# Exploit Title: Duo 2FA bypass via Device Management Portal
# Date: 03-14-2017
# Exploit Author: BrianWGray
# WebPage: https://CTRLu.net/
# Vendor Homepage: https://duo.com/
# Vendor Advisory: https://duo.com/labs/psa/duo-psa-2017-001
# Signed Vendor Advisory: 0005_DUO-PSA-2017-001-v1-signed.txt
# Software Link: https://duo.com/docs/device-management
# Version: Dates ~2014 < 03-06-2017
# Recommended to update to Version 220.127.116.11 or above
# Tested on: Date 02-09-2017
# DUO : DUO-PSA-2017-001
Duo 2FA bypass via Device Management Portal
Duo's cloud service contains two optional features called the Self-Service Portal and the Device Management Portal which allow users to manage their own Duo accounts and enrolled authentication devices. On applications where either feature is enabled, an attacker who also had access to a user's primary credentials could have gained access to the portion of the portal where users can manage (add/change/remove) authentication devices by initiating - but not successfully completing - a second factor authentication, then crafting and loading a special URL.
The second-factor component of the service did not properly validate authorization statements exchanged between the client and server, so the communications could be modified and the client could make an invalid assertion of success.
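The class of flaw described above, as an added illustration (not Duo's code and not taken from the advisory): a portal gate that believes a result carried in the request, beside one that consults server-side transaction state bound to the session and user. All function names, the `txid` and `result` parameters, and the 60-second lifetime are assumptions.

```python
import hmac
import secrets
import time

TXNS = {}   # hypothetical server-side store of second-factor transactions
TTL = 60    # assumed lifetime of a transaction, in seconds


def start_2fa(session_id, user, now=None):
    """Runs after the primary credentials verify; the factor is still pending."""
    now = time.time() if now is None else now
    txid = secrets.token_urlsafe(16)
    TXNS[txid] = {"session": session_id, "user": user,
                  "state": "pending", "expires": now + TTL}
    return txid


def record_factor_result(txid, approved):
    """Called only by the server-side factor verifier, never by the browser."""
    txn = TXNS.get(txid)
    if txn is not None and txn["state"] == "pending":
        txn["state"] = "approved" if approved else "denied"


def portal_access_trusting_client(params):
    """Flawed gate: accepts a status value carried in the request itself."""
    return params.get("result") == "success"


def portal_access_server_checked(session_id, user, params, now=None):
    """Hardened gate: ignores client claims and checks server state, once."""
    now = time.time() if now is None else now
    txid = params.get("txid", "")
    txn = TXNS.get(txid)
    if txn is None:
        return False
    ok = (txn["state"] == "approved"
          and hmac.compare_digest(txn["session"], session_id)
          and txn["user"] == user
          and now <= txn["expires"])
    if ok:
        del TXNS[txid]   # single use: a replayed txid is rejected
    return ok
```

The hardened gate grants access to device management only when the server itself recorded an approval for that session and user, so a second factor that was initiated but never completed stays `pending` and is refused.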
2. Proof of Concept
In a successful attack, an adversary who had previously compromised a user's primary credentials may have been able to add authentication devices or modify previously-registered authentication devices for that user, ultimately leading to bypass of second-factor authentication.
A fix that correctly enforces authentication in the Self-Service Portal and Device Management Portal has been deployed to Duo's cloud service. No action is necessary for customers to resolve the issue.
Duo privately receives report of a security vulnerability in the Self-Service Portal and Device Management Portal
Duo acknowledges receipt of report and begins investigation
Duo confirms vulnerability exists
Duo begins development of a patch
Duo confirms the vulnerability with the reporting party
Duo commits and tests a fix
Fix is deployed to all Duo cloud deployments, closing off the vulnerability for all customers
Duo begins retrospective evaluation for all possible indicators that the vulnerability might have been exploited
Duo confirms via retrospective analysis that no attacks have occurred in the previous 90 days, and begins searching back toward the origin of the vulnerability in March 2014
Duo concludes retrospective evaluation for all possible indicators that the vulnerability might have been exploited
Duo begins developing functionality to allow customers to access information about flagged user activities and, if desired, disable logins and require re-enrollment for these users
Duo completes development of remediation functionality, and begins testing/deployment
Deployment of remediation functionality completed
PSA distributed to potentially impacted customers