CVE-2024-54820 PoC — XOne Web Monitor 安全漏洞

Source

https://github.com/jcarabantes/CVE-2024-54820

Associated Vulnerability

Title:XOne Web Monitor 安全漏洞 (CVE-2024-54820)
Description:XOne Web Monitor是XOne公司的一个监控仪表盘。 XOne Web Monitor v02.10.2024.530版本存在安全漏洞，该漏洞源于存在SQL注入漏洞，允许攻击者通过特制输入窃取所有用户名和密码。

Description

Vuln disclosure for XOne app

Readme

# Vulnerability: Unauthenticated SQL Injection - Clear Credentials Dump

**Author**: Javier Carabantes

**Affected Software**: `XOne Web Monitor`

**Software**: `https://xone.es/`

**Affected Version**: 02.10.2024.530 framework 1.0.4.9 


## Description
An unauthenticated SQL injection vulnerability has been discovered in the login functionality of `XOne Web Monitor` version 02.10.2024.530 framework 1.0.4.9 . This flaw allows attackers to exploit improper handling of user input during the authentication process to extract all stored usernames and passwords. Specifically, the login endpoint's design allows attackers to manipulate a `WHERE` clause through a vulnerable input parameter.

## Affected Endpoint
`/webcore/api/itf/DoAction`

## Proof of Concept
The following demonstrates how the vulnerability can be exploited using a crafted `POST` request to the vulneranle version:
![Login](img/login.png)

When an invalid login is provided, like "test:test", the following request is sent

### Request
```http
POST /webcore/api/itf/DoAction HTTP/1.1
Host: redacted:44330
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: http://redacted:44330/
Content-Type: application/json
Authorization: Bearer redacted
Content-Length: 124
Origin: http://redacted:44330
Connection: keep-alive

{"action":"select","count":false,"page":{},"coll":"Usuarios","macros":{},"where":"(LOGIN='test')","sort":"","loadall":false}
```
Notice how the password is not send and the username is wrapped in a where property.
Changing the operator of the LOGIN field will give the full list of users and password in clear text:

### Burp Suite Example
![Cred dump](img/dump.png)

The response reveals the list of all usernames and their corresponding passwords stored in the database.
Any user has the ability to access and get sensitive data (customers, employee position, etc).

![Sensitive data](img/data.png)

## Additional Notes
This SQL injection vulnerability also supports the use of UNION queries in MSSQL, allowing attackers to enumerate and retrieve data from other tables in the database.

![union select](img/union.png)

The same injection allows LFD if the attacker knows the absolute path, example of reading C:/windows/system32/grouppolicy/machine/registry.pol, a privileged file:

![LFD](img/lfd.png)

## Disclaimer
The vendor was notified of this vulnerability during the week of **11/11/2024**. 

The webpage shown in the PoC has been unpublished.

File Snapshot


 [4.0K]  /data/pocs/4b2cc594aa5c1eb2935d1c9db769e8088aeb5e8b
├── [4.0K]  img
│   ├── [145K]  data.png
│   ├── [ 78K]  dump.png
│   ├── [220K]  lfd.png
│   ├── [ 64K]  login.png
│   ├── [  13]  README.md
│   └── [104K]  union.png
└── [2.5K]  README.md

1 directory, 7 files

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).

3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.

Goal Reached Thanks to every supporter — we hit 100%!