CVE-2023-0777
published 2023-02-10CVE-2023-0777: Authentication Bypass by Primary Weakness in GitHub repository modoboa/modoboa prior to 2.0.4.
PriorityP269critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
EXPLOIT
EPSS
15.09%
96.3th percentile
Authentication Bypass by Primary Weakness in GitHub repository modoboa/modoboa prior to 2.0.4.
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| concrete5 | concrete5 | >= 0 < 8.5.13 | 8.5.13 |
| concrete5 | concrete5 | >= 9.0.0 < 9.2.2 | 9.2.2 |
| modoboa | modoboa | < 2.0.4 | 2.0.4 |
| modoboa | modoboa | >= 0 < 2.0.4 | 2.0.4 |
| modoboa | modoboa | >= 0 < 47d17ac6643f870719691073956a26e4be0a4806 | 47d17ac6643f870719691073956a26e4be0a4806 |
| modoboa | modoboa_modoboa | >= unspecified < 2.0.4 | 2.0.4 |
Detection & IOCsextracted from sources · hover to see the quote
- →Detect exploit attempts by matching POST requests to /api/v2/token/ with multipart/form-data Content-Type using the specific boundary string '25524418606542250161357131552' and User-Agent 'Anonymous'. ↗
- →Alert on successful authentication (HTTP 200) to /api/v2/token/ followed by access to /dashboard/ containing 'Hello admin' — indicates successful admin takeover via default credentials. ↗
- →Identify Modoboa instances exposed on the internet using Shodan query 'html:"Modoboa"' or favicon hash 1949005079, which are potential targets for this exploit. ↗
- →The exploit uses default credentials (username: admin, password: password) against the /accounts/login/ endpoint with a CSRF token extracted from the login page — monitor for login attempts with these credentials. ↗
- →The exploit performs brute-force at a rate-limited ~50 requests/second against /api/v2/token/ — monitor for high-frequency POST requests to this endpoint from a single source IP. ↗
- ·The vulnerability affects modoboa versions prior to 2.0.4 only; patched in commit 47d17ac6643f870719691073956a26e4be0a4806. ↗
CVSS provenance
nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv3.08.6HIGHCVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
vendor_redhat3.9LOW
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
Concrete CMS allows unauthorized access because directories can be created with insecure permissions
ghsa·2023-11-17
CVE-2023-48648 [MEDIUM] Concrete CMS allows unauthorized access because directories can be created with insecure permissions
Concrete CMS allows unauthorized access because directories can be created with insecure permissions
Concrete CMS before 8.5.13 and 9.x before 9.2.2 allows unauthorized access because directories can be created with insecure permissions. File creation functions (such as the Mkdir() function) gives universal access (0777) to created folders by default. Excessive permissions can be granted when creating a directory with permissions greater than 0755 or when the permissions argument is not specified.
GHSA
Authentication Bypass in modoboa
ghsa·2023-02-10
CVE-2023-0777 [CRITICAL] CWE-305 Authentication Bypass in modoboa
Authentication Bypass in modoboa
Authentication Bypass by Primary Weakness in GitHub repository modoboa/modoboa prior to 2.0.4.
OSV
Authentication Bypass in modoboa
osv·2023-02-10
CVE-2023-0777 [CRITICAL] Authentication Bypass in modoboa
Authentication Bypass in modoboa
Authentication Bypass by Primary Weakness in GitHub repository modoboa/modoboa prior to 2.0.4.
OSV
CVE-2023-0777: Authentication Bypass by Primary Weakness in GitHub repository modoboa/modoboa prior to 2
osv·2023-02-10
CVE-2023-0777 CVE-2023-0777: Authentication Bypass by Primary Weakness in GitHub repository modoboa/modoboa prior to 2
Authentication Bypass by Primary Weakness in GitHub repository modoboa/modoboa prior to 2.0.4.
Red Hat
libarchive: Race condition in multi-threaded use of archive_write_disk_header() on posix based systems
vendor_redhat·2023-05-29·CVSS 3.9
CVE-2023-30571 [LOW] CWE-362 libarchive: Race condition in multi-threaded use of archive_write_disk_header() on posix based systems
libarchive: Race condition in multi-threaded use of archive_write_disk_header() on posix based systems
Libarchive through 3.6.2 can cause directories to have world-writable permissions. The umask() call inside archive_write_disk_posix.c changes the umask of the whole process for a very short period of time; a race condition with another thread can lead to a permanent umask 0 setting. Such a race condition could lead to implicit directory creation with permissions 0777 (without the sticky bit), which means that any low-privileged local user can delete and rename files inside those directories.
A vulnerability was found in libarchive. This issue can cause a race condition in a multi-threaded use of archive_write_disk_header() on posix based systems, which could allow implicit directory cre
No detection rules found.
Exploit-DB
modoboa 2.0.4 - Admin TakeOver
exploitdb·2023-04-06·CVSS 9.8
CVE-2023-0777 [CRITICAL] modoboa 2.0.4 - Admin TakeOver
modoboa 2.0.4 - Admin TakeOver
---
/* # Exploit Title: modoboa 2.0.4 - Admin TakeOver
# Description: Authentication Bypass by Primary Weakness
# Date: 02/10/2023
# Software Link: https://github.com/modoboa/modoboa
# Version: modoboa/modoboa prior to 2.0.4
# Tested on: Arch Linux
# Exploit Author: 7h3h4ckv157
# CVE: CVE-2023-0777
*/
package main
import (
"fmt"
"io/ioutil"
"net/http"
"os"
"strings"
"time"
)
func main() {
fmt.Println("\n\t*** ADMIN TAKEOVER ***\n")
host := getInput("Enter the target host: ")
username := getInput("Enter the Admin's Name: ")
passwordFile := getInput("Provide the path for Password-Wordlist: ")
passwords, err := readLines(passwordFile)
if err != nil {
fmt.Println("Error reading password file:", err)
os.Exit(1)
}
for _, password := range passwords {
data
Nuclei
modoboa 2.0.4 - Admin TakeOver
nuclei·CVSS 9.8
CVE-2023-0777 [CRITICAL] modoboa 2.0.4 - Admin TakeOver
modoboa 2.0.4 - Admin TakeOver
Authentication Bypass by Primary Weakness in GitHub repository modoboa/modoboa prior to 2.0.4.
Template:
id: CVE-2023-0777
info:
name: modoboa 2.0.4 - Admin TakeOver
author: r3Y3r53
severity: critical
description: |
Authentication Bypass by Primary Weakness in GitHub repository modoboa/modoboa prior to 2.0.4.
impact: |
Unauthenticated attackers can exploit authentication bypass using default credentials to gain administrator access and completely compromise Modoboa email server installations.
remediation: update to version 2.0.4
reference:
- https://huntr.dev/bounties/a17e7a9f-0fee-4130-a522-5a0466fc17c7/
- http://packetstormsecurity.com/files/171744/modoboa-2.0.4-Admin-Takeover.html
- https://github.com/modoboa/modoboa/commit/47d17ac6643f870719691073956a
Nuclei
Cloudpanel 2 < 2.3.1 - Remote Code Execution
nuclei·CVSS 9.8
CVE-2023-35885 [CRITICAL] Cloudpanel 2 < 2.3.1 - Remote Code Execution
Cloudpanel 2
- |
POST /file-manager/backend/permissions HTTP/1.1
Host: {{Hostname}}
Cookie: clp-fm={{session}}
Content-Type: application/x-www-form-urlencoded
id=/htdocs/app/files/public/{{str1}}.php&permissions=0777
- |
GET /{{str1}}.php HTTP/1.1
Host: {{Hostname}}
matchers:
- type: word
part: body_5
words:
- '{{md5(string)}}'
# digest: 490a00463044022029050df548594620337fb82a5523c2ccd3b3f55e7c5a6e7e41740e7f148d193602203d47844ccb146136285b9047ee3297895d8e5e5dcea79b470a3c062b0dfa7e4d:922c64590222798bb761d5b6d8e72950
http://packetstormsecurity.com/files/171744/modoboa-2.0.4-Admin-Takeover.htmlhttps://github.com/modoboa/modoboa/commit/47d17ac6643f870719691073956a26e4be0a4806https://huntr.dev/bounties/a17e7a9f-0fee-4130-a522-5a0466fc17c7http://packetstormsecurity.com/files/171744/modoboa-2.0.4-Admin-Takeover.htmlhttps://github.com/modoboa/modoboa/commit/47d17ac6643f870719691073956a26e4be0a4806https://huntr.dev/bounties/a17e7a9f-0fee-4130-a522-5a0466fc17c7
2023-02-10
Published