Enjay CRM 1.0 - Multiple code executions via Unrestricted Terminal

By -

 


Enjay CRM is a collection which contains the CRM software along with Linux Ubuntu, however normal user don't have access to the underlying OS. Once the OS boots its runs the Enjay CRM software which has multiple read-only options. 

However some of these options opens a terminal to perform a specific activity, This terminal is unrestricted and user can access the underlying OS as a ROOT and can run any command on OS.

Underlying OS can be accessed using two methods; Also CVEs are assigned to these findings.

1. Using Ping menu (CVE-2024-41308): it will open a terminal and user can click on File menu -> New Tab/New window. And root level terminal will be open.

2. Using Hardware info (CVE-2024-41309): Once the Hardware info page opens click on Help menu and either select "Open HardInfo Website" or "Report bug", it will open an unrestricted terminal where user can click on File menu -> New Tab/New window. And root level terminal will be open.

Both the vulnerabilities are closed in latest version of CRM OS 1.1 and latest.

Enjay CRM interface:


------------------------------------------Method # 1----------------------------------------------------
Technical Details:

1. Terminal Access with Ping menu:

The software's feature to ping a host inadvertently allows users to escape the restricted terminal environment, granting unauthorized access to the underlying operating system or full terminal access.

Click on Ping Button input any IP and number of pings.


Once user click on Ping button it will open a terminal which can be escaped and New terminal can be open as a root permission as shown below.


And it will open another terminal as shown below.



------------------------------------------Method # 2----------------------------------------------------

Technical Details:

2. Terminal Access with Hardware info menu:

The Software allow readonly access to check the OS/Hardware and other information using Hardinfo software, However there an option of "reporting bug" or "opening Hardinfo website". Since there is no browser installed in the OS these option by default opens the terminal using it we can access the restricted terminal.


Click on Hardware info it will popup the info software. Click on Hardinfo website or Report bug.

It will open the Terminal, in this terminal user can click on File menu -> New Tab/New window. And root level terminal will be open.


Root terminal is opened.


Thanks

Comments

Post a Comment

Popular posts from this blog

GRANDING UTime Master - IDOR (CVE-2023-45393)

By -
Image
  Hi All, I was able to identify IDOR Vulnerability in one online attendance system i.e. GRANDING UTime Master (v  UTime Master_9.0.7-Build:Apr 4,2023 ).  CVE ID: CVE-2023-45393 UTime Master is a powerful web-based time and attendance management software that provides a stable connection to GRANDING’s standalone push communication devices by Ethernet/Wi-Fi/GPRS/3G and working as a private cloud to offer employee self-service by mobile application and web browser. Using IDOR any user of the application can fetch Logs which are only meant to be accessible to administrators only. These logs also contains sensitive information like user password which is used to do the attendance by employees. Login to UTime Master using any account. Capture the request in burpsuite with the valid cookies. modify the URL to "/base/adminlog/table/?page=1&limit=200" Forward the request and it will fetch all the admin logs. IDOR has been fixed in latest versions after 9.0.7-Build:Apr 4,2023.
Read more

GRANDING UTime Master - Stored XSS (CVE-2023-45391)

By -
Image
  Hi All, I was able to identify stored XSS in one online attendance system i.e. GRANDING UTime Master (v  UTime Master_9.0.7-Build:Apr 4,2023 ). CVE ID: CVE-2023-45391 UTime Master is a powerful web-based time and attendance management software that provides a stable connection to GRANDING’s standalone push communication devices by Ethernet/Wi-Fi/GPRS/3G and working as a private cloud to offer employee self-service by mobile application and web browser. Login to UTime Master using admin account Click on Personnel > Employee Management >Employee Select Any employee or create a new employee In First name Section embed you payload. For test case I used "/><img src=a onerror=alert(22)> XSS payload embedded in EMP NAME field. Save the employee details, Once the page refreshed it will execute your payload. our payload executed successfully. I have also observed multiple other fields are also vulnerable to XSS e.g. Device Name, Department etc. XSS has been fixed in la
Read more

Ericsson BSCS iX R18 Billing & Rating (ADMX, MX) - Stored XSS (CVE-2020-29144, CVE-2020-29145)

By -
Image
Dear Reader, I was able to identify stored XSS in multiple web base modules of Ericsson BSCS iX R18 Billing & Rating platform  Below are its details: # Software description: Ericsson Billing is a convergent billing solution for telecoms that combines an unrivaled combination of out-of-the box features and high configurability. As an evolution of the widely-installed Ericsson BSCS iX, Ericsson Billing provides a low-risk but effective route to capture and secure revenue streams and take advantage of business opportunities from both traditional telecom services as well as digital services, 5G and IoT. # Technical Details & Impact: There are multiple web base modules in BSCS iX e.g. ADMX, MX (monitoring center), CX etc. It was observed that ADMX and MX are vulnerable to stored XSS, In most test cases session hijacking was also possible by utilizing the XSS vulnerability. This potentially allows for full account takeover, or exploiting admin's browsers using beef
Read more