Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2024-41276 PoC — Kaiten 安全漏洞

Source
https://github.com/artemy-ccrsky/CVE-2024-41276
Associated Vulnerability
Title:Kaiten 安全漏洞 (CVE-2024-41276)
Description:Kaiten是Kaiten公司的一个员工管理平台。 Kaiten 57.131.12版本及之前版本存在安全漏洞,该漏洞源于允许攻击者绕过PIN码身份验证机制,攻击者能够执行暴力攻击以猜测正确的PIN并获得对应用程序的未经授权的访问权限。
Readme
# CVE-2024-41276 (Kaiten Authentication Bypass)
[Kaiten](https://kaiten.ru/) - a workflow management system.
A vulnerability in Kaiten allows attackers to bypass the PIN code authentication mechanism. The application requires users to input a 6-digit PIN code sent to their email for authorization after entering their login credentials. However, the request limiting mechanism can be easily bypassed, enabling attackers to perform a brute force attack to guess the correct PIN and gain unauthorized access to the application.

**Details:**

Authentication mechanism use one factor sended on e-mail, without any password :)
Bypassing rate limits can be achieved by using the `X-Forwarded-For` header, which allows the `X-RateLimit-Remaining` counter to reset.

![](brute_1.png)

This method enables continued requests without receiving `HTTP 429 Too Many Requests` responses, which usually occur after multiple attempts. 

![](no_limits.png)

So also there are no limits to request new PIN Code => attacker can guess pin code using brute force attack. Expiry time of PIN Code 5 minutes, there are attacker have got 5 minutes to try guess 6-digit PIN-Code.
With **~150 RPS** attacker can try **~45,000** PIN Codes. After all attempts with math calculcation success probability 50% can be reached with 33 minutes and 100% with 4 hours.


**Vulnerable versions:**

`<= 57.131.12`


**Links:**

[CVE MITRE Description](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-41276)

[NVD CVE](https://nvd.nist.gov/vuln/detail/CVE-2024-41276)

## Usage
Simple download bash script and run with selected username _(only login, not e-mails!)_

```bash
bash CVE-2024-41276.sh  <input_user> <kaiten.example.com>
```
As Result:
Successfull result => Obtain a valid cookie to futher usage

![Kaiten_sploit](CVE-2024-41276_exploit.png)


## Mitigation
- Update Kaiten software to last version
- Implement basic CAPTCHA or rate limits
- Block IP-address temporary
File Snapshot

 [4.0K]  /data/pocs/f242f1073b3bee9de8378c2e0b7bdb1adca5c544
├── [342K]  brute_1.png
├── [123K]  CVE-2024-41276_exploit.png
├── [2.9K]  CVE-2024-41276.sh
├── [105K]  no_limits.png
└── [1.9K]  README.md

0 directories, 5 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).
    3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.