antMan 0.9.0c - Authentication Bypass

EDB-ID: 44262
Author: Joshua Bowser
Published: 2018-03-07
CVE: CVE-2018-7739
Type: Webapps
Platform: Java
Vulnerable App: N/A

# Date: 02-27-2018
# Software Link: https://www.antsle.com
# Version: <= 0.9.0c
# Tested on: 0.9.0c
# Exploit Author: Joshua Bowser
# Contact: [email protected]
# Website: http://www.codecatoctin.com
# Category: web apps

1. Description

antMan versions <= 0.9.0c contain a critical authentication defect, allowing an unauthenticated attacker to obtain root permissions within the antMan web management console.

http://blog.codecatoctin.com/2018/02/antman-authentication-bypass.html


2. Proof of Concept

The antMan authentication implementation obtains user-supplied username and password parameters from a POST request issued to /login. Next, antMan utilizes Java’s ProcessBuilder class to invoke, as root, a bash script called antsle-auth.

This script contains two critical defects that allow an attacker to bypass the authentication checks. By changing the username to > and the password to a URL-encoded linefeed (%0a), we can force the authentication script to produce return values not anticipated by the developer.

To exploit these defects, use a web proxy to intercept the login attempt and modify the POST parameters as follows:

#-------------------------
POST /login HTTP/1.1
Host: 10.1.1.7:3000
[snip]

username= > &password=%0a
#-------------------------

You will now be successfully authenticated to antMan as the administrative root user.
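The root cause described above is a login handler that forwards raw form values to an external helper and then trusts whatever that helper happens to return. The following is an added defensive example, written for this advisory and not taken from antMan or antsle-auth: it decodes the login body, rejects any username or password that could change how a downstream script behaves (a bare redirect character, embedded newlines, other control characters) before any process is started, and interprets the helper's outcome fail-closed. The helper path, the argv calling convention, and the rule that only exit status 0 means "authenticated" are assumptions for illustration; the username allowlist is an example policy, not antMan's.

```python
"""Added defensive example (not antMan's code): validate login input before it
reaches an external authentication helper, and treat the helper's result
fail-closed. The helper path and the success convention (exit status 0 means
"authenticated") are assumptions for illustration, not antsle-auth's contract."""
import re
import subprocess
from typing import Optional
from urllib.parse import parse_qs

# Example allowlist for account names: letters, digits, dot, underscore, hyphen.
USERNAME_RE = re.compile(r"^[A-Za-z0-9._-]{1,64}$")
MAX_PASSWORD_LEN = 256


def parse_login_body(body: str) -> dict:
    """Decode an application/x-www-form-urlencoded login body into its two
    fields. keep_blank_values so an empty field is seen, not silently dropped."""
    fields = parse_qs(body, keep_blank_values=True)
    return {
        "username": fields.get("username", [""])[0],
        "password": fields.get("password", [""])[0],
    }


def validate_credentials(username: str, password: str) -> Optional[str]:
    """Return None when both values are safe to hand to the helper, otherwise a
    reason string. Anything outside the username allowlist, or any control
    character (newline, tab, NUL, ...) in the password, is rejected before any
    process runs."""
    if not USERNAME_RE.fullmatch(username):
        return "username must match [A-Za-z0-9._-]{1,64}"
    if not password or len(password) > MAX_PASSWORD_LEN:
        return "password length out of range"
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in password):
        return "password contains control characters"
    return None


def run_auth_helper(helper_path: str, username: str, password: str) -> bool:
    """Invoke the helper with separate argv entries (no shell, so nothing is
    re-parsed) and decide fail-closed: only a clean exit status 0 counts as
    success; a missing helper, a timeout, or any other status is a denial.
    helper_path is an assumed location, not antsle-auth's real path."""
    if validate_credentials(username, password) is not None:
        return False
    try:
        completed = subprocess.run(
            [helper_path, username, password],  # list form: never shell=True
            capture_output=True, timeout=10, check=False,
        )
    except (OSError, subprocess.TimeoutExpired):
        return False
    return completed.returncode == 0


if __name__ == "__main__":
    # Constructed sample: the exact body shown in the advisory above.
    creds = parse_login_body("username= > &password=%0a")
    print(repr(creds), "->", validate_credentials(**creds))
```

Run stand-alone, the script decodes the advisory's body to a username of `' > '` and a password of `'\n'` and reports both rejections without ever starting the helper. The two checks are independent on purpose: pre-validation stops hostile input from reaching a script that was never written to handle it, and the strict `returncode == 0` rule means an unexpected or error exit from the helper can never be mistaken for a successful login.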


3. Solution

Update to version 0.9.1a
