Bypass Admin Authentication on Seq

Daniel Chactoura
Published in stolabs
3 min read · Mar 13, 2018

Seq is a log server that runs on a central machine. Applications send structured events through a framework and the platform organizes them into dashboards. This is an application used by most of the world’s biggest companies, such as Microsoft, Bosch, Allianz and Deloitte.

Researching the platform (version 4.1.17.0), I’ve found a Broken Authentication (https://www.owasp.org/index.php/Top_10-2017_A2-Broken_Authentication). This flaw allows a malicious user to assume other users’ identities temporarily or permanently. In my case, I managed to assume an admin identity.

Let me explain how I found it.

First I entered the application’s URL and got the login page:

Then, I tried the “/api/” path and got some other paths:

So I decided to take a look at the path “api/users/”, but unfortunately got nothing but a denial:

With my hopes fading away, I decided to take a look at the HTTP requests and found an interesting path (api/settings/setting-isauthenticationenabled) with some JSON in the response body:

Reading carefully, I saw this “Value” key set as true. So I copied the entire JSON to the request body, changing the “Value” to false and the request method to PUT and sent it:

As my modified request returned a 200 response, my hopes started to rise again. To see if it had really worked, I went back to the path “api/users”:

As shown in the image above, I got access to all this information about the application’s users, including the admin’s. But that wasn’t enough.

So I went back to the root URL and there I was, logged into the application as admin without typing any credentials and with access to a lot of sensitive information. Yes, the authentication got disabled by my modified PUT request.
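As an added example (not part of the original post or of the Seq project), here is detection logic a defender could run over the access log of the reverse proxy or web server in front of a Seq instance to spot the sequence described above: a write to the setting-isauthenticationenabled endpoint followed by a successful read of the user directory from the same client. The log lines are constructed, and the combined log format is an assumption; only the two API paths come from the post.

```python
import re
from typing import Dict, List

# Constructed sample lines in the common "combined" access-log format, standing in
# for the reverse-proxy log in front of a Seq 4.1.17.0 instance (not real data).
SAMPLE_LOG = """\
10.0.0.5 - - [13/Mar/2018:10:01:02 +0000] "GET /api/settings/setting-isauthenticationenabled HTTP/1.1" 200 143 "-" "Mozilla/5.0"
10.0.0.5 - - [13/Mar/2018:10:01:09 +0000] "PUT /api/settings/setting-isauthenticationenabled HTTP/1.1" 200 143 "-" "Mozilla/5.0"
10.0.0.5 - - [13/Mar/2018:10:01:15 +0000] "GET /api/users HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.7 - - [13/Mar/2018:10:02:00 +0000] "GET /api/users HTTP/1.1" 401 0 "-" "curl/7.58.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# The setting the write-up shows being flipped from true to false with a PUT.
AUTH_SETTING = "/api/settings/setting-isauthenticationenabled"
WRITE_METHODS = {"PUT", "POST", "PATCH"}


def detect(log_text: str) -> List[Dict[str, str]]:
    """Return one finding per suspicious request, in log order."""
    findings: List[Dict[str, str]] = []
    flipped_by = set()  # client IPs that successfully wrote the auth setting
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        ip, ts, method, status = m["ip"], m["ts"], m["method"], m["status"]
        path = m["path"].rstrip("/").lower()
        if path == AUTH_SETTING and method in WRITE_METHODS:
            # Any write to this setting deserves an alert; a 200 means it took effect.
            sev = "high" if status == "200" else "medium"
            if status == "200":
                flipped_by.add(ip)
            findings.append({"ip": ip, "ts": ts, "severity": sev,
                             "rule": "auth-setting-write", "method": method, "status": status})
        elif path == "/api/users" and status == "200":
            # User directory returned 200; critical when the same client just disabled auth.
            sev = "critical" if ip in flipped_by else "low"
            findings.append({"ip": ip, "ts": ts, "severity": sev,
                             "rule": "user-directory-read", "method": method, "status": status})
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(finding)
```

Rejected requests (the 401 from 10.0.0.7) are left out on purpose so the rule stays quiet on normal unauthenticated probing and fires on the write that actually succeeded.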

After a while, I decided to write an exploit for this vuln, for fun and for study purposes. So, if you wanna take a look, here it is: https://www.exploit-db.com/exploits/45136/

Related CVE ID: CVE-2018-8096
