Do I need to fix that stupid vulnerabilities

1. Do I need…to fix that stupid
vulnerabilities?
By i3umi3iei3ii

2. " This slide is purely intended for educational and research purposes only. We do NOT want anyone to use
any information from this slide to attack or do illegal thing (refer to the laws in your country). So that, any
actions and or activities related to the materials from this repository is solely your responsibility. If you
don’t agree, you are not allowed to access this slide, close this immediately “
2
Disclaimer
Disclaimer

3. Things I would like to share with you today
3
overview
o Server version disclosure
o Bypass Authentication
o Session in /tmp/sess_xxx
o User Enumeration

4. The software we are going to deal with
4
https://github.com/i3umi3iei3ii/CentOS-Control-Web-Panel-CVE
overview

5. Burp Suite
5
overview
Client Server
HTTP Request
HTTP Response

6. Server Version
Disclosure

7. Server Version Disclosure
7
ServerVersionDisclosure

8. 8
ServerVersionDisclosure

9. 9
ServerVersionDisclosure

10. User Enumeration

11. User Enumeration
11
UserEnumeration
Valid Username
Invalid Username

12. Login with an invalid username and invalid password
12
UserEnumeration

13. Login with a valid username and invalid password
13
UserEnumeration

14. Brute-Forcing
14
UserEnumeration

15. 15
UserEnumeration
Non-existing User
Existing User

16. User Enumeration
16
UserEnumeration
// Log in with an invalid password
If( res.msg == “Wrong password” ){
console.log(“User dose exist”);
} else {
console.log(“User dose not exist”);
}

17. Login with a valid username and invalid password
17
UserEnumeration

18. Login with an invalid username and invalid password
18
UserEnumeration

19. 19
UserEnumeration
Non-existing User
Existing User

20. User Enumeration
20
UserEnumeration
// Log in with an invalid password
If( res.time > 80ms ){
console.log(“User dose exist”);
} else {
console.log(“User dose not exist”);
}

21. Authentication
Bypass

22. Authentication Bypass
22
AuthenticationBypass

23. Authentication Bypass
23
AuthenticationBypass

24. Authentication Bypass
24
user1||/user1/theme/original
user2||/user2/theme/original
(Base64)
dXNlcjJ8fC91c2VyMi90aGVtZS9vcmlnaW5hbA==
AuthenticationBypass

26. Authentication Bypass
26
If( res. result == 1 ){
console.log(“login”);
redirect([‘Profile’]);
} else {
console.log(“User dose not exist”);
redirect([‘login’]);
}
AuthenticationBypass
If( valid(username) && valid(pass)){
res.send({ result: 1 });
} else {
res.send({ result: 0 });
}
Back-end Front-end

27. Authentication Bypass
27
If we know that the user dose exist,
We can gain access to the account by
“Modify response”
AuthenticationBypass

28. Authentication Bypass
28
AuthenticationBypass

29. 29
Hash vs Encode vs Encrypt
AuthenticationBypass

30. Hashing
30
AuthenticationBypass
Input Data
Hashing
Algorithm
Output Data
(Fixed Length)
BKK.JS MD5
2f342e019e40c69734f0e
80b45ef026c
BKK.JS SHA1
c2f45b82a11359de5861
a47dbda32ccb343d656c

31. Encoding (Encode/Decode)
31
AuthenticationBypass

32. Encryption (Encrypt/Decrypt)
32
AuthenticationBypass
o Symmetric Key
o Asymmetric Key
Shared Key Shared Key
Public Key Private KeyCipher TextMessage Message
Encrypt
Cipher TextMessage Message
Decrypt

33. Session files are stored in
insecure directory

34. Session in “/tmp” directory
34
Sessionfile/tmo/sess_xxx

35. Token in URL
35
Sessionfile/tmo/sess_xxx
Any Problem?!?!?!?

36. It is not a random value
36
Since the ‘rkey’ value is not random, there might be some factor that use to
generate the value, what is it?
o IP Address?
o MAC Address?
Sessionfile/tmo/sess_xxx

37. Set client ip address
37
Sessionfile/tmo/sess_xxx

38. Login as root on a testing server
38
Sessionfile/tmo/sess_xxx

39. Extract session value
39
Sessionfile/tmo/sess_xxx

40. Information we generate from testing server
40
cwpsrv-bad194011f5ad0cf609c77ad222e50d6 = 3hkhskb2coovn9bpkpuqivst42
/tmp/sess_3hkhskb2coovn9bpkpuqivst42
username|s:4:"root";logged|b:1;rkey|s:16:"w4wlTtbmZvQY8UA8";token|s:36:"cwp_
a5711eb95256129d3304915661c6452e";
Sessionfile/tmo/sess_xxx

41. Login and upload session file to /tmp
41
Sessionfile/tmo/sess_xxx

42. Set up attacker’s browser
42
Sessionfile/tmo/sess_xxx

43. Become root user
43
Sessionfile/tmo/sess_xxx

44. Vulnerabilities Chaining
44
o Server version disclosure o User Enumeration
o Bypass Authentication o Session in /tmp/sess_xxx
Require: Server signature Require: Target URL
Result: Target URL Result: Target Username
Require: Target Username
Result: Authenticated User
Require: Authenticates User
Result: High Privilege User (root)
VulnerabilitiesChaining

45. Conclusion
45
Conclusion
o Server version disclosure : least server information disclose
o Bypass Authentication : Do not trust your client
o Session in /tmp/sess_xxx : Directory and File permission
o User Enumeration : Keep the response message the same
o Hash != Encode != Encrypt
o Do not send sensitive data through the URL

46. THANK YOU
Photo by Unsplash