Nuuo Central Management Server User Session Token Bruteforce
| Disclosed | Created |
|---|---|
| Oct 11, 2018 | Mar 19, 2019 |
Description
Nuuo Central Management Server below version 2.4 has a flaw where it sends the
heap address of the user object instead of a real session number when a user logs
in. This can be used to reduce the keyspace for the session number from 10 million
to 1.2 million, and with a bit of analysis it can be guessed in less than 500k tries.
This module does exactly that: it uses a computed occurrence table to try the most common
combinations, up to 1.2 million, to guess a valid user session.
This session number can then be used to achieve code execution or download files; see
the other Nuuo CMS auxiliary and exploit modules.
Note that for this to work, a user has to be logged into the system.
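A defender-side check for the flaw class described above, as an added example that is not part of the module or of the original page: it measures per-bit bias in a sample of issued session numbers, showing how address-derived values fall far short of their nominal keyspace. The sample values, the 24-bit width and the function names are constructed assumptions, not Nuuo data.

```python
import math
import secrets

WIDTH = 24  # assumed bit width; 2**24 covers a nominal 10-million keyspace


def bit_profile(ids, width=WIDTH):
    """Return (stuck_bits, effective_bits) for a sample of session numbers.

    stuck_bits: bit positions that never change across the sample.
    effective_bits: sum of per-bit Shannon entropy, an upper bound on the
    entropy of the identifier (correlation between bits can only lower it).
    """
    n = len(ids)
    stuck, effective = [], 0.0
    for pos in range(width):
        ones = sum((v >> pos) & 1 for v in ids)
        p = ones / n
        if p in (0.0, 1.0):
            stuck.append(pos)
            continue
        effective += -(p * math.log2(p) + (1 - p) * math.log2(1 - p))
    return stuck, effective


def audit(ids, min_bits, width=WIDTH):
    """Fail the sample if any bit is stuck or the entropy bound is too low."""
    stuck, effective = bit_profile(ids, width)
    return {"stuck": stuck, "effective_bits": effective,
            "ok": not stuck and effective >= min_bits}


# Constructed sample: 16-byte-aligned addresses inside one 64 KiB region,
# standing in for identifiers derived from heap object addresses.
POINTER_LIKE = [0xA30000 + 16 * ((i * 37) % 4096) for i in range(2000)]

# Constructed sample: identifiers drawn from the OS CSPRNG.
CSPRNG = [secrets.randbelow(2 ** WIDTH) for _ in range(5000)]

if __name__ == "__main__":
    for name, sample in (("pointer-like", POINTER_LIKE), ("csprng", CSPRNG)):
        r = audit(sample, min_bits=WIDTH - 1)
        print(f"{name}: stuck={r['stuck']} "
              f"bits<={r['effective_bits']:.1f} ok={r['ok']}")
```

Run against identifiers captured from a test login loop, a failing audit means the session value is structured rather than random and should be replaced with a CSPRNG-generated token.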
Author
Pedro Ribeiro
Platform
Windows
References
Module Options
To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':