People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!
Veeam published an advisory for a complete authentication bypass in one of their products, scored CVSS 9.8. The author decided to take the time to understand the issue and write it up. Since they only had the information in the CVE to go on, they had to do some reverse engineering.
The author goes down the authentication flow and finds some weirdness in the SSO path. In particular, when using VMware SSO, a SAML XML document is provided, and one of the attacker-controlled values in it is the URL that the document is checked against.
Since an attacker can point that URL at their own SAML server, bypassing authentication is trivial: if you get to vouch for yourself, the bypass follows directly.
The core vulnerability is simple: missing input validation on a security-sensitive value. Actually exploiting it, however, required a fairly deep understanding of SAML and of the product's authentication flow.
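As an added illustration (not code from the article or from Veeam), here is the weak pattern beside a hardened check: the party trusted to vouch for a SAML assertion must come from operator configuration, never from the assertion itself. The sample assertion, the trusted-IdP set and the function names are all constructed for this example.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion; the issuer is whatever the sender chose to write.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>https://idp.untrusted.example/sso</saml:Issuer>
  <saml:Subject><saml:NameID>admin</saml:NameID></saml:Subject>
</saml:Assertion>"""

# Assumed: the set of IdPs an operator configured at deploy time.
TRUSTED_IDPS = {"https://sso.corp.example/saml"}


def issuer_of(xml_text):
    """Return the <saml:Issuer> text, or None if the element is missing."""
    root = ET.fromstring(xml_text)
    el = root.find("saml:Issuer", NS)
    return el.text.strip() if el is not None and el.text else None


def vulnerable_choose_validator(xml_text):
    # Weak pattern: the endpoint used to validate the assertion is read from
    # the assertion, so the sender decides who gets to vouch for them.
    return issuer_of(xml_text)


def hardened_choose_validator(xml_text, trusted=TRUSTED_IDPS):
    # Hardened: the issuer must exactly match a configured trusted IdP
    # (scheme, host and path); anything else is rejected before any network
    # call or signature check is attempted.
    issuer = issuer_of(xml_text)
    if issuer is None:
        raise ValueError("assertion has no Issuer")
    if urlparse(issuer).scheme != "https":
        raise ValueError("issuer must be an https URL")
    if issuer not in trusted:
        raise ValueError(f"untrusted issuer: {issuer}")
    return issuer
```

The hardened variant still needs the assertion's signature verified with the configured IdP's key; the point shown here is only that the choice of verifier is never delegated to the document.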
After this, the author of the post went looking for further issues in Veeam products. The JWT authentication on the Recovery Orchestrator used a hardcoded JWT secret. Since it is hardcoded, we can sign our own JWTs.