)
- Re: CVE Request: MITM & Shoulder-surfing vuln in Ruby OTP/HOTP/TOTP library "ROPT" - ROTP cve-assign (Jun 21)
  - Re: CVE Request: MITM & Shoulder-surfing vuln in Ruby OTP/HOTP/TOTP library "ROPT" - ROTP Justin Bull (Jun 21)
    - Re: CVE Request: MITM & Shoulder-surfing vuln in Ruby OTP/HOTP/TOTP library "ROPT" - ROTP cve-assign (Jun 22)