Roxy-WI LDAP Injection Vulnerability Leading to Authentication Bypass

Vulnerability

A vulnerability exists in Roxy-WI versions through 8.2.8.2, allowing unauthenticated attackers to bypass authentication when LDAP authentication is enabled. The issue arises because Roxy-WI constructs LDAP search filters by directly concatenating user-supplied usernames without escaping special characters. This flaw enables attackers to inject LDAP metacharacters, manipulate the search query, and gain access to the application without a valid password. As of now, no patches are available.
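The flaw class described above, shown next to its standard fix, as an added example that is not Roxy-WI's own code. The attribute name `uid`, the function names, the username allowlist and the sample inputs are assumptions made for illustration.

```python
import re

# RFC 4515 section 3: inside an assertion value these characters must be
# written as a backslash followed by their two-digit hex code.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# Assumed policy for defence in depth; widen it to match real account names.
_USERNAME_RE = re.compile(r"[A-Za-z0-9._@-]{1,64}")


def escape_filter_value(value: str) -> str:
    """Escape one user-supplied value for use inside an LDAP search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def concatenated_filter(attr: str, username: str) -> str:
    """The flawed pattern: the username reaches the filter unescaped."""
    return f"({attr}={username})"


def escaped_filter(attr: str, username: str) -> str:
    """The corrected pattern: the username can only ever be a literal value."""
    return f"({attr}={escape_filter_value(username)})"


def is_acceptable_username(username: str) -> bool:
    """Reject names outside the allowlist before any directory lookup."""
    return _USERNAME_RE.fullmatch(username) is not None


def is_single_assertion(ldap_filter: str) -> bool:
    """True if the filter still has the one-clause shape the code intended."""
    return (ldap_filter.count("(") == 1 and ldap_filter.count(")") == 1
            and "*" not in ldap_filter)


if __name__ == "__main__":
    for name in ("jsmith", "a*)(b"):  # constructed inputs
        print(repr(name), is_acceptable_username(name))
        print("  concatenated:", concatenated_filter("uid", name),
              is_single_assertion(concatenated_filter("uid", name)))
        print("  escaped:     ", escaped_filter("uid", name),
              is_single_assertion(escaped_filter("uid", name)))
```

In production code, prefer the LDAP library's own escaping helper, such as `ldap.filter.escape_filter_chars` in python-ldap, over a hand-written one.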

Impact

Exploitation allows unauthenticated remote attackers to log into the Roxy-WI management interface as arbitrary LDAP-backed users. Depending on the user's role, this could grant immediate administrative access to managed servers, SSH credentials, service configurations, and internal network topology.

Reproduction

To reproduce this vulnerability, first ensure that LDAP authentication is enabled in Roxy-WI. Then identify a valid local user linked to LDAP, and send a crafted login request that injects LDAP filter metacharacters into the username field. The injected characters alter the constructed LDAP filter so that the search query bypasses authentication. If successful, the application responds with a JWT token, indicating that authentication has been bypassed.

Added: Apr 20, 2026, 9:25 PM
Updated: Apr 20, 2026, 9:25 PM

Vulnerability Rating

Custom Algorithm

Spread: 0.3
Impact: 5.0
Exploitability: 9.1
Remediation: 0.0
Relevance: 6.0
Threat: 6.4
Urgency: 2.9
Incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.