It has been over four months and I have yet to hear anything from the CVE MITRE team. I have made the vendor aware of this, and they acknowledged the issue, but they decided that it is a non-security issue since there is a dependency on the key length that would have to be brute-forced; so I decided to disclose it here on my blog.
Please note that I am not sure whether their most recent changes and updates fixed this issue, but at the time of discovery it essentially bypassed the “Self-registration” restriction put in place on the free version of WebADM, via HTTP smuggling.
Timeline

April 29, 2021 —
- Discovered HTTP smuggling vulnerability
- Looked around on the world wide web — nothing of a similar vulnerability had been disclosed
- Report created
- Vendor notified

April 30, 2021 —
- Vendor acknowledged and looked into it

May 3, 2021 —
- No response from vendor
- CVE submitted

July 28, 2021 —
- Writing of this article
In a regular workflow, two options are presented to the user: “Use self-service desk” and “self-registration”.

1. Navigate to the affected site (WebADM free version) and select “User Self-Registration” (https://webadm.client.com/selfreg/index.php). If it is restricted, this image will be presented:
2. In your browser, navigate to “User Self-Service Desk”, capture the request with Burp Suite and send it to Repeater.
3. Go back to the main page and once again select “User Self-Registration” while intercepting the request with Burp Suite.
4. Rather than your normal HTTP smuggling, modify the request by injecting the HTTP request of “Self-Service Desk” into the first half of the request, as follows, rather than after it:
5. The request will go through and the next page will be presented:
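As an added defensive illustration (not the author's payload and not WebADM's code), the following Python checks a raw HTTP/1.x request for request-smuggling indicators, including the shape described in step 4: a second request line placed in the header block of the outer request, alongside the usual Content-Length/Transfer-Encoding conflicts. The sample requests, the hostname and the /selfdesk-placeholder/ path are constructed for this example.

```python
import re

# A method/target/version line anywhere except the first line of a message
# is a smuggling indicator; HTTP/1.x never carries a second request line.
REQUEST_LINE = re.compile(rb"^(?:GET|POST|PUT|DELETE|HEAD|OPTIONS|PATCH) \S+ HTTP/1\.[01]$")


def parse_request(raw: bytes):
    """Split a raw HTTP/1.x message into (request line, header lines, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    return lines[0], lines[1:], body


def smuggling_indicators(raw: bytes) -> list[str]:
    """Return the smuggling indicators found in one raw request (empty list = none fired)."""
    _, header_lines, body = parse_request(raw)
    findings, headers = [], []
    for line in header_lines:
        # The post's variant: a request line injected into the first half (header block)
        if REQUEST_LINE.match(line):
            findings.append("request line embedded in header block: " + line.decode("latin-1"))
            continue
        name, _, value = line.partition(b":")
        headers.append((name.strip().lower(), value.strip()))
    cl = [v for n, v in headers if n == b"content-length"]
    te = [v for n, v in headers if n == b"transfer-encoding"]
    if cl and te:
        findings.append("both Content-Length and Transfer-Encoding present (CL.TE/TE.CL ambiguity)")
    if len(set(cl)) > 1:
        findings.append("conflicting duplicate Content-Length headers")
    if any(v.lower() != b"chunked" for v in te):
        findings.append("non-standard Transfer-Encoding value")
    if len(cl) == 1 and cl[0].isdigit() and int(cl[0]) != len(body):
        findings.append(f"Content-Length {cl[0].decode()} does not match body length {len(body)}")
    for line in body.split(b"\r\n"):
        # The classic variant: a second request smuggled after the headers, in the body
        if REQUEST_LINE.match(line):
            findings.append("request line embedded in body: " + line.decode("latin-1"))
    return findings


# Constructed sample traffic for the example; not the author's captured requests.
BENIGN = (b"POST /selfreg/index.php HTTP/1.1\r\nHost: webadm.client.com\r\n"
          b"Content-Length: 10\r\n\r\nuser=alice")
SUSPECT = (b"POST /selfreg/index.php HTTP/1.1\r\nHost: webadm.client.com\r\n"
           b"Content-Length: 4\r\nTransfer-Encoding: chunked\r\n"
           b"GET /selfdesk-placeholder/ HTTP/1.1\r\n\r\n0\r\n\r\n")
```

Running `smuggling_indicators` over proxy or WAF logs of raw requests to the self-registration endpoint surfaces requests shaped like the one in step 4; a front end that normalizes requests (rejecting CL+TE combinations and stray request lines) removes the ambiguity the bypass relies on.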
To weaponize this, an attacker could deploy a free version of WebADM (RCDevs) and observe the HTTP request schema/structure of how the OTP is normally submitted in a regular workflow. Should an attacker know the format of the OTP parameter, it may be feasible (or not) to brute-force the OTP and bypass the restriction implemented on the user self-registration function, allowing an attacker to register themselves on the application.