revalo / duo-bypass

Stuff after reverse engineering DUO's mobile app.

No longer works: Duo internal API changed #8

Closed mizlan closed 9 months ago

mizlan commented 1 year ago

POSTing returns the following error body:

{'code': 40112, 'message': 'Signature type is not supported', 'stat': 'FAIL'}

avient commented 1 year ago

Same. Would be great to get it to work.

mattf1n commented 1 year ago

Any idea how to reverse engineer it? I'm guessing an (emulated) android device could be used to check what the new signature should be?

calebmwelsh commented 1 year ago

I'm currently attempting to reverse engineer this repo: link. However, I'm not very familiar with the JavaScript syntax, so it might take a while. If anyone would like to take a crack at it, please lmk.

kop316 commented 1 year ago

I played around with it somewhat:

I can download the APK here: https://help.duo.com/s/article/2211 (no google play needed)

And disassemble it with: https://github.com/APKLab/APKLab . APKLab has a MITM function, but that doesn't work with DUO. In digging in:

From res/values/Public.xml, you can see:

   <public type="raw" name="duo_cacert_keystore" id="0x7f0f0003" />

DUO uses its own keystore located in res/raw/duo_cacert_keystore, and the password is PUBLIC_CA_KEYSTORE_PW. The format is BCFKS. APKLab doesn't look to modify this.

0x7f0f0003 is only referenced in smali/g3/a.smali

I was able to put a new HTTPS cert successfully into DUO (I was trying to use https://mitmproxy.org/ to proxy the authentication), but there seemed to be some network authentication it does to inspect the integrity of the APK, so I wasn't successful in proxying the network. They also use OkHTTP: https://github.com/square/okhttp as their http server.

Not really sure where to go at this point, but maybe this helps someone else?

davidjao commented 1 year ago

Workaround for now:

  1. Set up ruo to work with the account.
  2. ruo will create a response.json file. Inside this file, there is a hotp_secret value. Let's say the secret is aaaabbbbccccddddeeeeffff00001111
  3. Using this hotp_secret value, create a duotoken.hotp file in the same directory as this program: (echo -n "aaaabbbbccccddddeeeeffff00001111" | base32 && echo 1) > duotoken.hotp

Once your duotoken.hotp file is set up as above, duo_gen.py will generate the correct one-time codes.
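One way to turn that duotoken.hotp file into one-time codes, as an added example that is not code from duo-bypass, ruo, DuOSU or duo_gen.py: it writes the same two-line file the posted shell command produces (line 1: base32 of the hotp_secret string, line 2: the counter), then derives HOTP codes per RFC 4226 and advances the counter after each code. Assumptions not stated in the thread: HMAC-SHA1, 6 digits, and the HOTP key being the ASCII bytes of the hex string exactly as `echo -n ... | base32` pipes them (not the decoded hex). The `hotp` function is checked against the RFC 4226 test vectors; the sample secret is the one from the comment above.

```python
"""HOTP (RFC 4226) generator for the duotoken.hotp layout described above.

Added example, not code from revalo/duo-bypass or any other project in the
thread.  Assumptions: HMAC-SHA1, 6 digits, key = ASCII bytes of the secret
string (which is what `echo -n "<hex>" | base32` encodes), counter bumped
after every issued code.
"""
import base64
import hashlib
import hmac
import struct


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation (low nibble of the last byte picks a 4-byte window)."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def make_duotoken(hotp_secret: str, counter: int = 1) -> str:
    """Produce the same text as:
        (echo -n "<hotp_secret>" | base32 && echo 1) > duotoken.hotp
    coreutils base32 emits padded output plus a newline; `echo 1` adds "1\\n"."""
    b32 = base64.b32encode(hotp_secret.encode("ascii")).decode("ascii")
    return f"{b32}\n{counter}\n"


def parse_duotoken(text: str) -> tuple[bytes, int]:
    """Read (key, counter) back out of the two-line file; reject anything else."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) != 2:
        raise ValueError("duotoken.hotp must hold exactly two lines: base32 secret, counter")
    secret_b32, counter_str = lines
    key = base64.b32decode(secret_b32, casefold=True)
    counter = int(counter_str)
    if counter < 0:
        raise ValueError("counter must be non-negative")
    return key, counter


def next_code(text: str) -> tuple[str, str]:
    """Return (code, updated file text).  The counter is incremented every
    time a code is issued so a value the server already accepted is never
    generated again; the caller writes `updated` back to duotoken.hotp."""
    key, counter = parse_duotoken(text)
    code = hotp(key, counter)
    updated = f"{base64.b32encode(key).decode('ascii')}\n{counter + 1}\n"
    return code, updated


if __name__ == "__main__":
    # Constructed sample: the secret quoted in the comment above, counter 1.
    token_text = make_duotoken("aaaabbbbccccddddeeeeffff00001111")
    code, token_text = next_code(token_text)
    print("code:", code)
    print("new file contents:")
    print(token_text, end="")
```

Because the counter only ever moves forward on the client, the file must be rewritten after every code; regenerating the same counter twice (for example by restoring a backup of duotoken.hotp) produces a code the server has already consumed and will not accept again.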

kop316 commented 1 year ago

@davidjao thanks for that! Assuming it is working, it shouldn't be too hard to port that to this?

EDIT: it looks like ruo is based off of: https://github.com/FreshSupaSulley/DuOSU Which currently works

ivanov commented 9 months ago

see https://github.com/WillForan/duo-hotp/pull/1 for how you can provide the expected signature to get around

{'code': 40112, 'message': 'Signature type is not supported', 'stat': 'FAIL'}

I was able to use duo-hotp after incorporating the changes from #3 that were made to duo-bypass (see https://github.com/WillForan/duo-hotp/pull/2)

kop316 commented 9 months ago

@ivanov thanks for that! I have been maintaining a fork and pushed a commit that fixes it: https://gitlab.com/kop316/duo-cli

I also made an MR to fix it here: https://github.com/revalo/duo-bypass/pull/9

mizlan commented 9 months ago

Could someone explain how the fix works? Is the pubkey field used anywhere at all later? Do we need to store it, etc.? Or is it just there to satisfy the API?

Edit: I see! Thanks!

ivanov commented 9 months ago

> Could someone explain how the fix works? Is the pubkey field used anywhere at all later? Do we need to store it, etc.? Or is it just there to satisfy the API?

just for completeness, since mizlan already saw it, the explanation is in https://github.com/WillForan/duo-hotp/pull/1 which is that it's only used once for registering a device (whereas the duo mobile application hangs on to the certificate and uses it to sign future logins), so no need to save it.