Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.


https://github.com/absholi7ly/Bypass-authentication-GitHub-Enterprise-Server

The authentication bypass vulnerability in GitHub Enterprise Server (GHES) allows an unauthorized attacker to access an instance of GHES without requiring pre-authentication. The vulnerability affects all GHES versions prior to 3.13.0.




README


# Bypass-authentication-GitHub-Enterprise-Server CVE-2024-4985
The authentication bypass vulnerability in GitHub Enterprise Server (GHES) allows an unauthorized attacker to access an instance of GHES without requiring pre-authentication. The vulnerability affects all GHES versions prior to 3.13.0.

## Technical vulnerability details:
The vulnerability lies in the way GHES handles encrypted SAML claims.
An attacker could craft a fake SAML claim that contains correct user information.
When GHES processes the fake SAML claim, it fails to validate its signature correctly, allowing the attacker to gain access to the GHES instance.

## Poc:

Steps:
* Open your penetration-testing tool.
* Create a web connection request.
* Select the "GET" request type.
* Enter your GHES URL.
* Add a fake SAML Assertion parameter to your request. An example of a fake SAML Assertion parameter can be found in the GitHub documentation.
* Check the GHES response.
* If the response has an HTTP status code of 200, authentication was bypassed using the fake SAML Assertion parameter.
* If the response has a different HTTP status code, the bypass did not succeed.

------------------------------------------------------------------
Note: I'm going to synthesize an example using a dummy URL (https://your-ghes-instance.com). Be sure to replace it with your real GHES URL.
In this example, we'll assume that your GHES URL is https://your-ghes-instance.com. We'll use a fake SAML Assertion parameter that looks like this:

```
https://your-ghes-instance.com
jdoe
urn:oasis:names:tc:SAML:2.0:methodName:password
Acme Corporation
[email protected]
```