antMan < 0.9.1a - Authentication Bypass

# Exploit Title: antMan <= 0.9.0c Authentication Bypass
# Date: 02-27-2018
# Software Link:
# Version: <= 0.9.0c
# Tested on: 0.9.0c
# Exploit Author: Joshua Bowser
# Contact:
# Website:
# Category: web apps
1. Description
antMan versions <= 0.9.0c contain a critical authentication defect that allows an unauthenticated attacker to obtain root permissions within the antMan web management console.
2. Proof of Concept
The antMan authentication implementation reads the user-supplied username and password parameters from a POST request to /login. antMan then uses Java's ProcessBuilder class to invoke, as root, a bash script called antsle-auth with those values.

This script contains two critical defects that allow an attacker to bypass the authentication checks. By setting the username to a single > character and the password to a URL-encoded linefeed (%0a), we can force the authentication script to produce return values the developer did not anticipate.

To exploit these defects, use a web proxy to intercept the login attempt and modify the POST parameters as follows:

POST /login HTTP/1.1

username= > &password=%0a

You will now be successfully authenticated to antMan as the administrative root user.
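The defensive counterpart to the request above, added here as an example and not taken from the advisory or from antMan itself: a pre-filter that URL-decodes a login body and rejects credentials containing shell metacharacters or control characters before they could reach an external authentication helper such as the script described above. The field names username/password and the /login path come from the advisory; the username allowlist pattern and the benign and extra sample bodies are assumptions constructed for the example.

```python
"""
Added example (not part of the original advisory or of antMan): a
defensive pre-filter for login form bodies. It URL-decodes the POST
body, rejects usernames outside a strict allowlist and passwords that
carry control characters, and reports why, so a value like the
malformed one in the advisory never reaches a shell-backed helper.
"""
import re
from urllib.parse import parse_qs

# Usernames are restricted to a conservative allowlist (assumption made
# for this example; a real deployment would use its own account policy).
USERNAME_RE = re.compile(r"^[A-Za-z0-9._-]{1,32}$")

# Characters a POSIX shell interprets specially; any of these in a value
# destined for a script argument is worth reporting explicitly.
SHELL_META = set("|&;<>()$`\\\"' \t*?[]#~{}")


def control_chars(value: str) -> list[str]:
    """Return the control characters (e.g. newline) found in value."""
    return [c for c in value if ord(c) < 0x20 or ord(c) == 0x7F]


def check_login_body(raw_body: str) -> dict:
    """Decode a URL-encoded login body and classify it.

    Returns {"ok": bool, "username": str, "reasons": [str, ...]}.
    A body is ok only when both fields are present, the username
    matches the allowlist, and the password has no control characters.
    """
    # keep_blank_values so that "password=" is seen as present-but-empty
    params = parse_qs(raw_body, keep_blank_values=True)
    username = params.get("username", [""])[0]
    password = params.get("password", [""])[0]
    reasons = []

    if not username:
        reasons.append("missing or empty username")
    elif not USERNAME_RE.match(username):
        bad = sorted({c for c in username if c in SHELL_META}
                     | set(control_chars(username)))
        reasons.append(
            f"username outside allowlist; suspicious characters: {bad!r}")

    if not password:
        reasons.append("missing or empty password")
    elif control_chars(password):
        reasons.append(
            f"password contains control characters: {control_chars(password)!r}")

    return {"ok": not reasons, "username": username, "reasons": reasons}


# Constructed sample bodies; "advisory" is the body shown in the text above.
SAMPLE_BODIES = {
    "benign": "username=admin&password=correct-horse-battery-staple",
    "advisory": "username= > &password=%0a",
    "newline-in-username": "username=admin%0aroot&password=x",
}

if __name__ == "__main__":
    for label, body in SAMPLE_BODIES.items():
        verdict = check_login_body(body)
        status = "OK" if verdict["ok"] else "REJECT"
        print(f"{label:22} {status:7} {verdict['reasons']}")
```

Note that parse_qs decodes %0a to a real newline and leaves literal spaces in place, so the check sees exactly the values the backend would pass on; rejecting at this layer is a stopgap, and the durable fix remains the vendor update and an authentication path that does not hand raw credentials to a shell script.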
3. Solution
Update to version 0.9.1a.