# 2FA credential leakage in SOGo 5.2.0

Reported 2021-10-05, patched 2021-10-15, published 2022-04-02.

SOGo groupware can leak TOTP credential in calendar events under certain conditions:

  1. There are 2 accounts attacker@ & victim@ on the same SOGo system.
  2. 2FA is enabled for victim@.
  3. victim@’s calendar must be either:
    1. Shared with attacker@
    2. Or with ‘all authenticated users’.
  4. victim@’s calendar sharing settings must have at least one of Public/Confidential/Private configured to View the Date & Time for attacker@ or all authenticated users.
  5. victim@ must have at least one event in their calendar with a visibility that’s configured to View the Date & Time.
attacker@ can then access victim@’s WebDAV XML feed. Any events with View the Date & Time visibility will have a long hex UID. The attacker can then hex decode the UID & use bytes [32;44) as victim@’s TOTP secret.

## Details

SOGo uses the first 12 bytes of UserSettings’ userSalt as TOTP secret:
SoObjects/SOGo/SOGoUser.m 
- (NSString *) totpKey
{
#if defined(MFA_CONFIG)
  NSString *key, *result;
  const char *s;
  char *secret;

  size_t s_len, secret_len;

  key = [[[self userSettings] userSalt] substringToIndex: 12];
The same userSalt is used by calendar when obfuscating UIDs for events that have View date & time visibility (introduced in 875a4aca3218340fd4d3141950c82c2ff45b343d):
SoObjects/Appointments/SOGoCalendarComponent.m 
  uid = [[component uid] asCryptedPassUsingScheme: @"ssha256"
                                         withSalt: [[settings userSalt] dataUsingEncoding: NSASCIIStringEncoding]
                                      andEncoding: encHex
                                          keyPath: nil];
And the ssha256 scheme appends the salt to the hash:
SoObjects/SOGo/NSData+Crypto.m 
- (NSData *) asSSHA256UsingSalt: (NSData *) theSalt
{
  NSMutableData *sshaData;

  // generate salt, if not available
  if ([theSalt length] == 0)
    theSalt = [NSData generateSaltForLength: 8];

  // put the pass and salt together as one data array
  sshaData = [NSMutableData dataWithData: self];
  [sshaData appendData: theSalt];
  // generate SHA1 from pass + salt
  sshaData = [NSMutableData dataWithData: [sshaData asSHA256]];
  // append salt again
  [sshaData appendData: theSalt];

  return sshaData;
}
Finally, calendar UIDs are visible in WebDAV feeds, e.g.: 
<vevent>[...]
<summary><text>(Confidential event)</text></summary>
<uid><text>fe5af31ed1a48c59194ac04a9d1a855fd50816a5be4b8ed3[...]</text></uid>
contact /at/ haiiro.dev