Related vulnerability
Title:
Kaiten security vulnerability
(CVE-2024-41276)
Description: Kaiten is an employee management platform from the Kaiten company. Kaiten versions 57.131.12 and earlier contain a security vulnerability that stems from allowing attackers to bypass the PIN code authentication mechanism; an attacker can carry out a brute-force attack to guess the correct PIN and gain unauthorized access to the application.
Introduction
# CVE-2024-41276 (Kaiten Authentication Bypass)
[Kaiten](https://kaiten.ru/) is a workflow management system.
A vulnerability in Kaiten allows attackers to bypass the PIN code authentication mechanism. The application requires users to input a 6-digit PIN code sent to their email for authorization after entering their login credentials. However, the request limiting mechanism can be easily bypassed, enabling attackers to perform a brute force attack to guess the correct PIN and gain unauthorized access to the application.
**Details:**
The authentication mechanism uses a single factor sent by e-mail, without any password :)
The rate limit can be bypassed by using the `X-Forwarded-For` header, which causes the `X-RateLimit-Remaining` counter to reset.

This method enables continued requests without receiving `HTTP 429 Too Many Requests` responses, which usually occur after multiple attempts.

There is also no limit on requesting a new PIN code, so an attacker can guess the PIN code with a brute-force attack. The PIN code expires after 5 minutes, so the attacker has 5 minutes to guess a 6-digit PIN code.
With **~150 RPS** an attacker can try **~45,000** PIN codes. By calculation, a 50% success probability is reached after 33 minutes and 100% after 4 hours.
**Vulnerable versions:**
`<= 57.131.12`
**Links:**
[CVE MITRE Description](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-41276)
[NVD CVE](https://nvd.nist.gov/vuln/detail/CVE-2024-41276)
## Usage
Simply download the bash script and run it with the selected username _(login only, not e-mail!)_
```bash
bash CVE-2024-41276.sh <input_user> <kaiten.example.com>
```
Result:
On success, a valid cookie is obtained for further use.

## Mitigation
- Update the Kaiten software to the latest version
- Implement a basic CAPTCHA or rate limits
- Temporarily block the IP address
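One way to implement the rate-limit mitigation above, as an added example that is not part of Kaiten or of this repository: the attempt budget is tied to the login and to the issued PIN rather than to a client-supplied `X-Forwarded-For` address, and PIN re-issue is throttled. The class and method names, the 5-attempt limit and the 60-second cooldown are assumptions; the 5-minute lifetime is from the advisory.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

PIN_TTL_SECONDS = 300          # PIN lifetime stated in the advisory: 5 minutes
MAX_ATTEMPTS_PER_PIN = 5       # assumed policy: burn the PIN after 5 wrong guesses
REISSUE_COOLDOWN_SECONDS = 60  # assumed policy: at most one new PIN per login per minute

@dataclass
class PinChallenge:
    pin: str
    issued_at: float
    attempts: int = 0

class PinVerifier:
    """Per-login PIN verification (constructed example). The attempt budget is keyed
    on the login and the issued PIN, so a client-controlled header such as
    X-Forwarded-For cannot reset it the way it resets a per-IP counter."""
    def __init__(self, clock=time.time):
        self.clock = clock  # injectable clock so the behaviour can be tested offline
        self.challenges: dict[str, PinChallenge] = {}
        self.last_issued: dict[str, float] = {}

    def issue_pin(self, login: str):
        """Return a fresh 6-digit PIN, or None while the re-issue cooldown is running."""
        now = self.clock()
        if now - self.last_issued.get(login, float("-inf")) < REISSUE_COOLDOWN_SECONDS:
            return None
        pin = f"{secrets.randbelow(10**6):06d}"
        self.challenges[login] = PinChallenge(pin, now)
        self.last_issued[login] = now
        return pin

    def verify(self, login: str, guess: str, headers: dict) -> str:
        """Check one guess. `headers` is accepted but deliberately not used for the budget."""
        ch = self.challenges.get(login)
        if ch is None:
            return "no_challenge"
        if self.clock() - ch.issued_at > PIN_TTL_SECONDS:
            del self.challenges[login]
            return "expired"
        ch.attempts += 1
        if ch.attempts > MAX_ATTEMPTS_PER_PIN:
            del self.challenges[login]  # burn the PIN; the user must request a new one
            return "locked"
        if hmac.compare_digest(ch.pin, guess):
            del self.challenges[login]  # a PIN is single use
            return "ok"
        return "wrong"
```

Because the budget lives on the challenge itself, changing the source address between requests does not buy additional guesses, and a burned PIN can only be replaced at the cooldown rate.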
File snapshot
[4.0K] /data/pocs/f242f1073b3bee9de8378c2e0b7bdb1adca5c544
├── [342K] brute_1.png
├── [123K] CVE-2024-41276_exploit.png
├── [2.9K] CVE-2024-41276.sh
├── [105K] no_limits.png
└── [1.9K] README.md
0 directories, 5 files