... Loading ...

SSD Secure Disclosure

Disclosing vulnerabilities responsibly since 2007

SSD Advisory – AppWeb Authentication Bypass (Digest, and Basic)

Vulnerability Summary
A critical vulnerability in the EmbedThis HTTP library, and Appweb versions 5.5.x, 6.x, and 7.x including the latest version present in the git repository.
In detail, due to a logic flaw, with a forged HTTP request it is possible to bypass the authentication for HTTP basic and HTTP digest login types.
Confirmed Vulnerable
Appweb version 7.0.2 and prior
An independent security researcher, Davide Quarta (@_ocean) and Truel IT, has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program.
Vendor Response
Vendor response was exceptionally quick, within 2 days from reporting the vulnerability to them they had a patch available and new version Appweb version 7.0.3 and information available to the public: https://github.com/embedthis/appweb/issues/610

Vulnerability Details
Due to a logical flaw in the authentication procedure, knowing the target username, it is possible to completely bypass authentication of both form and digest type authentications, by means of a crafted HTTP POST request.
File http/httpLib.c – function authCondition()
This function is responsible for calling the two functions that are responsible of authentication: getCredentials, and httpLogin. Notice the lack of checks around httpGetCredentials, it will be useful later.

File http/httpLib.c – function httpGetCredentials()
This function receives two pointers to char arrays that will contain the username and password parsed from the request. Since there are no checks in authCondition, it doesn’t matter if the “parseAuth” function fail, this means we can insert in the WWW-Authenticate header or in the post data for authentication any field we want:

File http/httpLib.c – function httpLogin()
This function will check for the username to be not null, when there is already a session associated, the password pointer can instead be null.

To be able to bypass the authentication we need to be able to pass a null password pointer, fortunately, both for form and digest authentication, the functions used to parse authentication details (line 1666) will allow us to set a null password pointer, and even with an error returned, in the end, it won’t be checked by authCondition, allowing us to completely bypass authentication, the only condition to exploit this is to know a username in the hashmap.
To overcome this limitation, it must be considered that the size of the hashmap is usually small, and the hash algorithm (FNV) used in the hashmap is weak: with a limited number of tries it could be possible to find a collision, and login without knowing a valid username (untested).

Print Friendly, PDF & Email

2 thoughts on “SSD Advisory – AppWeb Authentication Bypass (Digest, and Basic)

Leave a Reply