Vesta Vigilantism

Back to our attack. So, we can perform a time attack against this ‘reset code’. What’s the reset code? Reading through the source, we can see that password reset codes are generated when a user account is created using the following function:

This shows us that default reset codes are ten characters long and mixed-case alphanumeric.

Another problem to note with the reset function is that it’s possible to brute-force this code, as there are no CAPCHAs, rate-limits or timeouts used. That said, brute-forcing every possible combination would result in a lot of requests. How many? Well, for 62 possible characters in a ten-character long password, that’s 62^10.

Not that bad, right? Wrong.

That little ^ is the power symbol. That means that 62^10 gives just about 839 quadrillion combinations. Even if you guessed a beefy 1000 combinations a second (we’re talking over the internet, here) you’d be waiting a solid 26 and a half million years. Yeah. Sod that for a laugh.

Instead, how about I show you a method where we only have to perform about 50,000 guesses for each character – 50000*62*10 — for a total of 31 million requests? If you were able to guess at a similar rate of 1000/second, it would take you about eight and a half hours. I’m liking these numbers a lot more already.

“So how would I only have to guess 50,000 for each character?”, I hear you wail. “Are you insane? Do you require assistance?”

Yes. I don’t talk about it. Not since last time. But I digress.

In our method, we will make 50,000 requests for each potential character of the password. Then we will take the most likely candidate (the character whose average request time took the longest) and repeat that process for all characters in the sequence. 50,000 is a random guess of how many requests we will need to make to be confident of the character in a given position.

To further explain the theory, you’d make 50,000 requests with the code 0000000000. Then 1000000000, 2000000000 and so on until you reach Z000000000. Assuming the reset code is ‘AB12345678‘, you’d realise that A000000000 took ever so slightly longer than the rest to complete, so you assume A is the first character. You then take a crack at guessing the second character by moving on to guessing the second position, sending A000000000, A100000000 and so on.

Wonderful. So how about doing it in practice?

Well to save you time and effort (I know, I’m so kind) here’s[2] a link to a proof of concept that does exactly that. It took me a long time to achieve this on a VM, running locally, so YMMV getting this to run over the internet. It’s definitely possible, however. In Theory™. (Probably with a better thought out codebase, see ‘future ideas’ section in README.md)

If you happen to be running Vesta CP, they’ve now patched the issue in the source tree. Please update your installation to at least version 0.9.8-23.

For further details and advice for users, please see the Vesta CP website.

This vulnerability has been assigned CVE-2018-1000884 – additional details can be found on the CVE and NIST National Vulnerability Databases.