antMan 0.9.0c Authentication Bypass

2018-03-07T00:00:00
ID PACKETSTORM:146689
Type packetstorm
Reporter Joshua Bowser
Modified 2018-03-07T00:00:00

Description

# Exploit Title: antMan <= 0.9.0c Authentication Bypass  
# Date: 02-27-2018  
# Software Link: https://www.antsle.com  
# Version: <= 0.9.0c  
# Tested on: 0.9.0c  
# Exploit Author: Joshua Bowser  
# Contact: joshua.bowser@codecatoctin.com  
# Website: http://www.codecatoctin.com  
# Category: web apps  
  
1. Description  
  
antMan versions <= 0.9.0c contain a critical authentication defect, allowing an unauthenticated attacker to obtain root permissions within the antMan web management console.  
  
http://blog.codecatoctin.com/2018/02/antman-authentication-bypass.html  
  
  
2. Proof of Concept  
  
The antMan authentication implementation obtains user-supplied username and password parameters from a POST request issued to /login. Next, antMan utilizes Java's ProcessBuilder class to invoke, as root, a bash script called antsle-auth.  
  
This script contains two critical defects that allow an attacker to bypass the authentication checks. By changing the username to > and the password to a URL-encoded linefeed (%0a), we can force the authentication script to produce return values not anticipated by the developer.  
  
To exploit these defects, use a web proxy to intercept the login attempt and modify the POST parameters as follows:  
  
#-------------------------  
POST /login HTTP/1.1  
Host: 10.1.1.7:3000  
[snip]  
  
username= > &password=%0a  
#-------------------------  
  
You will now be successfully authenticated to antMan as the administrative root user.  
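The root cause described above is that raw POST parameters are handed to a shell script, so a username made of a shell metacharacter and a password consisting of a bare control character produce results the script never anticipated. As an added example, not code from antMan or from the advisory's author, the Python below shows the two defensive checks a practitioner would want: a strict allowlist gate that a login handler could apply before any subprocess is invoked, and a scan over request-log lines that flags login attempts carrying such values. The log line format, the allowlist pattern, the function names and the source IP addresses are all assumptions made for this example; the sample log lines are constructed.

```python
import re
from urllib.parse import parse_qs

# Assumed allowlist for account names that may be passed to a helper process:
# POSIX-style names only, so no whitespace, redirection or other shell metacharacters.
USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")

# Assumed log line format (constructed for this example):
#   <timestamp> <source-ip> POST /login <raw form body>
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) POST /login (?P<body>.*)$")


def username_is_safe(username: str) -> bool:
    """True only when the username is a plain account name from the allowlist."""
    return bool(USERNAME_RE.fullmatch(username))


def password_is_safe(password: str) -> bool:
    """Reject empty passwords and any ASCII control character (LF, CR, NUL, ...),
    which a line-oriented shell script would treat as record boundaries."""
    return bool(password) and all(0x20 <= ord(c) != 0x7F for c in password)


def check_login_body(body: str) -> dict:
    """Parse a URL-encoded /login body and decide whether it may reach the
    authentication helper. Returns the decoded username, the verdict and the reasons."""
    params = parse_qs(body, keep_blank_values=True)
    username = params.get("username", [""])[0]
    password = params.get("password", [""])[0]
    reasons = []
    if not username_is_safe(username):
        reasons.append("username fails account-name allowlist")
    if not password_is_safe(password):
        reasons.append("password is empty or contains control characters")
    return {"username": username, "allowed": not reasons, "reasons": reasons}


def scan_login_log(lines):
    """Run check_login_body over request-log lines and return (source-ip, reasons)
    for every login attempt that should be investigated."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        verdict = check_login_body(m.group("body"))
        if not verdict["allowed"]:
            hits.append((m.group("src"), verdict["reasons"]))
    return hits


# Constructed sample log: one ordinary login, then two attempts with the
# metacharacter / control-character pattern the advisory describes.
SAMPLE_LOG = [
    "2018-02-27T10:00:01Z 10.1.1.50 POST /login username=admin&password=Correct%20Horse",
    "2018-02-27T10:00:09Z 10.1.1.99 POST /login username= > &password=%0a",
    "2018-02-27T10:00:12Z 10.1.1.99 POST /login username=root&password=%0d%0a",
]

if __name__ == "__main__":
    for src, reasons in scan_login_log(SAMPLE_LOG):
        print(f"suspicious login from {src}: {'; '.join(reasons)}")
```

The gate runs before any process is spawned, so a request that fails it never reaches the helper script at all; the same function reused over logs gives a cheap retrospective check for attempts made before the fix in 0.9.1a was applied.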
  
  
3. Solution  
  
Update to version 0.9.1a  
  