CVE-2022-22832
Published 2022-02-06
CVE-2022-22832: An issue was discovered in Servisnet Tessa 0.0.2. Authorization data is available via an unauthenticated /data-service/users/ request.
Priority: P2 70 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 14.06% (96.1th percentile)
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| servisnet | tessa | — | — |
Detection & IOCs
- Detect unauthenticated GET requests to /data-service/users/ (no Authorization header required); any such request leaking user data indicates exploitation of CVE-2022-22832.
- Monitor for GET requests to /js/app.js followed by requests to /data-service/users/<id>: this is the recon pattern used by the exploit to extract usersessionid values.
- Detect POST requests to the users endpoint containing the hardcoded encrypted password value 'hxZ8I33nmy9PZNhYhms/Dg==' in the JSON body: this is the fixed password used by the exploit to create a rogue sysadmin account.
- Alert on Authorization header construction pattern: base64-encoded 'username:usersessionid' used as a Basic token to impersonate admin users without knowing their password.
- Detect POST requests to /api/auth/signin followed immediately by enumeration of /data-service/users/<incrementing numeric IDs>: this indicates a privilege escalation attempt via session hijacking.
- Flag responses from /data-service/users/<id> containing the string 'Sistem Admin': the exploit specifically searches for this role name to identify admin accounts to hijack.
- Detect new user creation POST requests to the users endpoint where role_id=1 and role_name='Sistem Admin': this is the payload used to add a rogue sysadmin.
- The exploit requires an active admin session (usersessionid) to be present. If no admin is currently logged in, the privilege escalation step will fail. Detection based on session hijacking may miss attempts made during off-hours.
- The exploit enumerates user IDs numerically starting from 0 up to the attacker's own userid, so detection rules should account for sequential GET requests to /data-service/users/<n> from the same source IP.
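Three of the request-side rules above (unauthenticated reads of the users endpoint, /js/app.js followed by a users request, and sequential ID enumeration from one source) can be checked in a single pass over request logs. The following is an added example, not taken from the page's sources; the record schema, the finding names, and the `window` and `min_run` thresholds are assumptions, and the sample records are constructed.

```python
import re
from collections import defaultdict

# Constructed sample records (not real traffic). Assumed log schema:
# (epoch_seconds, source_ip, method, path, authorization_header_present)
SAMPLE = [
    (100, "198.51.100.7", "GET", "/js/app.js", False),
    (101, "198.51.100.7", "GET", "/data-service/users/", False),
    (102, "198.51.100.7", "GET", "/data-service/users/0", True),
    (103, "198.51.100.7", "GET", "/data-service/users/1", True),
    (104, "198.51.100.7", "GET", "/data-service/users/2", True),
    (105, "198.51.100.7", "GET", "/data-service/users/3", True),
    (200, "192.0.2.10", "GET", "/data-service/users/42", True),
    (260, "192.0.2.10", "GET", "/js/app.js", True),
]

USERS = re.compile(r"^/data-service/users/(\d*)$")

def detect(records, window=60, min_run=4):
    """Return a sorted list of (source_ip, finding) tuples."""
    findings = set()
    last_appjs = {}                        # src -> time of last /js/app.js fetch
    run = defaultdict(lambda: (None, 0))   # src -> (last user id, run length)
    for ts, src, method, path, has_auth in sorted(records):
        if method != "GET":
            continue
        if path == "/js/app.js":
            last_appjs[src] = ts
            continue
        m = USERS.match(path)
        if not m:
            continue
        # Rule 1: users endpoint read without any Authorization header.
        if not has_auth:
            findings.add((src, "unauthenticated-users-read"))
        # Rule 2: app.js fetched shortly before a users request, same source.
        if src in last_appjs and ts - last_appjs[src] <= window:
            findings.add((src, "appjs-then-users"))
        # Rule 3: consecutive numeric IDs requested by the same source.
        if m.group(1):
            uid = int(m.group(1))
            prev, length = run[src]
            length = length + 1 if prev is not None and uid == prev + 1 else 1
            run[src] = (uid, length)
            if length >= min_run:
                findings.add((src, "sequential-id-enumeration"))
    return sorted(findings)
```

Most default access-log formats do not record whether an Authorization header was present, so rule 1 needs that field added to the proxy or application log.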
CVSS provenance
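| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |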
No detection rules found.
Exploit-DB
Servisnet Tessa - Privilege Escalation (Metasploit)
exploitdb·2022-02-04·CVSS 9.8
CVE-2022-22833 [CRITICAL] Servisnet Tessa - Privilege Escalation (Metasploit)
---
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule 'Servisnet Tessa - Privilege Escalation (Metasploit)',
'Description' => %q(
This module exploits privilege escalation in Servisnet Tessa, triggered by adding a new sysadmin user with any user authorization.
An API request to "/data-service/users/[userid]" with any low-authority user returns other users' information in response.
The encrypted password information is included here, but privilege escalation is possible with the active sessionid value.
var token = Buffer.from(`${user.username}:${user.usersessionid}`, 'utf8').toString('base64');
The logic required for the Authoriz
Exploit-DB
Servisnet Tessa - MQTT Credentials Dump (Unauthenticated) (Metasploit)
exploitdb·2022-02-04·CVSS 7.5
CVE-2022-22832 [HIGH] Servisnet Tessa - MQTT Credentials Dump (Unauthenticated) (Metasploit)
---
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'metasploit/framework/credential_collection'
require 'metasploit/framework/login_scanner/mqtt'
class MetasploitModule 'Servisnet Tessa - MQTT Credentials Dump (Unauthenticated) (Metasploit)',
'Description' => %q(
This module exploits MQTT creds dump vulnerability in Servisnet Tessa.
The app.js is publicly available which acts as the backend of the application.
By exposing a default value for the "Authorization" HTTP header,
it is possible to make unauthenticated requests to some areas of the application.
Even MQTT(Message Queuing Telemetry Transport) protocol connectio
No writeups or analysis indexed.
- http://packetstormsecurity.com/files/165873/Servisnet-Tessa-Privilege-Escalation.html
- http://www.servisnet.com.tr/en/page/products
- https://www.exploit-db.com/exploits/50712
- https://www.pentest.com.tr/exploits/Servisnet-Tessa-Privilege-Escalation.html
Published: 2022-02-06