Cisco BroadWorks Vulnerabilities CVE-2021–34785 & CVE-2021–34786

Describing Cisco's Broadworks bugs in more details and explaining the issue and the mitigation.

Hello Everyone! Today I will talk about my last findings at Cisco products BroadSoft BroadWorks, one of Cisco's products. I’ve discovered 2 CVEs at it and assigned them as

1. CVE-2021–34785: IDOR lead to privileges escalation “Admin account takeover”

2. CVE-2021-34786: IDOR lead to delete arbitrary admin user accounts

I will not talk about the full story or something similar because I hate these useless words 😅 So let’s get started directly with the exploits and the conditions.

Content

1. BroadWorks structure

2. CVE-2021–34785

3. CVE-2021–34786

4. Weakness points

BroadWorks structure

At BroadWorks, we have an Admins group which have admins with write and read privileges and other admins with read-only privileges.

1. Read and Write: he can modify his data and other admins' data. Also, he can add users, change system preferences, delete users, and fully control the system

2. Read-only: he can modify his data and delete his account. He doesn’t have any other privileges “In my case”

I’ve got the second role (Read-only) and my task is trying to escalate my privileges to have Read and Write actions.

CVE-2021–34785

If you tried to view system users, we have 2 users: Admin and PentestAdmin. My user is PentestAdmin which has low privileges, reads his data only. User Admin has full control of the system

I tried to enumerate the admin account to know what allowed functions, but unfortunately! There’s no allowed function to use at the Admin profile, I can view the data only, but at ll, I know the firstname, lastname and adminID

After that, I tried to enumerate my account and found that I have 2 allowed functions delete the account and change the password without asking you for your old password, weird right?!

I entered a new password and intercepted the request to know what’s the request parameters. I’ve found that we have firstname, lastname and loginid required parameters because I tried to delete loginid but unfortunately! The request failed

At all, it’s not a problem because I have privileges to read all users' data, so I know this data from the admin profile.

The final step is replacing your data with Admin data and sending the request. It returns 200 OK and to check, I tried to log in with the new password, and Bingo! You take over the admin account by changing his password ❤

Me with my friend after success ❤

To make POC, I’ve created a new user SecmeterPOC with writing and reading privileges.

After reviewing the Admin board

CVE-2021–34786

With the same methodology, I tried to delete my account and intercept the request.

We have the same required parameters firstname/lastname/loginid and the same exploit, just replace them with Admin account data and send the request.

What are the results? The admin account was deleted 😈

Weakness points

1. At the change password function, it MUST ask me for the old password and if I forget it, it should ask me to contact the system administrator.

2. There’s no CSRF token attached with the user session to protect the system from performing the same attack using CSRF [I have tried it and successed]

3. To delete an account, it MUST ask the user to enter his password or any security question

Thanks for reading <3 Stay in touch

LinkedIn | GitHub | Twitter