Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2023-24709 PoC — Paradox Security Systems IPR512 代码注入漏洞

Source
https://github.com/DRAGOWN/CVE-2023-24709-PoC
Associated Vulnerability
Title:Paradox Security Systems IPR512 代码注入漏洞 (CVE-2023-24709)
Description:Paradox Security Systems IPR512是美国Paradox公司的一个提供通过网络来监控管理Paradox设备的通信模块。 Paradox Security Systems IPR512版本存在安全漏洞,该漏洞源于允许攻击者通过login.html和login.xml参数造成拒绝服务。
Description
In Paradox Security System IPR512 web panel, an unauthenticated user can input JavaScript string, such as </script> that will overwrite configurations in the file "login.xml" and cause the login form to crash and make it unavailable.
Readme
# Injection vulnerability in Paradox Security Systems IPR512 - CVE-2023-24709 PoC
In Paradox Security System IPR512 web panel, an unauthenticated user can input JavaScript string, such as <code></script></code> that will overwrite configurations in the file "login.xml" and cause the login form to crash and make it unavailable. 

**!!! WARNING !!! THE SCRIPT ACTUALLY DAMAGES THE SERVICE.**

**_Be aware that by following the exploitation steps manually and/or executing the exploitation script against any target, you acknowledge that you understand the potential risks, including possible damage to the system. The author of this script is not responsible for any type of harm, loss, or damage resulting from its use. Use the script at your own risk and ensure you have adequate backups and safeguards in place before proceeding._**

**Scripting Approach**
1. An example of successful attempt of exploitation

![screenshot](/img/pss_00.png)

2. An example of unsuccessful attempt of exploitation
   
![screenshot](/img/pss_01.png)




 
**Manual Approach**

1. The Paradox Security Systems IPR512 Account Management webpanel is accessible. Typing "admin" as a user.
  
![screenshot](/img/pss_1.png)
  
2. Intercepting request with BurpSuite.
  
![screenshot](/img/pss_2.png)

3. Changing "admin" with JavaScript tag <code></script></code>
  
![screenshot](/img/pss_3.png)

4. URL encoding <code></script></code> to bypass security filter and sending request.

![screenshot](/img/pss_4.png)

5. If accessing the login.xml isn't restricted, you can check that it is overwritten.
  
![screenshot](/img/pss_5.png)

6. The webpanel login form isn't accessible anymore as it is crashed.
  
![screenshot](/img/pss_6.png)

Code injection vulnerability in login.html in Web panel login page on IPR512 of the Paradox Security Systems product that allows a remote or local attacker to cause the web panel login page crash via injecting easy JavaScript code into login form page such as <code></script></code>.
File Snapshot

 [4.0K]  /data/pocs/0eb04ca85de1d56be55f24112ba863efce7c0a6e
├── [2.8K]  cve-2023-24709.sh
├── [4.0K]  img
│   ├── [ 74K]  pss_00.png
│   ├── [ 75K]  pss_01.png
│   ├── [ 41K]  pss_1.png
│   ├── [ 48K]  pss_2.png
│   ├── [ 49K]  pss_3.png
│   ├── [ 59K]  pss_4.png
│   ├── [ 29K]  pss_5.png
│   └── [ 25K]  pss_6.png
└── [2.0K]  README.md

1 directory, 10 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).
    3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.