Search for hundreds of thousands of exploits

"BSA Radar 1.6.7234.24750 - Authenticated Privilege Escalation"

Author

Exploit author

"William Summerhill"

Platform

Exploit platform

multiple

Release date

Exploit published date

2020-07-07

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
# Exploit Title: BSA Radar 1.6.7234.24750 - Authenticated Privilege Escalation
# Date: 2020-07-06
# Exploit Author: William Summerhill
# Vendor homepage: https://www.globalradar.com/
# Version: BSA Radar - Version 1.6.7234.24750 and lower
# CVE-2020-14945 - Privilege Escalation
Description: A privilege escalation vulnerability exists within Global RADAR BSA Radar 1.6.7234.X that allows an authenticated, low-privileged user to escalate their privileges to administrator rights (i.e. the "BankAdmin" role) via a forged request to the SaveUser API.

Proof of Concept:
	The privilege escalation is achieved by saving the response of the GetUser request (from clicking the username in the top right). When this profile is saved it will send a request to the SaveUserProfile endpoint. This response can be saved and modified (while updating it as needed to escalate privileges to BankAdmin role) then sent to the SaveUser endpoint which is the endpoint used for admins to update privileges of any user. After successful privilege escalation, a user can then access the Administration features and modify the application or accounts, cause further damage to the application and users, or exfiltrate application data.

	HTTP Request PoC:
		POST /WS/AjaxWS.asmx/SaveUser

		{"user":
		{"UserID":<CURRENT USER ID>,"Username":"...","Firstname":"...","Lastname":"...","Email":"...","BranchID":"...","Role":"BANKADMIN","WireLimit":"XXXXXXX","BankID":"...","Permissions":["XXXXXXXXXXXXXXX"], <REMAINDER OF REQUEST HERE> } }

	The Role, WireLimit and Permissions parameters can be forged to forcefully change your current user permissions to elevate them to a higher role such as BankAdmin with full account modification permissions. 
	
Tested on: Windows

CVE: CVE-2020-14945

Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14945
Release DateTitleTypePlatformAuthor
2020-07-26"Sickbeard 0.1 - Cross-Site Request Forgery (Disable Authentication)"webappsmultiplebdrake
2020-07-26"Socket.io-file 2.0.31 - Arbitrary File Upload"webappsmultipleCr0wTom
2020-07-26"Bludit 3.9.2 - Directory Traversal"webappsmultiple"James Green"
2020-07-26"INNEO Startup TOOLS 2018 M040 13.0.70.3804 - Remote Code Execution"webappsmultiple"Patrick Hener"
2020-07-26"Bio Star 2.8.2 - Local File Inclusion"webappsmultiple"SITE Team"
2020-07-22"Sophos VPN Web Panel 2020 - Denial of Service (Poc)"webappsmultiple"Berk KIRAS"
2020-07-22"Docsify.js 4.11.4 - Reflective Cross-Site Scripting"webappsmultiple"Amin Sharifi"
2020-07-14"Trend Micro Web Security Virtual Appliance 6.5 SP2 Patch 4 Build 1901 - Remote Code Execution (Metasploit)"webappsmultiple"Mehmet Ince"
2020-07-14"BSA Radar 1.6.7234.24750 - Local File Inclusion"webappsmultiple"William Summerhill"
2020-07-07"BSA Radar 1.6.7234.24750 - Authenticated Privilege Escalation"webappsmultiple"William Summerhill"
Release DateTitleTypePlatformAuthor
2020-07-14"BSA Radar 1.6.7234.24750 - Local File Inclusion"webappsmultiple"William Summerhill"
2020-07-08"BSA Radar 1.6.7234.24750 - Cross-Site Request Forgery (Change Password)"webappshardware"William Summerhill"
2020-07-07"BSA Radar 1.6.7234.24750 - Authenticated Privilege Escalation"webappsmultiple"William Summerhill"
2020-06-24"BSA Radar 1.6.7234.24750 - Persistent Cross-Site Scripting"webappsmultiple"William Summerhill"
import requests
response = requests.get('https://www.nmmapper.com/api/exploitdetails/48649/?format=json')

For full documentation follow the link above

Cipherscan. A very simple way to find out which SSL ciphersuites are supported by a target.

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.