mirror of
https://github.com/carlospolop/hacktricks
synced 2024-12-19 17:44:47 +00:00
93 lines
6.1 KiB
Markdown
# UUID Insecurities
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Support HackTricks</summary>

* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>

{% endhint %}

## Basic Information

Universally Unique Identifiers (UUIDs) are **128-bit numbers used to uniquely identify information** in computer systems. UUIDs are essential in applications where unique identifiers are necessary without central coordination. They are commonly used as database keys and can refer to various elements like documents and sessions.

UUIDs are designed to be unique and **hard to guess**. They are structured in a specific format, divided into five groups represented as 32 hexadecimal digits. There are different versions of UUIDs, each serving different purposes:

* **UUID v1** is time-based, incorporating the timestamp, clock sequence, and node ID (MAC address), but it can potentially expose system information.
* **UUID v2** is similar to v1 but includes modifications for local domains (not widely used).
* **UUID v3 and v5** generate UUIDs using hash values from namespace and name, with v3 using MD5 and v5 using SHA-1.
* **UUID v4** is generated almost entirely randomly, providing a high level of anonymity but with a slight risk of duplicates.

{% hint style="success" %}
Note that the version and variant of the UUID usually appear at the same positions inside the UUID. For example, in:\
12345678 - abcd - 1a56 - a539 - 103755193864\
xxxxxxxx - xxxx - Mxxx - Nxxx - xxxxxxxxxxxx

* The **position of the M** indicates the UUID **version**. In the example above, it’s UUID v**1**.
* The **position of the N** indicates the UUID **variant**.
{% endhint %}

## Sandwich attack

The "Sandwich Attack" is a specific type of attack that **exploits the predictability of UUID v1 generation in web applications**, particularly in features like password resets. UUID v1 is generated based on time, clock sequence, and the node's MAC address, which can make it somewhat predictable if an attacker can obtain some of these UUIDs generated close in time.

### Example

Imagine a web application that uses UUID v1 for generating password reset links. Here’s how an attacker might exploit this to gain unauthorized access:

1. **Initial Setup**:
   * The attacker has control over two email accounts: `attacker1@acme.com` and `attacker2@acme.com`.
   * The target's email account is `victim@acme.com`.
2. **Execution**:
   * The attacker triggers a password reset for their first account (`attacker1@acme.com`) and receives a password reset link with a UUID, say `99874128-7592-11e9-8201-bb2f15014a14`.
   * Immediately after, the attacker triggers a password reset for the victim's account (`victim@acme.com`) and then quickly for the second attacker-controlled account (`attacker2@acme.com`).
   * The attacker receives a reset link for the second account with a UUID, say `998796b4-7592-11e9-8201-bb2f15014a14`.
3. **Analysis**:
   * The attacker now has two UUIDs generated close in time (`99874128` and `998796b4`). Given the sequential nature of time-based UUIDs, the UUID for the victim's account will likely fall between these two values.
4. **Brute Force Attack:**
   * The attacker uses a tool to generate UUIDs between these two values and tests each generated UUID by attempting to access the password reset link (e.g., `https://www.acme.com/reset/<generated-UUID>`).
   * If the web application does not adequately rate limit or block such attempts, the attacker can quickly test all possible UUIDs in the range.
5. **Access Gained:**
   * Once the correct UUID for the victim's password reset link is discovered, the attacker can reset the victim's password and gain unauthorized access to their account.
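To measure how little a v1 reset token actually protects, here is an added example (not code from this page or from the sandwich tool) that uses Python's standard `uuid` module to read the M/N version and variant nibbles described in the hint above, recover the timestamp, clock sequence and node that a v1 UUID leaks, and compute the timestamp window between the two reset-link UUIDs of the walkthrough. The function names `inspect_uuid`, `v1_window` and `is_guessable_token` are my own; the last one is a defensive check of the kind the UUID Detector extension performs.

```python
import uuid
from datetime import datetime, timedelta, timezone

# Ticks (100 ns each) between the UUID v1 epoch (1582-10-15) and the Unix epoch (1970-01-01).
GREGORIAN_TO_UNIX_TICKS = 0x01B21DD213814000
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def inspect_uuid(s: str) -> dict:
    """Read the M (version) and N (variant) nibbles; for v1, also recover the leaked fields."""
    u = uuid.UUID(s)
    info = {"version": u.version, "variant": u.variant}
    if u.version == 1:
        # u.time is the 60-bit timestamp: time_hi (12 bits) | time_mid | time_low.
        unix_us = (u.time - GREGORIAN_TO_UNIX_TICKS) / 10
        info["timestamp"] = UNIX_EPOCH + timedelta(microseconds=unix_us)
        info["clock_seq"] = u.clock_seq
        info["node"] = f"{u.node:012x}"  # normally the generating host's MAC address
    return info


def v1_window(first: str, second: str) -> int:
    """Timestamp ticks (100 ns each) between two v1 UUIDs: the size of the sandwich search space."""
    a, b = uuid.UUID(first), uuid.UUID(second)
    if a.version != 1 or b.version != 1:
        raise ValueError("the window is only meaningful for time-based (v1) UUIDs")
    if a.node != b.node or a.clock_seq != b.clock_seq:
        raise ValueError("UUIDs come from different generators; the window is not usable")
    return abs(b.time - a.time)


def is_guessable_token(token: str) -> bool:
    """Defensive check: flag tokens that are time-based UUIDs (v1/v2)."""
    try:
        return uuid.UUID(token).version in (1, 2)
    except ValueError:
        return False  # not a UUID at all (e.g. a random secrets.token_urlsafe() token)


if __name__ == "__main__":
    # The two attacker-controlled reset-link UUIDs quoted on this page.
    first = "99874128-7592-11e9-8201-bb2f15014a14"
    second = "998796b4-7592-11e9-8201-bb2f15014a14"
    print(inspect_uuid(first))
    ticks = v1_window(first, second)
    print(f"window: {ticks} candidate timestamps ({ticks / 10_000:.2f} ms)")
    print("guessable:", is_guessable_token(first), is_guessable_token(str(uuid.uuid4())))
```

For the two UUIDs on this page the window is only 21,900 ticks (about 2.2 ms of clock), which is why rate limiting alone is a weak defence; reset tokens should come from a CSPRNG (e.g. `secrets.token_urlsafe()`) rather than `uuid1()`.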

### Tools

* You can perform the sandwich attack automatically with the tool: [**https://github.com/Lupin-Holmes/sandwich**](https://github.com/Lupin-Holmes/sandwich)
* You can detect this type of UUID in Burp Suite with the extension [**UUID Detector**](https://portswigger.net/bappstore/65f32f209a72480ea5f1a0dac4f38248).

## References

* [https://versprite.com/blog/universally-unique-identifiers/](https://versprite.com/blog/universally-unique-identifiers/)
