39 lines
No EOL
1.4 KiB
Text
39 lines
No EOL
1.4 KiB
Text
# Exploit Title: antMan <= 0.9.0c Authentication Bypass
|
||
# Date: 02-27-2018
|
||
# Software Link: https://www.antsle.com
|
||
# Version: <= 0.9.0c
|
||
# Tested on: 0.9.0c
|
||
# Exploit Author: Joshua Bowser
|
||
# Contact: joshua.bowser@codecatoctin.com
|
||
# Website: http://www.codecatoctin.com
|
||
# Category: web apps
|
||
|
||
1. Description
|
||
|
||
antMan versions <= 0.9.c contain a critical authentication defect, allowing an unauthenticated attacker to obtain root permissions within the antMan web management console.
|
||
|
||
http://blog.codecatoctin.com/2018/02/antman-authentication-bypass.html
|
||
|
||
|
||
2. Proof of Concept
|
||
|
||
The antMan authentication implementation obtains user-supplied username and password parameters from a POST request issued to /login. Next, antMan utilizes Java’s ProcessBuilder class to invoke, as root, a bash script called antsle-auth.
|
||
|
||
This script contains two critical defects that allow an attacker to bypass the authentication checks. By changing the username to > and the password to a url-encoded linefeed (%0a), we can force the authentication script to produce return values not anticipated by the developer.
|
||
|
||
To exploit these defects, use a web proxy to intercept the login attempt and modify the POST parameters as follows:
|
||
|
||
#-------------------------
|
||
POST /login HTTP/1.1
|
||
Host: 10.1.1.7:3000
|
||
[snip]
|
||
|
||
username= > &password=%0a
|
||
#-------------------------
|
||
|
||
You will now be successfully authenticated to antMan as the administrative root user.
|
||
|
||
|
||
3. Solution:
|
||
|
||
Update to version 0.9.1a |