CVSS3 base score: 8.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS2 base score: 6.5 Medium
Access Vector: NETWORK
Access Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P

EPSS: 0.005 Low (percentile: 73.6%)
Hi DoD Team,
I hope you are doing well today.
This is a follow-up to my November 15th 2022 report #1775217 (https://hackerone.com/reports/1775217).
With all respect, and to be clear, I don’t want to push too hard or be annoying about this, so feel free to tell me if you don’t want or need to take action on it.
Since my report #1775217 was left unanswered, I felt I should open a new one, as I feel this is a serious matter.
>> Recap of my last report:
>> On November 15th 2022: I opened a report describing how I had found a set of credentials publicly exposed from an ITSM system indexed in search engines.
>> On November 16th 2022: I had a reply telling me that the credentials were valid but didn’t have any rights on the system, so there was no impact.
>> On November 17th 2022: I had found another set of credentials exposed and I was able to successfully exploit CVE-2018-18862 from this.
>> This was left unanswered.
>> On February 12th 2023: The website was down and I left my report as such.
>> See https://hackerone.com/reports/1775217 for all the details.
Today, to my surprise and while doing other searches, I stumbled across this website again.
I would like to reiterate the following:
> Today, May 16th 2023, the sets of credentials I had found at the time are still working:
>>Username: ████
>>Password: ███
>>Username: ████████
>>Password: ██████████
See screenshot 3, taken on May 16th 2023: the “█████████” credentials are still exposed.
█████
Here is the login page: https://████████/███████/shared/login.jsp
Today, May 16th 2023, I can still successfully exploit CVE-2018-18862 (incorrect access control).
I decided to re-open the report for the following reasons:
- I thought about it for a long time; since on my prior report I didn’t get any reply after the successful CVE exploitation and the new set of credentials I found, I judged it was worth having a second look.
- Also, I thought the system was down, but today I found out it was not.
In all good faith.
Best regards.
~pll25
https://nvd.nist.gov/vuln/detail/CVE-2018-18862
- An attacker can access the system with the rights of these users.
- I was able to list Roles.
- I am potentially able to create/read reports and probably do more, but I stopped there because the PoC is already proven.
- 2 sets of credentials, including valid usernames and passwords, were leaked from this system on November 15th 2022.
BMC Remedy, version unknown.
CVE-2018-18862 (CVSS v3.0 score: 8.8 (HIGH), vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
Step 1:
Let’s say we use the account “██████████”.
Log in with the username and password on this page: https://██████/███/shared/login.jsp
(Screenshot 1, from November 15th, shows how I was able to obtain it.)
███
Step 2:
You should land on an error web page telling you that the file doesn’t exist.
The landing URL should look like this:
>>███████/█████/forms/arpcp/arpc:web:retirementsapplicationsubmission/default+administrator+view/$external%20report%20server%20url_glb$retirementapplication&rs:command=render&preportinstanceid=$536871212$&rs:format=pdf
Step 3:
Here we can exploit CVE-2018-18862: replace all the text after /forms/arpc/ (the part of the URL in bold above) with:
>>/User/Default+Admin+View1/
Step 4:
You will now have access to the whole Remedy ITSM system.
From there you have successfully exploited CVE-2018-18862.
I was able to list Roles.
I am potentially able to create/read reports and probably do more but I stopped there because the POC is already proven.
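An operator of a Remedy instance who wants to know whether the access pattern described in Steps 2 and 3 has been used against their own system can look for it in the web server's access logs. The scan below is an added example and is not part of the report: the Apache/Tomcat combined log format, the /remedy/ context path, the form names and every address and timestamp are constructed for the example, and the match pattern is taken from the `/User/Default+Admin+View1/` path quoted in Step 3; real deployments may lay out their URLs differently, so the pattern should be checked against a known-good request first. Percent-encoded variants (`%2B` for `+`) are decoded before matching so that an encoded request is not missed.

```python
import re
from urllib.parse import unquote

# Constructed sample log lines (combined log format). Nothing here is real data:
# the context path, IPs and times are made up; the admin-view path is the one
# quoted in Step 3 of the report above, the other paths are invented.
SAMPLE_LOG = """\
10.0.0.5 - - [16/May/2023:10:12:01 +0000] "GET /remedy/shared/login.jsp HTTP/1.1" 200 4213 "-" "Mozilla/5.0"
10.0.0.5 - - [16/May/2023:10:12:09 +0000] "POST /remedy/shared/login.jsp HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.5 - - [16/May/2023:10:12:10 +0000] "GET /remedy/forms/arpc/EXAMPLE:Form/default+administrator+view/ HTTP/1.1" 404 812 "-" "Mozilla/5.0"
10.0.0.5 - - [16/May/2023:10:12:31 +0000] "GET /remedy/forms/arpc/User/Default+Admin+View1/ HTTP/1.1" 200 55120 "-" "Mozilla/5.0"
10.0.0.9 - - [16/May/2023:10:14:02 +0000] "GET /remedy/forms/arpc/User/Default%2BAdmin%2BView1/?cacheid=1 HTTP/1.1" 200 55120 "-" "curl/7.88"
10.0.0.7 - - [16/May/2023:10:15:45 +0000] "GET /remedy/forms/arpc/EXAMPLE:Form/Default+User+View/ HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
10.0.0.11 - - [16/May/2023:10:16:00 +0000] "GET /remedy/forms/arpc/User/Default+Admin+View1/ HTTP/1.1" 403 512 "-" "Mozilla/5.0"
"""

# Combined log format: client, ident, user, [time], "METHOD target HTTP/x", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# The admin view path from the report: /forms/<server>/User/Default+Admin+View...
# (assumption: the form segment is literally "User" on the affected deployment).
ADMIN_VIEW_RE = re.compile(r"/forms/[^/]+/User/Default\+Admin\+View", re.IGNORECASE)


def normalize_path(target):
    """Strip the query string and percent-decode repeatedly (bounded) so that
    '%2B', '%252B' and a literal '+' all compare equal. unquote() leaves '+' alone."""
    path = target.split("?", 1)[0]
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": m["ts"],
        "method": m["method"],
        "path": normalize_path(m["target"]),
        "status": int(m["status"]),
    }


def find_admin_view_requests(log_text):
    """Every request whose decoded path matches the admin-view pattern.
    A 2xx response means the server actually served the view ("succeeded");
    anything else is recorded as "attempted" so that blocked tries are kept too."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not ADMIN_VIEW_RE.search(rec["path"]):
            continue
        rec["outcome"] = "succeeded" if 200 <= rec["status"] < 300 else "attempted"
        findings.append(rec)
    return findings


def clients_by_outcome(findings):
    """Map outcome -> sorted list of client addresses, for a review queue."""
    summary = {}
    for rec in findings:
        summary.setdefault(rec["outcome"], set()).add(rec["ip"])
    return {k: sorted(v) for k, v in summary.items()}


if __name__ == "__main__":
    hits = find_admin_view_requests(SAMPLE_LOG)
    for h in hits:
        print(h["ts"], h["ip"], h["status"], h["outcome"], h["path"])
    print(clients_by_outcome(hits))
```

A match is a lead, not a verdict: a legitimate administrator opens the same view, so each flagged client should be tied back to the account or session that made the request (the access log alone does not carry it) and compared with who is actually entitled to administer the system. The 404 on a forms URL immediately before a successful admin-view request from the same client, as in the constructed sample, mirrors the sequence in Steps 2 and 3 and is worth treating as a stronger signal.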