Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Draconian Fear vulnerability - Netgear Switch - 619

gynvael, posted 4 years ago
  • The authentication flow is convoluted but works. The flow is outlined below:
    1. Obfuscated password is sent to the CGI API.
    2. The CGI creates a file for the auth request that is handled by another process.
    3. The handler of the authentication request authenticates the user. The session is created using the format /tmp/sess/guiAuth_{http}_{clientIP}_{userAgent}.
    4. The browser polls for the result of the authentication attempt. During this polling step, the file mentioned above is accessed with some pre-filled parameters.
  • The vulnerability lies in how much we can control the session file name. The polling step relies only on the client IP and a numeric (1-5) browser user-agent class to decide which user to check. As a result, an attacker sharing an IP with the admin can constantly poll this call while the login attempt is occurring and hijack the session. The window is only about 1 second, though.
  • This bug would be extremely hard to exploit. However, the author claims that this attack could be achieved from the browser. Hence, it would be possible to constantly run this attack from a malicious website.
  • The author recommends that a cryptographically secure random value be used instead of the user agent and IP address for the file name. As a result, this attack would no longer be possible.
  • Overall, this is a good article (with another auth bypass here via a hardcoded password). I do not consider the IP address to be controllable. But it is an input that I should consider, even if there is an IP validation check happening.
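As an added example (not code from the article or from the switch firmware), here is the session-file naming scheme the notes describe beside the fix the author recommends, in Python. The session directory, file-name format, client addresses and the lookup helper are constructed for illustration.

```python
import os
import secrets
import tempfile

# Weak scheme from the write-up: the session file name is built from
# attributes a second client behind the same address can reproduce.
def weak_session_path(sess_dir, scheme, client_ip, ua_class):
    # ua_class is the small numeric (1-5) browser class from the notes
    return os.path.join(sess_dir, f"guiAuth_{scheme}_{client_ip}_{ua_class}")

# Hardened scheme (constructed): name the session by a CSPRNG token,
# create the file atomically so it cannot be pre-created or raced,
# and hand the token back for the client to present on later requests.
def create_random_session(sess_dir, client_ip):
    token = secrets.token_hex(16)            # 128 bits from the OS CSPRNG
    path = os.path.join(sess_dir, f"guiAuth_{token}")
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(f"ip={client_ip}\n")
    return token, path

# Lookup validates the token shape before touching the filesystem, so a
# presented token can never name a path outside the session directory.
def load_session(sess_dir, token):
    if len(token) != 32 or any(c not in "0123456789abcdef" for c in token):
        return None
    path = os.path.join(sess_dir, f"guiAuth_{token}")
    if not os.path.isfile(path):
        return None
    with open(path) as f:
        return f.read()

def demo():
    sess_dir = tempfile.mkdtemp()
    # Two logins from the same NAT address with the same browser class
    a = weak_session_path(sess_dir, "http", "192.0.2.10", 3)
    b = weak_session_path(sess_dir, "http", "192.0.2.10", 3)
    weak_collides = a == b                   # same file for both users
    # With random naming the two sessions never share a file name
    t1, p1 = create_random_session(sess_dir, "192.0.2.10")
    t2, p2 = create_random_session(sess_dir, "192.0.2.10")
    found = load_session(sess_dir, t1)
    rejected = load_session(sess_dir, "../../etc/passwd")
    return weak_collides, p1 != p2, found, rejected
```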