
CVE-2021-36460 PoC — VeryFitPro authorization vulnerability

Source
Associated Vulnerability
Title: VeryFitPro authorization vulnerability (CVE-2021-36460)
Description: VeryFitPro is a health management application from Shenzhen Aidu Technology Co., Ltd. (China). It is used together with the brand's own smart wristbands and lets users view information such as step count, calories burned and sleep quality in real time. VeryFitPro 3.2.8 contains a security vulnerability: the application hashes the account password locally on the device and uses that hash for authentication in all communication with the backend API, including login, registration and password changes. An attacker in possession of the hash can exploit this to take over the user's account.
Readme
# CVE-2021-36460

NVD CVE-2021-36460:
https://nvd.nist.gov/vuln/detail/CVE-2021-36460

MITRE CVE-2021-36460:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-36460

## [CWE-836: Use of Password Hash Instead of Password for Authentication](https://cwe.mitre.org/data/definitions/836.html)

The VeryFitPro app (Android: [com.veryfit2hr.second](https://play.google.com/store/apps/details?id=com.veryfit2hr.second), [iOS](https://apps.apple.com/us/app/veryfitpro/id1176428281)) <=3.3.7 hashes the account's password locally on the device using SHA-1 and uses the hash to authenticate in all communication with the backend API, including login, registration and changing of passwords.

This allows an attacker in possession of a hash to take over a user's account without knowing the original password, rendering the security benefits of storing hashed passwords in the database useless.
This is also known as a [Pass the Hash attack](https://attack.mitre.org/techniques/T1550/002/).

As of the 22nd of April 2022, both Android and iOS apps **are affected in their most recent versions** (3.3.7).
The Android app has **over 10,000,000 installs**, the iOS app has 3.4K ratings and is the #198 app in the "Health & Fitness" category.

## Proof of concept

For example, during login, the app hashes the password entered by the user using SHA-1 locally on the device and then makes a `POST` request to the URL `http://veryfitproapi.veryfitplus.com/user/login` with a request body like this:

```
area=Europe&password=5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8&account=foo%40bar.com
```

The backend then parses the request body, comparing the hash value defined by the `password` key with the hash stored in the database in order to verify authentication of the user.

### Attack scenario

1. Attacker obtains the password hash of a user, for example through SQL injection, information exposure or sniffing
2. Attacker performs login on any Android device / emulator or iOS device using the VeryFitPro app
3. Attacker intercepts the `POST` login request and replaces in the request body the hash value of `password` and the email address of `account` with the user's
4. Attacker is now logged in as the user
5. Attacker can now impersonate the user and perform actions like changing the password by using the app

## Mitigation

- In the apps, transmit the original password (unhashed) in the request body via HTTPS to the backend API.
- In the backend, hash the password parsed from the request body before comparing it to the hash in the database.
- In order to mitigate [CWE-327](https://cwe.mitre.org/data/definitions/327.html), the passwords must be hashed using a strong algorithm like [Argon2](https://github.com/P-H-C/phc-winner-argon2).
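The following is an added illustration (not code from the advisory or the vendor) of the two verification patterns described above: the vulnerable one, where the server accepts the client-computed SHA-1 hash as the credential, and the hardened one, where the plaintext is sent over HTTPS and hashed server-side with a salted, slow KDF. PBKDF2-HMAC-SHA256 from the Python standard library is assumed here as a stand-in for the Argon2 the advisory recommends.

```python
import hashlib
import hmac
import os
from urllib.parse import parse_qs

# Login body exactly as shown in the advisory. The password field is already a
# SHA-1 digest computed on the device (5baa61e4... is SHA-1 of the string "password").
LOGIN_BODY = "area=Europe&password=5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8&account=foo%40bar.com"


def parse_login(body: str) -> dict:
    """Parse an x-www-form-urlencoded login body into a flat dict of single values."""
    return {k: v[0] for k, v in parse_qs(body, strict_parsing=True).items()}


def legacy_stored_hash(password: str) -> str:
    """What the vulnerable backend keeps in its database: an unsalted SHA-1 of the password."""
    return hashlib.sha1(password.encode()).hexdigest()


# --- Vulnerable pattern (CWE-836): the client sends a hash and the server compares it as-is.
def verify_hash_as_password(body: str, stored_sha1_hex: str) -> bool:
    """Anyone holding the stored hash can authenticate: the hash itself is the credential."""
    fields = parse_login(body)
    return hmac.compare_digest(fields["password"], stored_sha1_hex)


# --- Hardened pattern: the client sends the plaintext over HTTPS, the server hashes it with a
# per-user salt and a slow KDF. PBKDF2 is used here only because it needs no extra dependency;
# Argon2 is the advisory's recommendation (assumption for this example).
PBKDF2_ITERATIONS = 600_000


def make_record(password: str) -> dict:
    """Create the stored record for a user: random salt plus salted PBKDF2 digest."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"salt": salt, "hash": digest}


def verify_plaintext_password(body: str, record: dict) -> bool:
    """Recompute the salted hash server-side; a leaked stored hash is useless as a login token."""
    fields = parse_login(body)
    candidate = hashlib.pbkdf2_hmac(
        "sha256", fields["password"].encode(), record["salt"], PBKDF2_ITERATIONS
    )
    return hmac.compare_digest(candidate, record["hash"])
```

Feeding the advisory's captured body to both verifiers shows the difference: the vulnerable check accepts the replayed hash, while the hardened check treats the hex string as a (wrong) password and rejects it.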

## Timeline

- **25th of June 2021**: Vulnerability found by [@martinfrancois](https://github.com/martinfrancois), CVE ID requested and vendor contacted
- **28th of June 2021**: No reply from vendor, contacted vendor again
- **6th of April 2022**: [CVE-2021-36460](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36460) received
- **15th of April 2022**: No reply from vendor, contacted vendor again
- **22nd of April 2022**: No reply from vendor, [advisory](https://github.com/martinfrancois/CVE-2021-36460) published
File Snapshot

```
[4.0K] /data/pocs/c56320cf5321c89bfb850d94b6bb78a389f5fc03
└── [3.2K] README.md

0 directories, 1 file
```