CVE-2022-41471: Critical Vulnerability in 74cmsSE v3.12. Enables Low-Level Privileged Attackers to Hijack Super Administrator Account

CVE-2022-41471 is a critical vulnerability found in 74cmsSE v3.12., allowing authenticated attackers with low-level privileges to arbitrarily change the rights and credentials of the Super Administrator account. Exploiting this vulnerability could enable attackers to escalate their privileges, gain unauthorized access to sensitive data, and perform unauthorized actions on the vulnerable system.

Detailed Analysis

In 74cmsSE v3.12., attackers can exploit the vulnerability by abusing the user rights management functionality. The vulnerability originates from improper access control and input validation checks in the administrative interface. This allows low-privileged users to arbitrarily modify the rights and credentials of higher-privileged users, including the Super Administrator account.

The affected code snippet is as follows:

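if ($act=="domodify") {
  // Target user and new rights come straight from the POST body
  $id=$_POST['id'];
  $rights=$_POST['rights'];
  // No check that the requester may change this user's rights;
  // both values are concatenated into the SQL text unvalidated
  $sql="update ".$tablepre."members set rights='$rights' where id='$id'";
  $query=mysql_query($sql,$_conn);
  if(mysql_affected_rows() >= 1) {
    //...
  }
}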

In the above code snippet, the $act variable is checked for the "domodify" value. If it matches, the values of $id and $rights are taken directly from the POST request and used in the UPDATE statement without verifying that the requester is permitted to change the target user's rights. This ultimately allows the attacker to modify the rights of a target user by submitting a malicious POST request.

The attacker can send the following malicious POST request to escalate their privileges:

POST /74cms/admin-rights-management.php
Content-Type: application/x-www-form-urlencoded
Content-Length: ... 

act=domodify&id=<TARGET_USER_ID>&rights=<NEW_RIGHTS>

In this request, <TARGET_USER_ID> should be replaced with the ID of the target user, usually the Super Administrator account, and <NEW_RIGHTS> should be replaced with the desired rights the attacker wishes to assign.

Mitigation

To mitigate the vulnerability, the vendor needs to apply strict access control checks and input validation in the administrative interface. Additionally, the vendor should enforce the principle of least privilege by ensuring users are granted only the minimum rights required for their role.
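
The access control and input validation checks described above, sketched as a hardened form of the domodify handler. This is an added example, not 74cmsSE or vendor code: the role label, the rights allow-list, the policy in canModifyRights, the handleDomodify signature and the demo_ table prefix are assumptions, and it swaps the snippet's mysql_query calls for PDO prepared statements.

```php
<?php
declare(strict_types=1);

// Assumed names (not from 74cmsSE): the role label and the rights allow-list.
const ROLE_SUPER_ADMIN  = 'super_admin';
const ASSIGNABLE_RIGHTS = ['viewer', 'editor', 'manager'];

// Assumed policy: only the top role edits rights, the top account is not
// editable through this handler, and the new value must be on the allow-list.
function canModifyRights(array $caller, array $target, string $newRights): bool
{
    return $caller['rights'] === ROLE_SUPER_ADMIN
        && $target['rights'] !== ROLE_SUPER_ADMIN
        && in_array($newRights, ASSIGNABLE_RIGHTS, true);
}

// $callerId must come from the server-side session; $tablepre from trusted config.
function handleDomodify(PDO $db, string $tablepre, int $callerId, array $post): bool
{
    $targetId  = filter_var($post['id'] ?? null, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    $newRights = $post['rights'] ?? null;
    if ($targetId === false || !is_string($newRights)) {
        return false;                                   // malformed input
    }
    // Look up both accounts in the database instead of trusting request data.
    $load = $db->prepare("SELECT id, rights FROM {$tablepre}members WHERE id = ?");
    $rows = [];
    foreach ([$callerId, $targetId] as $id) {
        $load->execute([$id]);
        $rows[] = $load->fetch(PDO::FETCH_ASSOC);
        $load->closeCursor();
    }
    [$caller, $target] = $rows;
    if (!$caller || !$target || !canModifyRights($caller, $target, $newRights)) {
        return false;                                   // deny by default
    }
    // Bound parameters keep POST values out of the SQL text.
    $update = $db->prepare("UPDATE {$tablepre}members SET rights = ? WHERE id = ?");
    return $update->execute([$newRights, $targetId]);
}

// Constructed sample data in an in-memory SQLite database (needs pdo_sqlite).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE demo_members (id INTEGER PRIMARY KEY, rights TEXT)");
$db->exec("INSERT INTO demo_members VALUES (1,'super_admin'), (2,'editor'), (3,'viewer')");
// Cases: low-privileged caller, permitted change, value outside the allow-list.
var_dump(handleDomodify($db, 'demo_', 2, ['id' => '1', 'rights' => 'viewer']));
var_dump(handleDomodify($db, 'demo_', 1, ['id' => '3', 'rights' => 'editor']));
var_dump(handleDomodify($db, 'demo_', 1, ['id' => '3', 'rights' => 'root']));
```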

Until the vendor releases a patch to remediate the vulnerability, administrators are advised to monitor the activities of low-privileged users and restrict access to the administrative interface to known and trusted individuals only.

Conclusion

CVE-2022-41471 poses a serious threat to organizations running 74cmsSE v3.12., as authenticated attackers with low-level privileges can arbitrarily change the rights and credentials of the Super Administrator account. Until a patch is available, it is crucial for administrators to restrict access to the administrative interface and closely monitor user activities to mitigate any potential exploitation.

Timeline

Published on: 10/17/2022 14:15:00 UTC
Last modified on: 10/29/2022 02:57:00 UTC