
CVE-2022-37177 PoC — HireVue Hiring Platform Cryptographic Issue Vulnerability

Source
Associated Vulnerability
Title: HireVue Hiring Platform Cryptographic Issue Vulnerability (CVE-2022-37177)
Description: HireVue Hiring Platform is a talent experience platform from the US company HireVue, designed to automate hiring workflows and scale recruiting. HireVue Hiring Platform V1.0 has a cryptographic issue vulnerability caused by the use of a broken or risky cryptographic algorithm.
Description
CVE-2022-37177 - HireVue-Broken-Or-Risky-Cryptographic-Algorithm
Readme
# CVE-2022-37177 - HireVue-Broken-Or-Risky-Cryptographic-Algorithm

When you open the interview invite link that HireVue provides, you are taken to a terms page where you must agree to the terms before the recorded, timed interview begins. That initial HTTP response already contains the questions that will be asked during the interview, encoded with a rail fence cipher. A rail fence cipher is a simple, keyless transposition and is trivially reversed, so all of the interview questions can be read before the interview is actually started. Because the interview does not begin until you agree to the terms, the link can be visited and left as many times as you like until you choose to start. HireVue's customers do not expect the questions to be known before the interview starts; the rail fence cipher is an attempt to hide them, but it is a weak form of encryption.

*You can also read other information from this HTTP response in plain text, such as the number of questions, the maximum time to answer each question in seconds, the number of attempts you have, the prep time before recording starts, etc.*


Initial response from: *hiring-org-subdomain*.hirevue.com/interviews/*interview-ID*. Locate the `questions` array, which holds the encoded questions in JSON; the encoded question is the value of each object's `text` field. It will look like the portion of the HTTP response below.

```json
...

            "questions": [
                {
                    "id": 123456,
                    "type": "video",
                    "text": "hsi htteqetoswl oklk hnecytduigari ec ihr Z25Ti swa h usin illo iewe nrpe sn  alfnecpe.(..)",
                    "maxDuration": 180,
                    "isRatable": true,
                    "minDuration": 10,
                    "prepTimeSeconds": 120,
                    "disableCopyPaste": false,
                    "secondsElapsed": 0,
                    "isAnswered": false,
                    "answer": null,
                    "attemptsAvailable": 3
                },
                {
                    "id": 654321,
                    "type": "video",
                    "text": "hsi htteqetoswl oklk hnecytduigari ec ihr digsm xr ethr o hsoe(..)Ti swa h usin illo iewe nrpe sn  alfnecpe.Adn oeetatx eefrti n G19",
                    "maxDuration": 180,
                    "isRatable": true,
                    "minDuration": 10,
                    "prepTimeSeconds": 120,
                    "disableCopyPaste": false,
                    "secondsElapsed": 0,
                    "isAnswered": false,

...
```

To decode the `text` value you can use https://www.boxentriq.com/code-breaking/rail-fence-cipher: set Rails to 2 and Offset to 0, paste the text, and decrypt. Paste only the string value itself, not the `"text":` key at the beginning or the comma at the end (those are part of the JSON), and you may need to trim some characters from the end, such as the closing quotation mark in the example above.
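As an added example (not code from the PoC repository or from HireVue), here is the rail fence transposition the README describes, implemented in Python so the weakness behind the CWE-327 classification is concrete: encoding and decoding need only the rail count (2 here, offset 0) and no secret at all, so anything sent to the browser in this form is effectively plaintext. The `client_view` helper at the end is a hypothetical illustration of the server-side mitigation: leave the question text out of the response until that question is actually started, rather than obfuscating it. The sample question is constructed; the page's own ciphertexts are truncated, so they are not used.

```python
from typing import Iterable

# Added example for the CWE-327 issue behind CVE-2022-37177: a rail fence
# (zigzag) transposition is keyless and trivially invertible, so it provides
# no confidentiality. Not code from the PoC repository or from HireVue.


def _rail_pattern(length: int, rails: int, offset: int = 0) -> list[int]:
    """Rail index visited by each character position, in zigzag order.

    `offset` shifts the starting point within the zigzag (the "Offset"
    setting of the web tool the README refers to). The README's case is
    rails=2, offset=0, where the pattern is simply 0,1,0,1,...
    """
    if rails < 2:
        return [0] * length
    period = 2 * (rails - 1)
    pattern = []
    for i in range(length):
        pos = (i + offset) % period
        pattern.append(pos if pos < rails else period - pos)
    return pattern


def rail_fence_encode(plaintext: str, rails: int = 2, offset: int = 0) -> str:
    """Write the text along the zigzag, then read each rail left to right."""
    rows: list[list[str]] = [[] for _ in range(rails)]
    for ch, r in zip(plaintext, _rail_pattern(len(plaintext), rails, offset)):
        rows[r].append(ch)
    return "".join("".join(row) for row in rows)


def rail_fence_decode(ciphertext: str, rails: int = 2, offset: int = 0) -> str:
    """Invert the transposition: cut the ciphertext into rails, replay the zigzag.

    Nothing secret is needed: the rail count alone fixes the permutation.
    """
    pattern = _rail_pattern(len(ciphertext), rails, offset)
    counts = [pattern.count(r) for r in range(rails)]
    rail_iters = []
    start = 0
    for c in counts:
        rail_iters.append(iter(ciphertext[start:start + c]))
        start += c
    return "".join(next(rail_iters[r]) for r in pattern)


def client_view(questions: list[dict], started_ids: Iterable[int]) -> list[dict]:
    """Hypothetical mitigation (not HireVue's code): omit the question text
    from what the client receives until that question has been started
    server-side. Timing metadata stays visible, as the README notes."""
    started = set(started_ids)
    view = []
    for q in questions:
        copy = dict(q)
        if copy.get("id") not in started:
            copy.pop("text", None)
        view.append(copy)
    return view


# Constructed sample question and a question object using the README's field names.
SAMPLE_QUESTION = "Describe a time you resolved a conflict with a coworker."
SAMPLE_QUESTIONS = [
    {"id": 123456, "type": "video", "text": SAMPLE_QUESTION,
     "maxDuration": 180, "prepTimeSeconds": 120, "attemptsAvailable": 3},
]

if __name__ == "__main__":
    ct = rail_fence_encode(SAMPLE_QUESTION, 2)
    print("encoded  :", ct)
    print("decoded  :", rail_fence_decode(ct, 2))
    print("mitigated:", client_view(SAMPLE_QUESTIONS, started_ids=[]))
```

With two rails the "ciphertext" is just the even-indexed characters followed by the odd-indexed ones, which is why the web tool recovers the question immediately. The design point is that no transposition or substitution applied client-side can replace access control: the server must simply not send content the user is not yet entitled to see.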
File Snapshot

[4.0K] /data/pocs/2fb7bba41c7d4e80a7f246589960eb61a35d604a
└── [3.0K] README.md

0 directories, 1 file