
@merhawi023
Last active January 5, 2024 13:28
[description]
An issue was discovered in MK-AUTH 19.01. The web login functionality
allows an attacker to bypass authentication and gain client privileges
via SQL injection in central/executar_login.php.
------------------------------------------
[Additional Information]
The script central/executar_login.php constructs its SQL query poorly;
if the query is manipulated, access is gained without a password.
------------------------------------------
[Vulnerability Type]
Incorrect Access Control
------------------------------------------
[Vendor of Product]
mk-auth
------------------------------------------
[Affected Product Code Base]
mk-auth - 19.1
------------------------------------------
[Affected Component]
mk-auth web client login scripts
------------------------------------------
[Attack Type]
Remote
------------------------------------------
[CVE Impact Other]
Gain client access; get logged in as a client.
------------------------------------------
[Attack Vectors]
One need only send a well-crafted HTTP request.
------------------------------------------
[Discoverer]
Merhawi Solomon Gebrekidan (nitusan)
------------------------------------------
[Reference]
http://mk-auth.com.br/page/changelog-1
Use CVE-2020-14068.
[description]
An issue was discovered in MK-AUTH 19.01.
There are SQL injection issues in mkt/ PHP scripts, as demonstrated by
arp.php, dhcp.php, hotspot.php, ip.php, pgaviso.php,
pgcorte.php, pppoe.php, queues.php, and wifi.php.
------------------------------------------
[Additional Information]
mkt/arp.php, mkt/dhcp.php, mkt/hotspot.php, mkt/ip.php, mkt/pgaviso.php,
mkt/pgcorte.php, mkt/pppoe.php, mkt/queues.php, mkt/wifi.php and many
more endpoints directly append user-controlled data to SQL queries
and execute them.
------------------------------------------
[Vulnerability Type]
SQL Injection
------------------------------------------
[Vendor of Product]
mk-auth
------------------------------------------
[Affected Product Code Base]
mk-auth - 19.1
------------------------------------------
[Affected Component]
Multiple endpoints are vulnerable to SQLi because of shared code.
------------------------------------------
[Attack Type]
Physical
------------------------------------------
[Impact Code execution]
true
------------------------------------------
[Impact Denial of Service]
true
------------------------------------------
[Impact Information Disclosure]
true
------------------------------------------
[Attack Vectors]
A well-crafted HTTP request
------------------------------------------
[Discoverer]
Merhawi Solomon Gebrekidan (nitusan)
------------------------------------------
[Reference]
http://mk-auth.com.br/page/changelog-1
Use CVE-2020-14069.
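
Added example (not from the original gist and not MK-AUTH code) for the two SQL injection entries above, CVE-2020-14068 and CVE-2020-14069: a string-built query beside a parameterized login check. The clients table, its columns and both function names are assumptions, and the code runs against an in-memory SQLite database.

```php
<?php
// Added example. Table, column and function names are hypothetical;
// this is not MK-AUTH code. Uses an in-memory SQLite database via PDO.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE clients (login TEXT PRIMARY KEY, pass_hash TEXT NOT NULL)');
$db->prepare('INSERT INTO clients (login, pass_hash) VALUES (?, ?)')
   ->execute(["o'brien", password_hash('constructed-sample-pw', PASSWORD_DEFAULT)]);

// Weak pattern: the request value becomes part of the SQL text, so its
// quote characters are parsed as SQL syntax instead of data.
function find_client_concatenated(PDO $db, string $login): string
{
    try {
        $rows = $db->query("SELECT login FROM clients WHERE login = '$login'");
        return 'rows: ' . count($rows->fetchAll());
    } catch (PDOException $e) {
        return 'input altered the query structure: ' . $e->getMessage();
    }
}

// Hardened pattern: fixed statement text, bound value, and the password
// checked in PHP against a stored hash rather than inside the WHERE clause.
function login_parameterized(PDO $db, string $login, string $password): bool
{
    $stmt = $db->prepare('SELECT pass_hash FROM clients WHERE login = :login');
    $stmt->execute([':login' => $login]);
    $hash = $stmt->fetchColumn();
    return is_string($hash) && password_verify($password, $hash);
}

// Constructed inputs: a legitimate login name that happens to contain a quote.
echo find_client_concatenated($db, "o'brien"), PHP_EOL;
var_dump(login_parameterized($db, "o'brien", 'constructed-sample-pw'));
var_dump(login_parameterized($db, "o'brien", 'wrong-password'));
```

The same binding applies to the mkt/ endpoints: any identifier that cannot be bound, such as a column or sort order, should be selected from a fixed allowlist instead of being taken from the request.
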
[description]
An issue was discovered in MK-AUTH 19.01.
There is authentication bypass in the web login functionality
because guessable credentials to admin/executar_login.php result in
admin access.
------------------------------------------
[Additional Information]
The script admin/executar_login.php has a hard-coded user and a poor
password generation practice that can be easily replicated to gain access.
------------------------------------------
[Vulnerability Type]
Incorrect Access Control
------------------------------------------
[Vendor of Product]
mk-auth
------------------------------------------
[Affected Product Code Base]
mk-auth - 19.1
------------------------------------------
[Affected Component]
mk-auth web admin login scripts
------------------------------------------
[Attack Type]
Remote
------------------------------------------
[CVE Impact Other]
Gain admin access; get logged in as admin.
------------------------------------------
[Attack Vectors]
One need only send a well-crafted HTTP request.
------------------------------------------
[Discoverer]
Merhawi Solomon Gebrekidan (nitusan)
------------------------------------------
[Reference]
http://mk-auth.com.br/page/changelog-1
Use CVE-2020-14070.
[description]
An issue was discovered in MK-AUTH 19.01.
XSS vulnerabilities in admin and client scripts allow an
attacker to execute arbitrary JavaScript code.
------------------------------------------
[Additional Information]
Multiple endpoints take user-controlled inputs and echo them directly
back to the user without sanitization, resulting in a cross-site
scripting vulnerability.
------------------------------------------
[Vulnerability Type]
Cross Site Scripting (XSS)
------------------------------------------
[Vendor of Product]
mk-auth
------------------------------------------
[Affected Product Code Base]
mk-auth - 19.1
------------------------------------------
[Affected Component]
multiple admin and client scripts
------------------------------------------
[Attack Type]
Remote
------------------------------------------
[Impact Code execution]
true
------------------------------------------
[Impact Information Disclosure]
true
------------------------------------------
[CVE Impact Other]
xss can be used for a mu
------------------------------------------
[Attack Vectors]
A well-crafted HTTP request
------------------------------------------
[Discoverer]
Merhawi Solomon Gebrekidan (nitusan)
------------------------------------------
[Reference]
http://mk-auth.com.br/page/changelog-1
Use CVE-2020-14071.
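
Added example (not from the original gist and not MK-AUTH code) of output encoding matched to the place where a request value is written back into a page, which is the control missing in the XSS entry above. The helper names and the sample value are assumptions.

```php
<?php
// Added example. Helper names and the sample value are hypothetical;
// this is not MK-AUTH code.

// HTML text and quoted-attribute context.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Inline <script> context: JSON with <, >, &, ' and " emitted as \uXXXX
// escapes, so the value cannot end the string literal or the script element.
function js(string $value): string
{
    return json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

// URL attribute context: accept only http(s) links, then HTML-encode.
function safe_href(string $url): string
{
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    return in_array($scheme, ['http', 'https'], true) ? h($url) : '#';
}

// Constructed request value containing HTML-significant characters.
$name = '"Ana" <ana@example.test> & Co';

echo '<p>Hello, ', h($name), "</p>\n";
echo '<input name="q" value="', h($name), "\">\n";
echo '<script>var clientName = ', js($name), ";</script>\n";
echo '<a href="', safe_href('javascript:void(0)'), "\">profile</a>\n";
echo '<a href="', safe_href('https://example.test/?a=1&b=2'), "\">profile</a>\n";
```
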
[description]
An issue was discovered in MK-AUTH 19.01.
It allows command execution as root via shell metacharacters to /auth
admin scripts.
------------------------------------------
[Additional Information]
Multiple scripts inside the /auth path take user-controlled parameters
and append them to commands that are eventually executed with
shell_exec and exec, which results in remote root command execution.
------------------------------------------
[VulnerabilityType Other]
Shell Metacharacter Injection
------------------------------------------
[Vendor of Product]
mk-auth
------------------------------------------
[Affected Product Code Base]
mk-auth - 19.1
------------------------------------------
[Affected Component]
Multiple endpoints in the /admin directory (path) are vulnerable to
command execution.
------------------------------------------
[Attack Type]
Remote
------------------------------------------
[Impact Code execution]
true
------------------------------------------
[Attack Vectors]
A well-crafted HTTP request
------------------------------------------
[Discoverer]
Merhawi Solomon Gebrekidan (nitusan)
------------------------------------------
[Reference]
http://mk-auth.com.br/page/changelog-1
Use CVE-2020-14072.
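
Added example (not from the original gist and not MK-AUTH code) of the hardened form of the pattern in the command execution entry above: the parameter is validated as a literal IP address and the program is started from an argument vector with no shell. The ping use case and the function names are assumptions; the array form of proc_open() requires PHP 7.4 or later.

```php
<?php
// Added example. The ping use case and function names are hypothetical;
// this is not MK-AUTH code.

// Weak pattern, for comparison: shell_exec('ping -c 1 ' . $_GET['host'])
// hands one string to /bin/sh, which interprets metacharacters in the value.

// Step 1: validate against the narrowest type the feature needs.
function validated_ip(string $raw): string
{
    $ip = filter_var($raw, FILTER_VALIDATE_IP);
    if ($ip === false) {
        throw new InvalidArgumentException('host must be a literal IP address');
    }
    return $ip;
}

// Step 2: start the program from an argument vector, so no shell parses it.
function ping_once(string $raw): int
{
    $argv = ['ping', '-c', '1', validated_ip($raw)];
    $proc = proc_open($argv, [1 => ['pipe', 'w'], 2 => ['pipe', 'w']], $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start ping');
    }
    stream_get_contents($pipes[1]);   // drain output so the child can exit
    stream_get_contents($pipes[2]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    return proc_close($proc);         // exit status of ping
}

// Constructed inputs: one valid address, one value carrying shell syntax.
foreach (['127.0.0.1', '127.0.0.1; echo constructed'] as $input) {
    try {
        echo $input, ' => exit status ', ping_once($input), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo $input, ' => rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```

On PHP versions without the array form, escapeshellarg() on the validated value is the fallback. Since the entry reports execution as root, running the web worker under an unprivileged account limits what any remaining flaw can reach.
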

lopes84 commented Jan 5, 2024

Could you make the poc available?
