CVE-2023-33243
published 2023-06-15


Priority: P2 63
Severity: high, CVSS 3.1 base score 8.1
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 4.42% (90.1th percentile)
RedTeam Pentesting discovered that the web interface of STARFACE as well as its REST API allows authentication using the SHA512 hash of the password instead of the cleartext password. Storing password hashes instead of cleartext passwords in an application's database has become best practice to protect users' passwords in case of a database compromise, but this protection is rendered ineffective when the hash itself is accepted as a credential.

Affected

1 range

Vendor: starface
Product: starface
Version range: <= 7.3.0.10
Fixed in: (not listed)

Detection & IOCs (extracted from sources)

path:  js/prettifier.js
url:   /jsp/index.jsp
url:   /login
url:   /rest/login
other: secret=<login>:<SHA512(username+version+nonce+SHA512(password))>
  • Monitor POST requests to /login carrying a 'secret' parameter with a colon-separated value (username:hash) together with an 'ack' parameter: this is the pass-the-hash login pattern of the STARFACE web interface.
  • Monitor POST requests to /rest/login whose JSON body contains 'loginType', 'nonce' and 'secret' fields (username:hash format) and that carry the header 'X-Version: 2': this is the pass-the-hash login pattern of the STARFACE REST API.
  • Detect GET requests to /rest/login, which retrieve the nonce before a REST API pass-the-hash authentication attempt.
  • Alert on a successful authentication (Set-Cookie in the response) to /login immediately preceded by a GET to /jsp/index.jsp from the same session, especially when the 'secret' value after the colon has the length of a SHA512 hex digest (128 hex characters).
  • The JavaScript file js/prettifier.js is the client-side component that constructs the pass-the-hash 'secret' parameter; its presence and content can be used to fingerprint vulnerable STARFACE instances (versions 7.3.0.10 and earlier).
  • The attack requires prior knowledge of the SHA512 password hash (e.g. from database access or backup theft); it does not allow unauthenticated remote exploitation without the hash.
  • The partial fix in version 8.0.0.11 encrypts hashes before storing them in the database but does not fully remediate the vulnerability: an attacker with system-level access can extract the encryption key and decrypt the hashes.
  • When Active Directory login is enabled, a different code path (forAD.encode) is used; the SHA512 pass-the-hash technique applies only to the default non-AD login path.
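The detection rules above, as an added example that is not part of this advisory or of STARFACE's own code: a small Python matcher that applies the request-shape rules and the two sequence rules (nonce fetch followed by REST hash login; index.jsp load followed by a successful /login with Set-Cookie) to constructed, simplified request records. The record schema (timestamp, source address, method, path, request headers, body, response headers) and every value in the sample log are assumptions made for the example. Because the legitimate client in js/prettifier.js builds the same secret value, these rules match every hash-based login, not only attacker ones; treat the output as an exposure inventory and a hunting signal to correlate with unusual source addresses or sessions that never loaded the client-side JavaScript, rather than as a high-confidence alert on its own.

```python
import json
import re
from urllib.parse import parse_qs

# secret format from the advisory: <login>:<SHA512 hex digest>, i.e. 128 hex chars after the colon
SECRET_RE = re.compile(r"^[^:]+:[0-9a-fA-F]{128}$")

# Constructed sample records (not real STARFACE traffic); a simplified reverse-proxy log.
SAMPLE_LOG = [
    {"ts": 1, "src": "198.51.100.7", "method": "GET", "path": "/jsp/index.jsp",
     "headers": {}, "body": "", "resp_headers": {}},
    {"ts": 2, "src": "198.51.100.7", "method": "POST", "path": "/login",
     "headers": {"Content-Type": "application/x-www-form-urlencoded"},
     "body": "secret=alice%3A" + "a" * 128 + "&ack=1",
     "resp_headers": {"Set-Cookie": "JSESSIONID=constructed-session"}},
    {"ts": 3, "src": "203.0.113.9", "method": "GET", "path": "/rest/login",
     "headers": {}, "body": "", "resp_headers": {}},
    {"ts": 4, "src": "203.0.113.9", "method": "POST", "path": "/rest/login",
     "headers": {"X-Version": "2", "Content-Type": "application/json"},
     "body": json.dumps({"loginType": "constructed", "nonce": "constructed-nonce",
                         "secret": "bob:" + "b" * 128}),
     "resp_headers": {}},
    # Benign-looking form login without the secret/ack pair: must not match.
    {"ts": 5, "src": "192.0.2.4", "method": "POST", "path": "/login",
     "headers": {"Content-Type": "application/x-www-form-urlencoded"},
     "body": "username=carol&password=constructed", "resp_headers": {}},
]


def classify(rec):
    """Tag one request with the STARFACE login pattern it matches, or None."""
    method, path, body = rec["method"], rec["path"], rec.get("body", "")
    headers = {k.lower(): v for k, v in rec.get("headers", {}).items()}
    if method == "POST" and path == "/login":
        form = parse_qs(body)  # also percent-decodes, so %3A becomes ':'
        secret = form.get("secret", [""])[0]
        if "ack" in form and SECRET_RE.match(secret):
            return "web-hash-login"
    if method == "GET" and path == "/rest/login":
        return "rest-nonce-fetch"
    if method == "POST" and path == "/rest/login":
        try:
            doc = json.loads(body)
        except ValueError:
            return None
        if (headers.get("x-version") == "2"
                and isinstance(doc, dict)
                and {"loginType", "nonce", "secret"} <= set(doc)
                and SECRET_RE.match(str(doc["secret"]))):
            return "rest-hash-login"
    return None


def correlate(records, window=60):
    """Return findings: per-request tags plus the two sequence rules from the advisory.

    Sequence rules look back `window` seconds at earlier requests from the same source."""
    findings = []
    recs = sorted(records, key=lambda r: r["ts"])
    for i, rec in enumerate(recs):
        tag = classify(rec)
        if tag is None:
            continue
        prior = [p for p in recs[:i]
                 if p["src"] == rec["src"] and rec["ts"] - p["ts"] <= window]
        if tag == "rest-hash-login" and any(
                p["method"] == "GET" and p["path"] == "/rest/login" for p in prior):
            findings.append({"ts": rec["ts"], "src": rec["src"],
                             "rule": "rest-nonce-then-hash-login"})
        elif tag == "web-hash-login":
            resp = {k.lower(): v for k, v in rec.get("resp_headers", {}).items()}
            if "set-cookie" in resp and any(
                    p["method"] == "GET" and p["path"] == "/jsp/index.jsp" for p in prior):
                findings.append({"ts": rec["ts"], "src": rec["src"],
                                 "rule": "web-hash-login-success"})
        findings.append({"ts": rec["ts"], "src": rec["src"], "rule": tag})
    return findings


if __name__ == "__main__":
    for f in correlate(SAMPLE_LOG):
        print(f"t={f['ts']:>3} src={f['src']:<14} {f['rule']}")
```

The regex deliberately checks the 128-hex-digit length rather than the presence of a colon alone, so ordinary form logins (the last sample record) are not tagged. Against production logs the useful follow-up is to pivot on `src`: a source that issues the REST nonce fetch and hash login without ever loading js/prettifier.js or /jsp/index.jsp is worth a closer look, since a browser session would normally have done both.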