Authentication bypass in Cisco Meraki


It's been a long time since I've blogged about my findings, so here is one I found the other night. The vulnerability is APNS certificate verification bypass, which in turn gave me access to (through IDOR) to different management profiles of the networks of different users. Upon further research, it was found out that I was able to add my device to any user's network, though it was an edge case.

If you create a network as an EMM (systems manager), you have an option to add devices. I tried adding my iOS device, now the interface looked like this:

As you can see, we have an option to upload our APNS certificate. However, the server wasn't quite verifying the validity of this certificate. Uploading random shit would throw an error saying the cert was invalid, however I was able to bypass this by dropping the Burp request of the upload. It simply led me to the following screen.

Verification bypassed! Okay, moving on. Clicking on the next option gave away a screen like so-

You can see a `Download` option here. Now this option enables us to download our .mobileconfig file for use in iOS. However, the link, being made up of a numeric identifier was vuln to IDOR. So I could download management profiles of any user!

Now comes the interesting bug, I was testing this same functionality from a different account and I found out this:

1.) User A creates download link
2.) Attacker gains access to download link by enumerating (remember the IDOR bug)
3.) Attacker simply visits the link, device gets added in User A's account!

That's it for this one.



Popular Posts