Related vulnerability
Title:
Crixp OpenCRX Authorization Issue Vulnerability
(CVE-2020-7378)
Description: Crixp OpenCRX is a site-building system from the Swiss company Crixp for managing the sales process. It offers a Java API for Java-based clients and a Swagger-compatible RESTful API, and is used for sales, service, marketing, contact-center and issue-management scenarios. CRIXP OpenCRX version 4.30 and versions before 5.0-20200717 contain a security vulnerability that stems from an unauthenticated password change. An attacker can exploit it to change the password of any user (including admin-Standard) to any value of their choosing.
Introduction
## CVE-2020-7378 – OpenCRX Predictable Password Reset Token and XXE Exploit
This repository contains a combined proof-of-concept (PoC) exploit for **CVE-2020-7378**, a critical vulnerability in **OpenCRX** (versions up to and including 5.0-20200717). The exploit chains two core issues in the application:
1. A **predictable password reset token** vulnerability due to reliance on `java.util.Random`, which allows attackers to generate valid tokens based on a millisecond timestamp seed.
2. A **blind XML External Entity (XXE)** vulnerability in the `RestServlet` endpoint that permits remote file disclosure from the server’s filesystem.
The combination of these two flaws enables an unauthenticated attacker to gain administrative access and exfiltrate sensitive server-side files.
---
### Vulnerability Details
* **CVE ID**: [CVE-2020-7378](https://nvd.nist.gov/vuln/detail/CVE-2020-7378)
* **Affected Product**: OpenCRX ≤ 5.0-20200717
* **Attack Surface**: Publicly exposed management and REST interfaces
* **Root Causes**:
  * Insecure pseudo-random token generation during password resets
  * Unsafe XML parsing in REST API endpoints
* **Impact**:
  * Unauthorized password resets for arbitrary users (including admin)
  * Arbitrary file read via XXE injection
* **CVSS**: 9.1 (Critical)
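The two root causes above map onto two concrete fixes. The Java class below is an added defender-side example and is not OpenCRX's own code: `weakToken` reproduces the clock-seeded `java.util.Random` pattern the advisory describes (the method name and token format are assumptions for illustration, not the project's real routine), `strongToken` and `tokenMatches` show the replacement using `SecureRandom` and a constant-time comparison, and `safeXmlParser` configures a `DocumentBuilderFactory` that refuses DOCTYPE declarations and external entities so an XXE payload never reaches the filesystem. The sample XML in `main` is a constructed input used only to show the parser rejecting it.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Random;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.xml.sax.SAXException;

public class OpenCrxHardening {

    // Insecure pattern (illustrative assumption, not OpenCRX's actual code):
    // java.util.Random seeded from the clock. Two calls with the same seed
    // produce the same token, so anyone who can narrow down the request time
    // can regenerate it. This is the property the advisory warns about.
    static String weakToken(long millis) {
        Random r = new Random(millis);
        return Long.toHexString(r.nextLong());
    }

    // Hardened replacement: 32 bytes from a CSPRNG, never seeded by the caller,
    // encoded URL-safe so it can travel in a reset link. Store it server-side
    // with an expiry and invalidate it after one use.
    private static final SecureRandom RNG = new SecureRandom();

    static String strongToken() {
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    }

    // Constant-time comparison so response timing does not leak how many
    // leading characters of a guessed token were correct.
    static boolean tokenMatches(String submitted, String stored) {
        if (submitted == null || stored == null) {
            return false;
        }
        return MessageDigest.isEqual(
                submitted.getBytes(StandardCharsets.UTF_8),
                stored.getBytes(StandardCharsets.UTF_8));
    }

    // XXE-safe parser: disallowing the DOCTYPE entirely is the simplest and
    // strongest setting; the remaining features are defence in depth for
    // parsers that do not honour disallow-doctype-decl.
    static DocumentBuilder safeXmlParser() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    public static void main(String[] args) throws ParserConfigurationException, IOException {
        // Constructed timestamp: same seed, same "random" token.
        long requestTime = 1_600_000_000_000L;
        System.out.println("clock-seeded tokens repeat: "
                + weakToken(requestTime).equals(weakToken(requestTime)));
        System.out.println("CSPRNG tokens differ: "
                + !strongToken().equals(strongToken()));

        String issued = strongToken();
        System.out.println("correct token accepted: " + tokenMatches(issued, issued));
        System.out.println("wrong token rejected: " + tokenMatches(strongToken(), issued));

        // Constructed document carrying an external entity; the hardened
        // parser must refuse it at the DOCTYPE before any entity is resolved.
        String doc = "<?xml version=\"1.0\"?>"
                + "<!DOCTYPE x [<!ENTITY e SYSTEM \"file:///placeholder\">]>"
                + "<x>&e;</x>";
        try {
            safeXmlParser().parse(new ByteArrayInputStream(doc.getBytes(StandardCharsets.UTF_8)));
            System.out.println("document parsed (parser is NOT hardened)");
        } catch (SAXException e) {
            System.out.println("document rejected: " + e.getMessage());
        }
    }
}
```

Compile and run with `javac OpenCrxHardening.java && java OpenCrxHardening`. The `safeXmlParser` settings follow the OWASP XXE prevention guidance for the JDK's built-in Xerces parser; if a different XML library is wired into the servlet, the equivalent switch on that library is the one to set, and a unit test that feeds a DOCTYPE-bearing document and expects a parse failure is the cheapest regression check.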
---
### Included Components
* `opencrx-exploit.py`: Full-chain exploit script that performs both token prediction and XXE file read.
* `OpenCRXToken.java`: Java class that emulates the token generation logic using a brute-force seed range based on request timing.
### Usage
1. Compile the token generator:
```bash
javac OpenCRXToken.java
```
2. Run the exploit:
```bash
python3 opencrx-exploit.py <target_user_id>
```
This will:
* Generate and test valid password reset tokens based on the timing window.
* Reset the target user’s password.
* Trigger an XXE payload via the REST API to read a sensitive file from the server.
File snapshot
```
[4.0K] /data/pocs/c7648a99e1ce8c2e6afdd85ccf655173b583678c
├── [2.5K] opencrx-reset-spray.py
├── [ 732] OpenCRXToken.java
└── [1.9K] README.md
0 directories, 3 files
```
Notes
1. It is recommended to access the PoC through its original source first.
2. If the source is no longer available or cannot be reached, send an e-mail to f.jinxu#gmail.com to request the local snapshot (replace # with @).
3. 神龙 has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.