CVE-2023-36082

Description

Unauthenticated access to LDAP and SMTP credentials in GatesAir Flexiva FM Transmitter/Exciter FAX 150W

Discoverer: Eslam Kamal (Strik3r)

Vendor of Product: GatesAir

Affected Product: FM Transmitter/Exciter v.FAX 150W

Introduction

The dangers of leaking sensitive user or business data are fairly obvious, but disclosing technical information can sometimes be just as serious. Although some of this information will be of limited use, it can potentially be a starting point for exposing an additional attack surface, which may contain other interesting vulnerabilities.

Details

IoT metrics can be used against the IoT device itself. The metrics indicate some internal hardware information that shouldn't be exposed to an unauthorized actor; in our case, this information was exposed to the anonymous user. Anonymous users without any cookies or privileges can access the information without being prohibited or denied.

Certain internal information about the IoT device will be exposed if any unauthorized or unauthenticated user navigates to /json, as you can see in the image below:

As you can see, LDAP credentials are leaked on this path to unauthorized actors.

An LDAP password is a crucial piece of information required to access and authenticate with an LDAP server. An attacker who obtains an LDAP password can potentially cause significant damage to an organization. Here are some of the consequences of attackers obtaining an LDAP password:

  1. Unrestricted Access: Attackers can use leaked credentials to gain unrestricted access to sensitive data, applications, and systems within the organization.

  2. Data Breach: Attackers can use the obtained LDAP password to access the organization's network and steal sensitive data, including confidential customer information, financial data, and intellectual property.

  3. Malicious Activities: Attackers can use leaked credentials to carry out malicious activities such as installing malware, deleting files, or altering data within the organization's network.

Also, there is some critical information about the SMTP server including clear-text credentials as you can see below:

By accessing the SMTP server with the leaked credentials, attackers might use this information to launch a larger attack. They could potentially use the credentials to send malicious emails, such as phishing emails, or to send spam. They could also use the credentials to gain access to confidential emails sent through the server.
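To confirm on your own device whether the LDAP and SMTP secrets described above are still served, the check below audits a response body captured from /json without a session cookie and reports secret-bearing fields without printing their values. It is an added example, not code from the advisory or the vendor; the field names, the key pattern and the sample response are constructed assumptions, since the advisory does not reproduce the JSON.

```python
import json
import re

# Key names that usually hold secrets; the device's real field names are not
# given in the advisory, so this pattern is an assumption.
SECRET_KEY = re.compile(r"(pass(word|wd)?|secret|bind_?pw|credential)", re.I)

# Constructed sample of an unauthenticated /json response (not real device output).
SAMPLE_RESPONSE = """
{
  "system": {"model": "FAX 150W", "uptime": 86400},
  "ldap": {"server": "ldap.example.internal", "bind_dn": "cn=svc,dc=example,dc=internal",
           "password": "constructed-ldap-secret"},
  "smtp": {"host": "mail.example.internal", "port": 25, "user": "alerts",
           "smtp_password": "constructed-smtp-secret"},
  "snmp": {"community_secret": ""}
}
"""

def find_exposed_secrets(node, path=""):
    """Return [(json_path, redacted_value)] for non-empty secret-like fields."""
    findings = []
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}" if path else key
            if isinstance(value, (dict, list)):
                findings += find_exposed_secrets(value, child)
            elif SECRET_KEY.search(key) and value not in (None, ""):
                # Never log the secret itself; record only its length.
                findings.append((child, f"<redacted, {len(str(value))} chars>"))
    elif isinstance(node, list):
        for index, item in enumerate(node):
            findings += find_exposed_secrets(item, f"{path}[{index}]")
    return findings

def audit_response(body):
    """Parse a response body captured without a session cookie and audit it."""
    try:
        document = json.loads(body)
    except json.JSONDecodeError:
        return []  # e.g. a login page or 401/403 body: nothing leaked as JSON
    return find_exposed_secrets(document)

if __name__ == "__main__":
    for json_path, note in audit_response(SAMPLE_RESPONSE):
        print(f"EXPOSED {json_path}: {note}")
```

An empty result for a body fetched without authentication is the expected state once access to the path is restricted; any finding means the stored LDAP or SMTP password should be rotated.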
