Vulnerable Software: Maharashtra State Electricity Board Android Application
Vulnerability: Account takeover via OTP Fixation
Affected Version: 7.50 and prior
Patched: Yes
Vendor Homepage: https://www.mahadiscom.in/en/home/
App store link: https://play.google.com/store/apps/details?id=com.msedcl.app&hl=en_IN&gl=US
CVE: CVE-2021-41716
CVE Author: Tejas Nitin Pingulkar
Exploit Available: POC Available
About Affected Software
The Official App for Consumer by Mahavitaran (MSEDCL). Mahavitaran Consumer App enables consumers to avail Mahavitaran services at his/her fingertips. The app is simple and easy to use. It provides transparency in delivering services to consumers.
►Features :
*View and Pay bill
*Register and Track complaints
*View Bill and Payment history
*Manage Multiple Electricity Connections
*Contact 24 x7 MSEDCL Call Center
*Apply for New Connection
* Know the status of New Connection Application and Pay Estimate Charges
*Submit Meter Reading to avoid average billing
*Provide Feedback about Mahavitaran Services
*Update Contact Details ( Mobile Number & E-mail ID ) of consumer
*Find MSEDCL offices and collection centers near you
*Estimate your monthly electricity consumption and bill amount
*Get Information about the Feeder from where the power supply is provided to your connection
*Apply for the change of name
*Submit an application for addition/reduction in load
Exploit
Authentication bypass using OTP Fixation
OTP reset functions use the id field
An attacker can manipulate the OTP ID field as each OTP id has a fixed OTP code.
Let’s generate OTP for a password reset.
Now as demonstrated in Video POC below OTP ID is 7310828, and Correct OTP for this id is 565449
Now we know that for OTP ID 7310828 Correct OTP is 565449; hence we can use the same OTP ID and OTP pair to reset any user account and take full control.
Proof Of Concept
Thanks!