Gruppo TIM | CVE-2022-45177 – LiveBox Collaboration vDesk

CVE-2022-45177 – LiveBox Collaboration vDesk

Vulnerability Description: Observable Response Discrepancy – CWE-204

Software Version: ≤v031

NIST: https://nvd.nist.gov/vuln/detail/CVE-2022-45177

CVSv3: 7.5

Severity: High

Credits: Luca Borzacchiello, Andrea Carlo Maria Dattola, Massimiliano Ferraresi, Massimiliano Brolli

The Web application provides different responses to incoming requests in a way that reveals internal state information to an unauthorized actor outside of the intended control sphere.

Step-by-step instructions and PoC

An attacker, without authentication, through Collaboration vDesk, is able to understand the state of the server and the users inside through the "User Enumeration" vulnerability.

Affected Endpoints

· https://vdeskbridge.[REDACTED]/api/v1/vdeskintegration/user/isenableuser

· https://vdeskbridge.[REDACTED]/api/v1/sharedsearch?search=[NAME]+[SURNAME]

· https://vdesk.[REDACTED]/login

Below is the evidence with details of the vulnerability and the payloads used.

Payload used to exploit the vulnerability:

Figure 1 - Payload used to exploit the user enumeration vulnerability. By Iterating the username parameter, it is possible to verify, without any authentication, whether the user exists and can log in within the Collaboration vDesk system.

Click To Enlarge

Figure 2 - Pair of HTTP requests and responses showing how the user "secictma" exists

Click To Enlarge

Figure 3 - Figure demonstrating the existence of the user "secictma2"

Clik To Enlarge

Security Impact

A user can gain access to confidential information such as the presence of all users on the system by facilitating the password bruteforce phase or by exploiting other vulnerabilities such as "Multiple Broken Access Control".