DUO Security push Timing Attack

From: jpierini@paysw.com
To: bugtraq@securityfocus.com
Subject: DUO Security push Timing Attack

DUO \u201cpush\u201d Timing Attack

PSC Risk Assessment

Duo \u201cpush\u201d authentications are susceptible to a low-profile timing-based attack that permits an intruder to steal an authenticated session from an end-user accessing Duo-protected resources.  Specifically, when multiple \u201cpush\u201d notifications arrive simultaneously (or nearly so), only the final one is shown to the user.  When the user authenticates that notification, only the corresponding session will actually be authenticated.  If an attacker can initiate an equivalent connection slightly after the client\u2019s session, then the user will typically authorize the malicious session rather than his or her own.

Proof of Concept
PSC has created a software agent that targets Duo \u201cpush\u201d authentications for remote desktop (RDP) services.  This agent collects the client system\u2019s netstat information twenty or more times per second, looking for outbound connections to the Duo-protected resource.  

Once detected, the agent then monitors the RDP connection to determine when the desktop has been created and the \u201cpush\u201d notification has been sent.  The agent then sends a notification across the network to the attacker\u2019s system, where another agent immediately initiates another connection to the RDP service.
Since the malicious session begins slightly after the client\u2019s legitimate session (typically less than one second), the victim\u2019s mobile device will display a single \u201cpush\u201d notification representing the malicious session, rather than the legitimate one.  The user will likely authorize (since a mobile authorization is expected).

The attacker\u2019s system gains an authenticated session, while the victim\u2019s session times out.  In practical execution, most users will assume that there was a glitch of some sort, and try again without recognizing the security import of the failed connection.  The timeout provides sufficient opportunity for a prepared attacker to make use of the stolen session (consider also that an attacker may target another RDP server or the RDP console session, and thus produce two simultaneous, valid RDP sessions).

The intruder must possess the following in order to carry out this attack: 
1.    Knowledge of the credentials used by the victim when accessing the resource.
      a.       This can usually be obtained by keylogging, collection of password vaults, file shares, etc.
2.     The ability to execute code on the victim\u2019s system.

Configurations Affected
\u2022   Duo Security Authentication Proxy 2.4.8
\u2022      Duo Win Login 1.1.8

PSC\u2019s current software agent is designed specifically for remote desktop (RDP).  This design can be adapted to target other services, such as web applications, VPNs, etc.  The key observation is that the malicious agent must be able to determine with reasonable precision (within one second) when the \u201cpush\u201d notification has been initiated.  

Also, this attack assumes that \u201cpush\u201d notifications are used for authentications.  If the user prefers the numeric entry method, this type of attack will not work.  That said, there are practical attacks against keyboard entry as well, so this should not be considered a secure workaround or alternative.

Research Credit
Josh Stone, PSC Penetration Tester
Patrick Fussell, PSC Penetration Tester

2015-02-04        Successful proof of concept 
2015-02-13     Disclosure submitted to security@duosecurity.com 
2015-02-25        Vendor Confirmation of Vulnerability
2015-06-08     Vendor Fix Released: https://www.duosecurity.com/blog/raising-the-bar-anomaly-detection

Copyright © 1995-2019 LinuxRocket.net. All rights reserved.