What is Type Juggling?
Type Juggling (also known as Type Confusion) vulnerabilities are a class of vulnerabilities wherein an object is initialized or accessed as the incorrect type, allowing us as attackers to potentially bypass authentication or undermine the type safety of an application, possibly leading to arbitrary code execution.
A successful Type Juggling attack can result in the complete compromise of the confidentiality, integrity, and availability of the target system. For example, the type confusion vulnerability CVE-2015-0336 in Adobe Flash Player allows us as attackers to execute arbitrary code, which could lead to unauthorized access or the modification of data.
Installing and Preparing the Lab
I will use my machine to practice this vulnerability.
cd /var/www/html
sudo service apache2 start
Then, we are going to create the main index.php at /var/www/html/. This is simply a PHP form that validates admin credentials; note the strcmp function, which expects two strings to compare.
<html>
  <font color="red"><center><h1>Secure Login Page</h1></center></font>
  <hr>
  <body style="background-color:powderblue;">
    <center>
      <form method="POST" name="<?php echo basename($_SERVER['PHP_SELF']); ?>">
        Username: <input type="text" name="username" id="username" size="30">
        Password: <input type="password" name="password" id="password" size="30">
        <input type="submit" value="Login">
        <hr>
      </form>
    </center>
    <?php
    $USER = "admin";
    $PASSWORD = "adm1n!$!@@#!adminS_!@#";
    // Check that both fields were submitted
    if (isset($_POST['username']) && isset($_POST['password'])) {
        // Validate username
        if ($_POST['username'] == $USER) {
            // Validate password --> (Type Juggling vulnerable: strcmp() returns NULL for non-string input, and NULL == 0 is true)
            if (strcmp($_POST['password'], $PASSWORD) == 0) {
                echo "[+] Welcome: admin";
            } else {
                echo "[!] Password incorrect";
            }
        } else {
            echo "[!] Username incorrect";
        }
    }
    ?>
  </body>
</html>
Attacking
Contextualizing
Let's use BurpSuite to find out what is happening behind the POST request.
So what is the problem when we use strcmp to compare strings?
The bypass happens when the password parameter is sent as an array instead of a string. strcmp() expects two strings; when it is handed an array (PHP 7.x) it emits a warning and returns NULL instead of an integer, and the loose comparison NULL == 0 evaluates to true, so the check passes without the password ever being compared. On PHP 8 the same call throws a TypeError instead, so the array no longer slips through, but the loose == 0 comparison is still the weak point.
Type Juggling in == Comparison
Another way to bypass password validation arises when the == comparison is used to validate passwords.
To explain this case let's modify our index.php at /var/www/html/.
This version hashes the submitted password with MD5 and compares the result to a stored hash.
<html>
  <font color="red"><center><h1>Secure Login Page</h1></center></font>
  <hr>
  <body style="background-color:powderblue;">
    <center>
      <form method="POST" name="<?php echo basename($_SERVER['PHP_SELF']); ?>">
        Username: <input type="text" name="username" id="username" size="30">
        Password: <input type="password" name="password" id="password" size="30">
        <input type="submit" value="Login">
        <hr>
      </form>
    </center>
    <?php
    $USER = "admin";
    // password hash
    $PASSWORD = "0e8961261230981231269013";
    // Validate empty fields
    if (!empty($_POST['username']) && !empty($_POST['password'])) {
        // Apply md5 to the password input
        $password_input = md5($_POST['password']);
        // Validate username and password (Type Juggling vulnerable: == compares two numeric strings such as "0e..." as numbers)
        if ($_POST['username'] == $USER && $password_input == $PASSWORD) {
            echo "[+] Welcome: admin";
        } else {
            echo "[!] Username or password incorrect";
        }
    }
    ?>
  </body>
</html>
So, the problem with == validation is that PHP compares two numeric strings as numbers rather than as text. A hash such as 0e12123456789 consists of "0e" followed only by digits, so PHP reads it in scientific notation as 0 × 10^12123456789 = 0. Any other hash of the same form is also 0, so the == comparison between the two is true even though the strings are different.
So, how do we bypass the MD5 password validation?
First of all, we need an input whose MD5 hash also starts with 0e followed only by digits.
A web search turns up a website listing such "magic hashes". One of them is the string aabg7XSs, so let's try it in the form.
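As an added example that is not part of the original write-up, the following script puts both loose checks discussed above (strcmp() == 0 and the == comparison of two "0e" hashes) next to a hardened check_login() that rejects non-string input and verifies with password_verify(); the function name and sample inputs are my own, the hash values are the ones from this page. Run it with php from the command line: the loose == comparison of the two hashes accepts, the strict === and hash_equals() comparisons reject, and only the real password passes check_login().

```php
<?php
// Added example (not from the original write-up): loose checks vs. a hardened check.

// Hashes from the second scenario. Both are "0e" followed only by digits, so PHP
// treats each as a numeric string in scientific notation: 0 * 10^N = 0.
$stored = "0e8961261230981231269013";
$input  = md5("aabg7XSs");              // also of the form 0e<digits>

var_dump($input == $stored);            // loose: numeric strings compared as numbers
var_dump($input === $stored);           // strict: bytes compared, different strings
var_dump(hash_equals($stored, $input)); // constant-time byte comparison

// The strcmp() check from the first scenario, fed an array instead of a string.
try {
    // PHP 7.x: warning, strcmp() returns NULL, and NULL == 0 is true
    var_dump(strcmp(["x"], "adm1n!") == 0);
} catch (TypeError $e) {
    // PHP 8: the array is rejected before any comparison happens
    echo "PHP 8 rejects the array: ", $e->getMessage(), "\n";
}

// Hardened check: only strings reach the comparison, the stored value is a real
// password hash, and verification is constant-time and algorithm-aware.
function check_login(array $post, string $expectedUser, string $passwordHash): bool
{
    $user = $post['username'] ?? null;
    $pass = $post['password'] ?? null;
    if (!is_string($user) || !is_string($pass)) {
        return false;                   // arrays, null and other types never pass
    }
    if ($user !== $expectedUser) {      // strict comparison, no numeric coercion
        return false;
    }
    return password_verify($pass, $passwordHash);
}

// Produced once at account creation and stored instead of the plaintext password.
$passwordHash = password_hash('adm1n!$!@@#!adminS_!@#', PASSWORD_DEFAULT);

// Constructed sample submissions mirroring the two bypass attempts and a valid login.
var_dump(check_login(['username' => 'admin', 'password' => ['x']], 'admin', $passwordHash));
var_dump(check_login(['username' => 'admin', 'password' => 'aabg7XSs'], 'admin', $passwordHash));
var_dump(check_login(['username' => 'admin', 'password' => 'adm1n!$!@@#!adminS_!@#'], 'admin', $passwordHash));
```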
I appreciate your time reading this write-up and I hope it has been valuable for your understanding of the topic. Remember that this content does not come 100% from me: writing this article is a way to reinforce the learning I obtained from S4vitar's Hack4u courses.