ZimaOS Authentication Bypass Vulnerability in Login Function
Vulnerability
An authentication bypass vulnerability has been identified in ZimaOS versions through 1.5.0. The login function does not properly validate the password for certain system service accounts, including 'root', 'daemon', and 'www-data', among others. Any request that supplies one of these usernames is accepted regardless of the password value, so anyone who knows a username from this list can obtain an authenticated session without possessing a valid credential. The flaw lies in the application's login endpoint.
Impact
An unauthenticated attacker who can reach the login endpoint can exploit this vulnerability to gain full, unrestricted access to the application simply by supplying one of the affected system usernames; no credential guessing or brute force is required.
Reproduction
To reproduce this vulnerability, open the application's login form, enter a username from the list of affected system accounts (for example 'root'), type any value in the password field and submit. The application grants access, demonstrating the bypass. The same result can be obtained without the browser by sending a POST request to the login endpoint with curl, passing a valid system username and an arbitrary password. Keep the request you used: after patching, replay it and confirm the application now rejects it, which is the simplest check that the fix actually reached the login path.
Remediation
To address this vulnerability, route every authentication request, whatever the username, through a single password verification mechanism that hashes the submitted password with a salted, slow password hash (for example PBKDF2, bcrypt, scrypt or Argon2) and compares it against the stored credential using a constant-time comparison. Remove any logic that exempts system usernames or handles them differently from standard users, and treat a username with no stored credential as a failed login rather than as a special case.
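The following is an added example, not ZimaOS source code, that models both the reproduction step above and the remediation: a login function that exempts the three system accounts the advisory names, beside a hardened version that runs every username through the same salted PBKDF2 check, and a probe that tries each affected username with an arbitrary password. The credential store, the PBKDF2 parameters and the function names are assumptions chosen for illustration; the page does not name the login endpoint's path or request fields, so the probe calls the login logic directly rather than over HTTP.

```python
import hashlib
import hmac
import os
from typing import Callable, Dict, Tuple

# Usernames the advisory names as affected. The page says there are others
# but does not list them, so only these three appear here.
SYSTEM_ACCOUNTS = ("root", "daemon", "www-data")

# Hypothetical hashing parameters; a real deployment would tune these.
PBKDF2_ROUNDS = 100_000
SALT_BYTES = 16


def make_record(password: str) -> Tuple[bytes, bytes]:
    """Return (salt, pbkdf2 digest) for storing a password."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


# Constructed credential store: username -> (salt, digest). Only a normal
# user exists; the system service accounts have no stored credential.
STORE: Dict[str, Tuple[bytes, bytes]] = {
    "admin": make_record("correct horse battery staple"),
}


def verify_password(username: str, password: str, store: Dict[str, Tuple[bytes, bytes]]) -> bool:
    """Hash the submitted password and compare it in constant time."""
    record = store.get(username)
    if record is None:
        # Burn the same hashing cost for unknown users so response time does
        # not reveal whether the username exists, then fail closed.
        hashlib.pbkdf2_hmac("sha256", password.encode(), b"\x00" * SALT_BYTES, PBKDF2_ROUNDS)
        return False
    salt, expected = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, expected)


def login_vulnerable(username: str, password: str, store=STORE) -> bool:
    """Hypothetical reconstruction of the flaw: system service accounts are
    exempted from password verification, so any password is accepted."""
    if username in SYSTEM_ACCOUNTS:
        return True
    return verify_password(username, password, store)


def login_hardened(username: str, password: str, store=STORE) -> bool:
    """Remediated version: every username goes through the same check."""
    return verify_password(username, password, store)


def probe(login: Callable[[str, str], bool], password: str = "not-the-password") -> Dict[str, bool]:
    """The advisory's reproduction step, run offline: try each affected
    username with an arbitrary password and record whether access was granted.
    Any True value means the bypass is present."""
    return {user: login(user, password) for user in SYSTEM_ACCOUNTS}


if __name__ == "__main__":
    print("vulnerable login:", probe(login_vulnerable))
    print("hardened login:  ", probe(login_hardened))
    print("admin, real password, hardened:", login_hardened("admin", "correct horse battery staple"))
```

The probe is the same check whether it is pointed at a local reconstruction like this one or, via an HTTP client, at a running instance: before the fix every system username returns success with a garbage password; after the fix every one of them fails while a legitimate user with the right password still gets in.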
