Nuuo Central Management Server below version 2.4 has a flaw where it sends the heap address of the user object instead of a real session number when a user logs in. This can be used to reduce the keyspace for the session number from 10 million to 1.2 million, and with a bit of analysis it can be guessed in less than 500k tries. This Metasploit module does exactly that - it uses a computed occurrence table to try the most common combinations up to 1.2 million to try to guess a valid user session. This session number can then be used to achieve code execution or download files - see the other Nuuo CMS auxiliary and exploit modules. Note that for this to work a user has to be logged into the system.
c1949e906b9cc342b13ee1e7b1d1b1bacca9af763cdde96f15a79d10f4355c4dNUUO CMS suffers from directory traversal, predictable session token, unauthenticated remote code execution, and various other vulnerabilities. Multiple metasploit modules included and various versions are affected by the various vulnerabilities.
273126839ae6bdeeeeb0b494ac7067a5ea7b4bb5683ea0378c2a64b28c581aee
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed