ID PACKETSTORM:146689 Type packetstorm Reporter Joshua Bowser Modified 2018-03-07T00:00:00
Description
# Exploit Title: antMan <= 0.9.0c Authentication Bypass
# Date: 02-27-2018
# Software Link: https://www.antsle.com
# Version: <= 0.9.0c
# Tested on: 0.9.0c
# Exploit Author: Joshua Bowser
# Contact: joshua.bowser@codecatoctin.com
# Website: http://www.codecatoctin.com
# Category: web apps
1. Description
antMan versions <= 0.9.0c contain a critical authentication defect, allowing an unauthenticated attacker to obtain root permissions within the antMan web management console.
http://blog.codecatoctin.com/2018/02/antman-authentication-bypass.html
2. Proof of Concept
The antMan authentication implementation obtains user-supplied username and password parameters from a POST request issued to /login. Next, antMan uses Java's ProcessBuilder class to invoke, as root, a bash script called antsle-auth.
This script contains two critical defects that allow an attacker to bypass the authentication checks. By changing the username to > and the password to a URL-encoded linefeed (%0a), we can force the authentication script to produce return values not anticipated by the developer.
To exploit these defects, use a web proxy to intercept the login attempt and modify the POST parameters as follows:
#-------------------------
POST /login HTTP/1.1
Host: 10.1.1.7:3000
[snip]
username= > &password=%0a
#-------------------------
You will now be successfully authenticated to antMan as the administrative root user.
3. Solution:
Update to version 0.9.1a
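The root cause described above is a login handler that forwards raw request parameters to a privileged helper process and trusts whatever comes back. The following is an added example (not antsle's code and not the advisory author's) of the two controls such a handler needs: allowlist validation of both parameters before anything crosses the process boundary, and a fail-closed reading of the helper's result. The helper path /usr/local/bin/auth-helper and its AUTH_OK success token are assumptions, and the access-log entries are constructed; the last function runs the same allowlist over those entries to show how the bypass pattern from the advisory stands out in logs.

```python
"""Defensive controls for a login handler that delegates to an external helper.

Added example, not antMan's code. A handler that hands credentials to a helper
process (as antMan's /login did via ProcessBuilder and antsle-auth) needs
(1) strict allowlist validation before anything crosses the process boundary
and (2) a fail-closed reading of the helper's result. The helper path and its
success token below are assumptions, and the log lines are constructed.
"""
import re
import subprocess
from typing import Callable, List, Optional, Tuple
from urllib.parse import parse_qs

# Allowlists, applied with fullmatch(): a '$' anchor would accept a value that
# ends in a newline (re matches '$' before a trailing '\n'), which is exactly
# the class of input this check exists to stop.
USERNAME_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")   # POSIX-portable names
PASSWORD_RE = re.compile(r"[\x20-\x7e]{1,128}")       # printable ASCII, no control chars

HELPER_PATH = "/usr/local/bin/auth-helper"  # hypothetical, not the antsle path
HELPER_OK = b"AUTH_OK"                      # assumed success token on stdout


def validate_credentials(username: str, password: str) -> bool:
    """True only when both values are safe to pass to another process."""
    return bool(USERNAME_RE.fullmatch(username) and PASSWORD_RE.fullmatch(password))


def parse_login_body(body: str) -> Tuple[str, str]:
    """Decode an x-www-form-urlencoded /login body; blank values are kept."""
    params = parse_qs(body, keep_blank_values=True)
    return params.get("username", [""])[0], params.get("password", [""])[0]


def helper_says_yes(exit_code: int, stdout: bytes) -> bool:
    """Fail closed: success is exit status 0 AND the exact expected token."""
    return exit_code == 0 and stdout.strip() == HELPER_OK


def _run_helper(username: str, password: str) -> Tuple[int, bytes]:
    """Invoke the helper without a shell; the password goes over stdin, not argv."""
    proc = subprocess.run([HELPER_PATH, username], input=password.encode(),
                          capture_output=True, timeout=5)
    return proc.returncode, proc.stdout


def authenticate(body: str,
                 run_helper: Optional[Callable[[str, str], Tuple[int, bytes]]] = None) -> bool:
    """Decision for one /login request. Malformed input never reaches the helper."""
    username, password = parse_login_body(body)
    if not validate_credentials(username, password):
        return False
    exit_code, out = (run_helper or _run_helper)(username, password)
    return helper_says_yes(exit_code, out)


# Constructed access-log entries, one per /login attempt (not real traffic).
LOGIN_LOG = [
    "10.1.1.7 POST /login body=username=admin&password=hunter2",
    "10.1.1.7 POST /login body=username= > &password=%0a",
    "10.1.1.7 POST /login body=username=bob&password=pa%0dss",
]


def flag_suspicious_logins(lines: List[str]) -> List[str]:
    """Return log entries whose parameters would fail the allowlist."""
    flagged = []
    for line in lines:
        body = line.split("body=", 1)[1] if "body=" in line else ""
        if not validate_credentials(*parse_login_body(body)):
            flagged.append(line)
    return flagged


if __name__ == "__main__":
    for entry in flag_suspicious_logins(LOGIN_LOG):
        print("suspicious:", entry)
```

The ordering matters: validation runs before the helper is invoked, so a request like the one in the advisory is rejected without the script ever running, and a helper that exits 0 with unexpected output (or exits non-zero) is treated as a failed login rather than an unknown state. The same allowlist doubles as a detection rule over request logs.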
Record metadata
ID: PACKETSTORM:146689 (type packetstorm, bulletin family exploit)
Title: antMan 0.9.0c Authentication Bypass
Reporter: Joshua Bowser
Published / modified: 2018-03-07T00:00:00
CVE: CVE-2018-7739
Vulners score: 5.4 (no CVSS vector recorded on this entry)
Page: https://packetstormsecurity.com/files/146689/antMan-0.9.0c-Authentication-Bypass.html
Source file: https://packetstormsecurity.com/files/download/146689/antman090c-bypass.txt
Last seen: 2018-03-08T01:03:21 (view count 3)

Related records

CVE-2018-7739 (NVD, published 2018-03-07T02:29:00, modified 2019-10-03T00:03:00)
Description: antsle antman before 0.9.1a allows remote attackers to bypass authentication via invalid characters in the username and password parameters, as demonstrated by a username=>&password=%0a string to the /login URI. This allows obtaining root permissions within the web management console, because the login process uses Java's ProcessBuilder class and a bash script called antsle-auth with insufficient input validation.
CWE: CWE-20
CVSS v3.0: 9.8 CRITICAL, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (exploitability 3.9, impact 5.9)
CVSS v2: 7.5 HIGH, AV:N/AC:L/Au:N/C:P/I:P/A:P (exploitability 10.0, impact 6.4)
CPE: cpe:2.3:a:antsle:antman:0.9.0c:*:*:*:*:*:*:*
Link: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-7739

1337DAY-ID-29966 (0day.today, published 2018-03-07T00:00:00, last seen 2018-03-14T19:31:28)
Title: antMan 0.9.0c - Authentication Bypass Vulnerability
Description: Exploit for php platform in category web applications
Links: https://0day.today/exploit/description/29966 ; https://0day.today/exploit/29966

EDB-ID:44220 (Exploit-DB, published 2018-03-02T00:00:00, last seen 2018-05-24T14:05:20)
Title: antMan < 0.9.1a - Authentication Bypass
Description: antMan < 0.9.1a - Authentication Bypass. CVE-2018-7739. Webapps exploit for Multiple platform
CVSS: 7.5, AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL
Links: https://www.exploit-db.com/exploits/44220/ ; https://www.exploit-db.com/download/44220/

EDB-ID:44262 (Exploit-DB, published 2018-03-07T00:00:00, last seen 2018-05-24T14:06:43)
Title: antMan 0.9.0c - Authentication Bypass
Description: antMan 0.9.0c - Authentication Bypass. CVE-2018-7739. Webapps exploit for Java platform
CVSS: 7.5, AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL
Links: https://www.exploit-db.com/exploits/44262/ ; https://www.exploit-db.com/download/44262/