Nginx and Tomcat Mutual Auth Bypass

I would like to share a common mistake in Nginx configuration that can lead to an authentication bypass. We are going to try to bypass Nginx mutual authentication.

Below is the Nginx configuration that we are going to explore for exploitation:

We can see from the above configuration that requests to /manager/html, /admin/dashboard and /host-manager/html go through the mutual authentication check first. If the client does not provide the required certificate, a 403 error is returned.

According to the research presented at Black Hat (https://i.blackhat.com/us-18/Wed-August-8/us-18-Orange-Tsai-Breaking-Parser-Logic-Take-Your-Path-Normalization-Off-And-Pop-0days-Out-2.pdf), the two servers (Nginx and Tomcat) parse the HTTP request differently, which leads to the known behaviours listed below:

Exploitation

As shown in the Nginx configuration, accessing the Tomcat admin page at https://domain/manager/html requires mutual authentication. Based on the parsing behaviour above, we can manipulate the HTTP request so that it does not match the URL /manager/html in Nginx: the request /manager;name=orange/html/ is passed on to Tomcat, which interprets it as /manager/html.
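To find this mismatch in your own traffic, the following added example (not code from the original post) compares the path as the proxy matches it with the path as Tomcat maps it after dropping `;` path parameters, and flags requests where only the back-end view is protected. It assumes the protected paths are matched as plain prefixes in Nginx; the function names and sample paths are constructed for illustration.

```python
from urllib.parse import unquote

# Paths the post lists as sitting behind the client-certificate check.
PROTECTED = ("/manager/html", "/admin/dashboard", "/host-manager/html")


def front_end_view(raw_path):
    """Path as the proxy matches it (assumed prefix match): ';' is ordinary."""
    return unquote(raw_path.split("?", 1)[0])


def backend_view(raw_path):
    """Path as Tomcat maps it: ';param' is dropped from every segment."""
    path = raw_path.split("?", 1)[0]
    segments = [seg.split(";", 1)[0] for seg in path.split("/")]
    return unquote("/".join(segments))


def is_protected(path):
    return any(path.startswith(prefix) for prefix in PROTECTED)


def find_mismatches(raw_paths):
    """Return requests that skip the proxy rule but reach a protected path."""
    return [
        p for p in raw_paths
        if is_protected(backend_view(p)) and not is_protected(front_end_view(p))
    ]


# Constructed request paths, e.g. as pulled from an access log.
SAMPLE_PATHS = [
    "/manager/html",
    "/manager;name=orange/html/",
    "/host-manager;x/html",
    "/admin/dashboard?tab=1",
    "/admin;/dashboard",
    "/index.html",
]

if __name__ == "__main__":
    for path in find_mismatches(SAMPLE_PATHS):
        print("proxy/back-end mismatch:", path, "->", backend_view(path))
```

Any hit means the access rule and the application disagree about which resource was requested, so the certificate check should be enforced on a form of the path that both sides share.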

Conclusion

Adding authentication is always good, but you have to know the behaviour, strengths and weaknesses of each technology to ensure that the configuration works the way we expect.
