During a VAPT engagement, I came across the eScan Management Console, version 14.0.1400.2281, which an organization was using to manage their endpoint security. While testing it, I found several vulnerabilities, and a few of them were serious enough to hand an attacker full control of the console.
Let me share some of the interesting CVEs that I discovered, with a short note on each, to keep this blog easy to read.
CVE-2023-33730: Privilege escalation
This vulnerability lived in the GetUserCurrentPwd function. While editing a user profile, the application returned the password of any user in plain text. By simply changing the UsrId parameter in the GET request, an attacker could read the credentials of any other user, including administrators. Because the server trusted the user id supplied by the client instead of the identity tied to the session, this made both vertical and horizontal privilege escalation possible.

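The root cause above is a classic broken object-level authorization check combined with returning a secret that should never leave the server. The following is an added example (my own hypothetical handler, not eScan's code) that puts the flawed pattern beside a corrected one: the fixed version binds authorization to the session identity, lets only administrators read other users' records, and never includes the password field at all. The user table, ids and hash placeholders are constructed for the example.

```python
"""Profile lookup: flawed pattern beside a hardened one (hypothetical code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    user_id: int
    name: str
    is_admin: bool
    password_hash: str  # stored only as a hash; must never be returned to a client


# Constructed user table standing in for the console's user store.
USERS = {
    1: User(1, "admin", True, "$argon2id$PLACEHOLDER-HASH-1"),
    7: User(7, "alice", False, "$argon2id$PLACEHOLDER-HASH-7"),
    9: User(9, "bob", False, "$argon2id$PLACEHOLDER-HASH-9"),
}


class Forbidden(Exception):
    """Raised when the caller is not allowed to read the requested record."""


def get_user_current_pwd_flawed(usr_id: int) -> dict:
    """The pattern behind the bug: the id comes straight from the request,
    no check against who is asking, and the credential is in the response."""
    u = USERS[usr_id]
    return {"UsrId": u.user_id, "Name": u.name, "Password": u.password_hash}


def get_user_profile(session_user_id: int, requested_usr_id: int) -> dict:
    """Hardened lookup.

    - The caller is identified by the server-side session, not by a parameter.
    - A non-admin may only read their own record (blocks horizontal escalation).
    - Only admins may read other records (blocks vertical escalation).
    - The credential field is never part of the response, for anyone.
    """
    caller = USERS[session_user_id]
    if caller.user_id != requested_usr_id and not caller.is_admin:
        raise Forbidden(f"user {session_user_id} may not read user {requested_usr_id}")
    target = USERS[requested_usr_id]
    return {"UsrId": target.user_id, "Name": target.name, "IsAdmin": target.is_admin}


if __name__ == "__main__":
    print(get_user_profile(7, 7))   # alice reads her own profile: allowed
    print(get_user_profile(1, 9))   # admin reads bob: allowed
    try:
        get_user_profile(7, 9)      # alice asks for bob's record: refused
    except Forbidden as e:
        print("refused:", e)
```

The point to take from the fix is that "who is asking" must come from the session and "what is returned" must be decided by the server, regardless of which identifier the client puts in the URL; a password-change flow should verify the current password server-side rather than ever hand it back.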
CVE-2023-33731: Reflected Cross-Site Scripting
A reflected XSS was present in the view dashboard detail feature. The type, subtype, and result parameters in the URL were reflected back without proper sanitization, so an attacker could inject malicious JavaScript through them. A victim who opened the crafted link could have their session cookie stolen, leading to account takeover.

CVE-2023-33732: Cross-Site Scripting in the policy form
The New Policy assignment feature carried the same problem. Parameters such as type and txtPolicyType accepted unsanitized input, which allowed an attacker to run JavaScript in the context of an administrator and steal their session.

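Both XSS findings (the dashboard detail parameters and the policy form parameters) share one fix, so here is a single added example covering both. It is my own hypothetical rendering code, not eScan's: the flawed function interpolates query parameters straight into HTML, the hardened one HTML-encodes every reflected value and restricts the type parameter to an allow-list, and a helper shows the HttpOnly session cookie that limits what a successful injection can steal. The parameter names follow the write-up; the allowed type values and the sample query string are constructed.

```python
"""Reflected parameters: flawed rendering beside a hardened one (hypothetical code)."""
import html
from urllib.parse import parse_qs

# Constructed allow-list of the values the page actually expects for "type".
ALLOWED_TYPES = {"virus", "update", "policy"}


def _first_values(query_string: str) -> dict:
    """Reduce a query string to {name: first value}."""
    return {k: v[0] for k, v in parse_qs(query_string).items()}


def render_detail_flawed(query_string: str) -> str:
    """The pattern behind the bug: raw parameter values land in the markup."""
    p = _first_values(query_string)
    return (f"<h2>{p.get('type', '')} / {p.get('subtype', '')}</h2>"
            f"<p>Result: {p.get('result', '')}</p>")


def render_detail(query_string: str) -> str:
    """Hardened rendering: allow-list the enumerated field, encode everything."""
    p = _first_values(query_string)
    page_type = p.get("type", "")
    if page_type not in ALLOWED_TYPES:          # reject anything not on the list
        page_type = "unknown"
    esc = lambda s: html.escape(s, quote=True)  # encodes < > & " ' for HTML context
    return (f"<h2>{esc(page_type)} / {esc(p.get('subtype', ''))}</h2>"
            f"<p>Result: {esc(p.get('result', ''))}</p>")


def session_cookie_header(token: str) -> str:
    """Defence in depth: HttpOnly keeps the session cookie out of reach of
    script, so even a successful injection cannot read it with document.cookie."""
    return f"Set-Cookie: session={token}; HttpOnly; Secure; SameSite=Lax; Path=/"


# Constructed request carrying a textbook script tag in the "result" parameter.
SAMPLE_QUERY = "type=virus&subtype=scan&result=%3Cscript%3Ealert(1)%3C%2Fscript%3E"

if __name__ == "__main__":
    print(render_detail_flawed(SAMPLE_QUERY))  # the tag survives into the page
    print(render_detail(SAMPLE_QUERY))         # the tag is rendered as text
    print(session_cookie_header("PLACEHOLDER-TOKEN"))
```

Output encoding has to match the context the value lands in (HTML body here; attributes, JavaScript and URLs each need their own encoder), and the allow-list is what turns "type" from free text into an enumeration, which is the stronger of the two controls for that parameter.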
Security software runs with high trust on our machines, so it deserves the same scrutiny we give to everything else.
These were not the only issues. I found multiple other vulnerabilities in the same product, tracked under CVEs such as CVE-2023-31702, CVE-2023-31703, and CVE-2023-34835 through CVE-2023-34838, but I will not list them all here to keep this short.
Peace out!
Sahil
Sahil Ojha