Vendor: ICTFAX Vendor URL: https://www.ictfax.org Versions affected: ICTFax Version 4.0.2 Author: Derek Stoeckenius
ICTFax is fax to email software maintained by ICTInnovations. In version 7-4 of this product, available through the CentOS software repository, an indirect object reference allows a user of any privilege level to change the password of any other user within the application – including administrators.
Successful exploitation of this vulnerability can allow a low-privilege user to access both administrative functions and user data from arbitrary users within the application.
The application does not require the user to re-enter a password to change passwords within the application. The application uses sequential numbering to refer to users within the application for the purposes of altering passwords.
To replicate this issue:
1. Login to the application as a “user”
2. Replace the [bearer token] with a valid token from an authenticated user
3. Alter the [usernumber] field to a valid numerical user within the application.
ICTFax should require a user re-enter a password before making password changes within the application.
4/12/21 NCC Group made initial contact with ICT Innovations via their ticket system 4/13/21 Ticket assigned 4/16/21 NCC Group requested that communication continues via secure comms 4/23/21 ICT Innovations response asking NCC to email a head developer 4/27/21 NCC emails the head developer letting them know we would like to start a disclosure 5/1/21 No response from ICT Innovations so NCC opens up the original ticket requesting direction from ICT Innovations 6/1/21 No response from the ticket system so NCC reach's out to head developer again explaining that NCC would like to start a disclosure, citing our disclosure policy 7/7/21 NCC reaches out to ICT Innovations via email and their ticketing system, and informs them that we intend to publish the advisory on our blog in one week 7/22/21 Advisory published
About NCC Group
NCC Group is a global expert in cybersecurity and risk mitigation, working with businesses to protect their brand, value and reputation against the ever-evolving threat landscape. With our knowledge, experience and global footprint, we are best placed to help businesses identify, assess, mitigate & respond to the risks they face. We are passionate about making the Internet safer and revolutionizing the way in which organizations think about cybersecurity.
Published date: July 22 2021
Written by: Derek Stoeckenius