WWBN AVideo LoginControl Plugin PGP 2FA Bypass Vulnerability

Vulnerability

A vulnerability in the LoginControl plugin of WWBN AVideo versions through 26.0 allows for bypassing PGP two-factor authentication (2FA). The issue arises because the 'createKeys()' function generates 512-bit RSA keys, which have been publicly factorable since 1999. An attacker who acquires a user's public key can easily factor the RSA modulus, derive the private key, and decrypt any PGP 2FA challenge, effectively nullifying the second authentication factor. Additionally, the 'generateKeys.json.php' and 'encryptMessage.json.php' endpoints lack authentication checks, exposing resource-intensive key generation to anonymous users.

Impact

Exploiting this vulnerability bypasses PGP 2FA, allowing attackers to gain unauthorized access to user accounts that rely on this authentication method. This could lead to full account takeover, especially if combined with compromised credentials. Furthermore, the unauthenticated endpoints can be abused to perform denial-of-service attacks by overwhelming the server with resource-heavy RSA key generation requests.

Reproduction

To reproduce this vulnerability, first enable PGP 2FA in the AVideo application, which will generate a 512-bit RSA keypair and save the public key to the database. Next, access the 'generateKeys.json.php' endpoint without authentication to create a new keypair. Once the public key is obtained, extract the RSA modulus and factor it using available tools. After factoring the modulus, reconstruct the private key and use it to decrypt a PGP-encrypted challenge from the login page. Finally, submit the decrypted challenge to the 'verifyChallenge.json.php' endpoint to complete the 2FA bypass.

Remediation

Users should update to the patched version of the LoginControl plugin, which includes key generation with a minimum of 2048 bits and adds authentication to the previously unauthenticated endpoints. Instructions for updating the plugin can be found in the AVideo documentation.
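As an added illustration of the two remediation points (not the LoginControl plugin's own code), the PHP below enforces a minimum RSA modulus size at key creation, provides a strength check that can also audit keys already stored in the database, and gates the endpoint behind a login check. It assumes keys are handled as PEM through PHP's openssl extension, since the page does not show the plugin's PGP library; `User::isLogged()` is assumed to be AVideo's session check, and the helper names are hypothetical.

```php
<?php
// Added example, not the plugin's code. Assumes PEM keys via ext/openssl;
// User::isLogged() is assumed to be AVideo's session check.

const MIN_RSA_BITS = 2048;

// Reject any RSA public key whose modulus is shorter than $minBits.
// Usable when creating a key and when auditing keys already in the DB.
function assertKeyStrength(string $publicKeyPem, int $minBits = MIN_RSA_BITS): int
{
    $key = openssl_pkey_get_public($publicKeyPem);
    if ($key === false) {
        throw new RuntimeException('Unparseable public key');
    }
    $details = openssl_pkey_get_details($key);
    if ($details['type'] !== OPENSSL_KEYTYPE_RSA) {
        throw new RuntimeException('Expected an RSA public key');
    }
    if ($details['bits'] < $minBits) {
        throw new RuntimeException("RSA modulus is {$details['bits']} bits; minimum is {$minBits}");
    }
    return $details['bits'];
}

// Hardened createKeys(): the key size is explicit, never a library default.
function createKeys(int $bits = MIN_RSA_BITS): array
{
    if ($bits < MIN_RSA_BITS) {
        throw new InvalidArgumentException("Refusing to create a {$bits}-bit RSA key");
    }
    $res = openssl_pkey_new([
        'private_key_bits' => $bits,
        'private_key_type' => OPENSSL_KEYTYPE_RSA,
    ]);
    if ($res === false) {
        throw new RuntimeException('openssl_pkey_new failed: ' . openssl_error_string());
    }
    openssl_pkey_export($res, $privateKeyPem);
    $publicKeyPem = openssl_pkey_get_details($res)['key'];
    assertKeyStrength($publicKeyPem, $bits); // never persist a weak key
    return ['public' => $publicKeyPem, 'private' => $privateKeyPem];
}

// Guard for generateKeys.json.php / encryptMessage.json.php: authenticate
// before spending CPU on key generation or encryption.
if (!User::isLogged()) {
    http_response_code(401);
    header('Content-Type: application/json');
    die(json_encode(['error' => true, 'msg' => 'Authentication required']));
}
```

Running `assertKeyStrength()` over every public key stored for existing users identifies keys created by the vulnerable version, which must be regenerated after the update.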

Added: Mar 23, 2026, 4:24 PM
Updated: Mar 23, 2026, 4:24 PM

Vulnerability Rating

Custom Algorithm
spread: 1.0
impact: 2.5
exploitability: 8.9
remediation: 0.0
relevance: 4.6
threat: 4.8
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.