How I Hacked into Pune University’s Exam/Teachers Portal


Shreyas Gurjar

Bypassing the Authentication mechanism results in an amazing Account takeover.

Introduction :

Good day, guys! I’m Shreyas Gurjar, a student at Fergusson College in Pune studying for an MSc in Computer Science, and I’m a Certified Ethical Hacker. I’m also a Bug Bounty hunter. Today I’d like to reveal one of my findings, which I discovered at one of India’s elite universities, where I was able to gain access to any Teacher account on the web application.

Ethical Hacking Content Disclaimer:

Shreyas Gurjar’s articles on Ethical Hacking are strictly for educational and informational purposes. This blog’s tutorial and demo are just for those who are willing and curious to learn about Ethical Hacking, Security, and Penetration Testing. Any use of the term “Hacking” on this blog shall be considered Ethical Hacking. Shreyas Gurjar will not be found responsible for any actions taken by any reader. Please leave this blog immediately if you plan to exploit the content for illegal purposes.

Coming to the point on how I discovered a critical bug on a Pune University BCUD teachers login portal.

What is Account Takeover?

An unauthorized third party successfully gains access to a user’s account credentials, which is a type of fraud and identity theft. Malicious hackers can change account details, send malicious emails, steal financial information or sensitive data, and use any stolen information to access many accounts within the organization by impersonating the real user.

In short, “An attacker can exploit an authentication vulnerability in the application to take full control of the victim’s account and use it without the victim’s knowledge or consent.”

What is the best way to go about it?

Account takeover bugs can be discovered in a variety of ways, including brute-forcing the OTP, account takeover via IDOR, and so on. I’ve discovered plenty of account takeover vulnerabilities so far, and there are more on the way. In this blog article, I’ll show you how I got account takeover via OTP Leakage in Request and account takeover via inappropriate server-side mobile number and Email validation.

To reproduce the problem, some information is required :

To reset a teacher’s password, you need the username or PAN card number of a registered teacher. Finding teachers’ usernames is not difficult: I obtained one teacher’s legitimate id from the BCUD login user manual, and after cracking that account username I obtained all teachers’ usernames under Pune University.

Scenario 1: Account takeover via improper mobile number and Email validation on the server.

Description of the issue:

The BCUD teacher login portal has a forgot password feature. Whenever a teacher wants to reset their password using their teacher id or PAN card number, two password reset options are offered:

Forgot Password Send through Email
Forgot Password Send through SMS

I experimented with both options. For both Forgot Password Send through Email and Forgot Password Send through SMS, I opened Burp Suite and captured the request, where I saw the data being sent to the server in URL-encoded format with two vulnerable parameters, MobileNo and EmailId.

Then I replaced the teacher’s mobile number and email address in the request with the attacker’s mobile number and email address. To my surprise, the attacker’s mobile number and email address received the OTP and password reset link, and the teacher’s password was successfully changed, leading to an account takeover.

Following are the steps to reproduce this vulnerability:

1. The attacker sends a forgot password request for a genuine teacher id and is given the option of resetting the password through email or mobile number.
2. Both options are vulnerable, so the attacker can select either reset through mobile or reset via email and capture the request.
3. The attacker forwards the request after changing the teacher’s mobile number or email id to his own mobile number or email id.
4. The attacker obtains the OTP and password reset link and uses them to reset the teacher’s password, taking over the account.
5. The attacker’s email and mobile number receive a “your password changed successfully” message like this.

Without the teacher being aware of it, we have successfully updated the password for the teacher’s account.

Scenario 2: Account takeover via OTP Leakage in Request.

Description of the issue:

A forgot password feature was implemented which sent an OTP to the specified mobile number. The first thing I did was capture the request when the forgot password through SMS option was used: it was a URL-encoded data transfer with two parameters, txtOTP and OTP.

The parameters look like this: txtOTP: XYZ&OTP: XYZ

This is what the reset request with an invalid OTP looks like when I capture it:

txtOTP:Invalid..OTP..123456..&OTP:Valid..OTP..555305

The vulnerable OTP parameter is leaking the valid OTP here. When I entered the correct OTP and clicked the confirm button, I was redirected to the password reset page, which resulted in an account takeover.

Following are the steps to reproduce this vulnerability:

1. The attacker sends a forgot password request for the victim’s account through SMS, enters an invalid OTP in the field, and captures the request.
2. The attacker observes two values in the request: the invalid OTP that was entered and a valid OTP.
3. The attacker copies the valid OTP from the request into the OTP field and BOOM, the teacher’s password has been changed.
4. In this scenario, the teacher’s mobile number receives a “your password changed successfully” message like this.

For demonstration purposes, please see the attached video.
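As an added illustration (not the portal’s code; the teacher table, the TeacherId parameter, and the function names are assumptions), here is a minimal Python sketch of both defects side by side with the server-side handling that removes them: the OTP destination comes only from the record on file, never from MobileNo/EmailId in the request, and the OTP exists only as a server-side hash, so nothing secret is rendered back into the txtOTP/OTP form state.

```python
# Added example, not the BCUD portal's code. The teacher directory,
# the TeacherId parameter and the function names are assumptions.
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs

# Constructed sample directory: teacher id -> contact details on record.
TEACHERS = {"T1001": {"mobile": "+91-90000-00001", "email": "t1001@example.invalid"}}
_pending = {}   # teacher id -> sha256 of the issued OTP (never the OTP itself)
sent = []       # (destination, otp) pairs a real system would hand to SMS/email


def _new_otp() -> str:
    return f"{secrets.randbelow(10**6):06d}"


def vulnerable_reset_request(body: str) -> str:
    """Both defects from the write-up: trusts the client-supplied contact
    details (scenario 1) and echoes the valid OTP into the form (scenario 2)."""
    form = parse_qs(body)
    uid, otp = form["TeacherId"][0], _new_otp()
    _pending[uid] = hashlib.sha256(otp.encode()).hexdigest()
    sent.append((form["MobileNo"][0], otp))   # destination chosen by the client
    return f"txtOTP=&OTP={otp}"               # valid OTP leaks in the response


def safe_reset_request(body: str) -> str:
    """Fixed flow: destination from the database only, OTP never rendered."""
    form = parse_qs(body)
    uid = form["TeacherId"][0]
    record = TEACHERS.get(uid)
    if record is not None:                    # same response either way
        otp = _new_otp()
        _pending[uid] = hashlib.sha256(otp.encode()).hexdigest()
        sent.append((record["mobile"], otp))  # MobileNo/EmailId are ignored
    return "txtOTP="                          # nothing secret in the form


def verify_otp(uid: str, submitted: str) -> bool:
    """Constant-time check against the stored hash; one use per OTP.
    A real deployment adds expiry and an attempt limit on top of this."""
    expected = _pending.get(uid)
    if expected is None:
        return False
    digest = hashlib.sha256(submitted.encode()).hexdigest()
    if not hmac.compare_digest(expected, digest):
        return False
    del _pending[uid]
    return True
```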

Vulnerability Impact:

Because of this vulnerability, an attacker can simply access a teacher’s account without knowing their password and perform illegal actions such as:

Direct access to the Internal marks portal
Changing or viewing Internal marks
Assigning Internal and External for Examination
Viewing teachers’ personal information
Financial information like FORM 16
Chairman contribution details [Paper setting]
Examination CAP appointment
Science coordinator claim
Exam work payment details [CAP paper setting]
Final and pre-final Question Bank submission details
Online Exam contribution, etc.

It has an impact on the overall security of 900+ colleges in India [ Under SPPU only ], with over 100,000+ teachers registered with SPPU [Pune University].

Reporting Timeline:

> The problem has been reported to the head of the SPPU Edutech Foundation: 28th December 2021

> The Development team has resolved the problem: 29th December 2021

I hope you enjoyed it!
If you have any questions, please contact me on Twitter and Instagram @shreyasrx

Until the next time Greetings!! :)

Thanks and Regards

https://twitter.com/shreyasrx

https://twitter.com/india_shield?t=kR0Z0PaMeCR9G_2nm7dIYw&s=09
