Advertisement






CITSmart ITSM 9.1.2.22 LDAP Injection

CVE Category Price Severity
CVE-2020-35775 CWE-90 $500 High
Author Risk Exploitation Type Date
Unknown Critical Remote 2021-04-15
CPE
cpe:cpe:/a:citsmart:itsm:9.1.2.22
CVSS EPSS EPSSP
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H 0.0214 0.49884

CVSS vector description

Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2021040082

Below is a copy:

CITSmart ITSM 9.1.2.22 LDAP Injection
# Exploit Title: CITSmart ITSM 9.1.2.22 - LDAP Injection
# Google Dork: "citsmart.local"
# Date: 29/12/2020
# Exploit Author: skysbsb
# Vendor Homepage: https://docs.citsmart.com/pt-br/citsmart-platform-9/get-started/about-citsmart/release-notes.html
# Version: < 9.1.2.23
# CVE : CVE-2020-35775

To exploit this flaw it is necessary to have at least one user/password previously registered, because the system checks (ldap bind) the first user returned in the ldap search. However, it returns the last user found in the search to the function that called it (logic error).

So, I call this problem an LDAP injection in conjunction with a programming logic error that allows you to authenticate to CITSmart ITSM with another valid user without needing to know the target user's password.

Affected versions: < 9.1.2.23
Fixed versions: >= 9.1.2.23

Using this LDAP query in the username field of login page you could login with the target_username account without knowing the target account password.

*)(|(sAMAccountName=valid_username)(sAMAccountName=target_username)

You must know at least one username/password because the autenticacaoAD() function at LDAPUtils.java class (package br.com.centralit.citcorpore.integracao.ad) will try to bind with the first user (valid_username) of the query result.

Vendor has acknowledge this vulnerability at ticket 5929 (https://docs.citsmart.com/pt-br/citsmart-platform-9/get-started/about-citsmart/release-notes.html)

Copyright ©2024 Exploitalert.

This information is provided for TESTING and LEGAL RESEARCH purposes only.
All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use and Privacy Policy and Impressum