Technical Advisory – ICTFAX 7-4 – Indirect Object Reference
Vendor: ICTFAX
Vendor URL: https://www.ictfax.org
Versions affected: ICTFax Version 4.0.2
Author: Derek StoeckeniusSummary
ICTFax is fax to email software maintained by ICTInnovations. In version 7-4 of this product, available through the CentOS software repository, an indirect object reference allows a user of any privilege level to change the password of any other user within the application – including administrators.
Impact
Successful exploitation of this vulnerability can allow a low-privilege user to access both administrative functions and user data from arbitrary users within the application.
Details
The application does not require the user to re-enter a password to change passwords within the application. The application uses sequential numbering to refer to users within the application for the purposes of altering passwords.
To replicate this issue:
1. Login to the application as a “user”
2. Replace the [bearer token] with a valid token from an authenticated user
3. Alter the [usernumber] field to a valid numerical user within the application.
Recommendation
ICTFax should require a user re-enter a password before making password changes within the application.
Vendor Communication
4/12/21 NCC Group made initial contact with ICT Innovations via their ticket system
4/13/21 Ticket assigned
4/16/21 NCC Group requested that communication continues via secure comms
4/23/21 ICT Innovations response asking NCC to email a head developer
4/27/21 NCC emails the head developer letting them know we would like to start a disclosure
5/1/21 No response from ICT Innovations so NCC opens up the original ticket requesting direction from ICT Innovations
6/1/21 No response from the ticket system so NCC reach's out to head developer again explaining that NCC would like to start a disclosure, citing our disclosure policy
7/7/21 NCC reaches out to ICT Innovations via email and their ticketing system, and informs them that we intend to publish the advisory on our blog in one week
7/22/21 Advisory publishedAbout NCC Group
NCC Group is a global expert in cybersecurity and risk mitigation, working with businesses to protect their brand, value and reputation against the ever-evolving threat landscape. With our knowledge, experience and global footprint, we are best placed to help businesses identify, assess, mitigate respond to the risks they face. We are passionate about making the Internet safer and revolutionizing the way in which organizations think about cybersecurity.
Published date: July 22 2021
Written by: Derek Stoeckenius