Technical Advisory – ICTFAX 7-4 – Indirect Object Reference

Vendor: ICTFAX
Vendor URL: https://www.ictfax.org
Versions affected: ICTFax Version 4.0.2
Author: Derek Stoeckenius

Summary

ICTFax is fax to email software maintained by ICTInnovations. In version 7-4 of this product, available through the CentOS software repository, an indirect object reference allows a user of any privilege level to change the password of any other user within the application – including administrators.

Impact

Successful exploitation of this vulnerability can allow a low-privilege user to access both administrative functions and user data from arbitrary users within the application.

Details

The application does not require the user to re-enter a password to change passwords within the application. The application uses sequential numbering to refer to users within the application for the purposes of altering passwords.

To replicate this issue:

1. Login to the application as a “user”

2. Replace the [bearer token] with a valid token from an authenticated user

3. Alter the [usernumber] field to a valid numerical user within the application.

Recommendation

ICTFax should require a user re-enter a password before making password changes within the application.

Vendor Communication

4/12/21 NCC Group made initial contact with ICT Innovations via their ticket system
4/13/21 Ticket assigned
4/16/21 NCC Group requested that communication continues via secure comms
4/23/21 ICT Innovations response asking NCC to email a head developer
4/27/21 NCC emails the head developer letting them know we would like to start a disclosure
5/1/21 No response from ICT Innovations so NCC opens up the original ticket requesting direction from ICT Innovations
6/1/21 No response from the ticket system so NCC reach's out to head developer again explaining that NCC would like to start a disclosure, citing our disclosure policy 
7/7/21 NCC reaches out to ICT Innovations via email and their ticketing system, and informs them that we intend to publish the advisory on our blog in one week 
7/22/21 Advisory published

About NCC Group

NCC Group is a global expert in cybersecurity and risk mitigation, working with businesses to protect their brand, value and reputation against the ever-evolving threat landscape. With our knowledge, experience and global footprint, we are best placed to help businesses identify, assess, mitigate & respond to the risks they face. We are passionate about making the Internet safer and revolutionizing the way in which organizations think about cybersecurity.

Published date: July 22 2021
Written by: Derek Stoeckenius

Published July 22, 2021July 22, 2021