CVE-2022-26629 PoC — SoroushPlus Messenger 访问控制错误漏洞

Source

https://github.com/sysenter-eip/CVE-2022-26629

Associated Vulnerability

Title:SoroushPlus Messenger 访问控制错误漏洞 (CVE-2022-26629)
Description:SoroushPlus Messenger是Setak Houshmand Sharif个人开发者的一个即时通讯应用程序。 SoroushPlus Messenger 1.0.30 版本 Lock Screen Security Feature 功能存在访问控制错误漏洞，该漏洞源于权限和权限不足，存在访问控制漏洞。攻击者可以绕过锁屏功能。

Readme

# Lock Screen Bypass

## CVE-2022-26629

### Affected Products

- SoroushPlus+ Messenger 1.0.30

### Vulnerability Type

Improper Access Control

### Impact

Lock Screen Bypass

### Summary

Improper handling of insufficient permissions and privileges allows an attacker to modify and overwrite the lock screen functionality causing it to be bypassed without any authorization.

## Exploitation

[BypassLockScreen.py](Lock%20Screen%20Bypass/BypassLockScreen.py)

### Auto Exploit PoC

1. Drop `BypassLockScreen.py` to the your SoroushPlus+ installation directory,
2. Run `Python3 BypassLockScreen.py`.

### **Tested Environments**

- Windows
- Linux

### Demo

![PoC.gif](PoC.gif)

File Snapshot


 [4.0K]  /data/pocs/0c3d75b9ad25dc0f34379781ae209f687c8188aa
├── [4.0K]  Lock Screen Bypass
│   └── [2.6K]  BypassLockScreen.py
├── [3.6M]  PoC.gif
└── [ 681]  README.md

1 directory, 3 files

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).

3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.

Goal Reached Thanks to every supporter — we hit 100%!