
CVE-2023-33730 — eScan Management Console Privilege Escalation

Severity: Critical
CVE ID: CVE-2023-33730
Disclosed: 30 May 2023
Author: Sahil Ojha


Overview

eScan Management Console is a centralised security management solution developed by Microworld Technologies. It allows enterprise IT administrators to deploy, manage, and monitor eScan antivirus/endpoint-protection agents across an entire network from a single web-based console.

Version 14.0.1400.2281 of this console contains a critical Privilege Escalation vulnerability. Due to a missing authorization check in the GetUserCurrentPwd API endpoint, any authenticated user — regardless of their privilege level — can retrieve the plaintext passwords of every account registered in the console, including administrator accounts. This immediately enables full takeover of the management console and, by extension, all managed endpoints on the network.


Vulnerability Details

| Field | Value |
| --- | --- |
| CVE ID | CVE-2023-33730 |
| Product | Microworld Technologies eScan Management Console |
| Vulnerable Version | 14.0.1400.2281 |
| Vulnerability Type | Privilege Escalation / Broken Object-Level Authorization (BOLA / IDOR) |
| Attack Vector | Network (authenticated low-privileged user) |
| Authentication | Required (any valid user account) |
| CVSS Score | Critical |
| Disclosure Date | 30 May 2023 |
| Researcher | Sahil Ojha |
| Vendor Homepage | https://www.escanav.com |
| Affected Software | https://cl.escanav.com/ewconsole.dll |
| Tested On | Windows |

Impact

This vulnerability has a critical real-world impact:

  • Horizontal Privilege Escalation — A normal (low-privileged) user can retrieve the plaintext passwords of all other normal users, enabling account takeover across the same privilege tier.
  • Vertical Privilege Escalation — By manipulating a single URL parameter (UsrId), the same low-privileged user can retrieve the plaintext password of the administrator account, granting full administrative control over the eScan Management Console.
  • Mass Credential Exposure — All user passwords are stored and returned in plaintext, meaning a single API call can enumerate credentials for every account in the system simultaneously.
  • Full Network Compromise — Because the eScan Management Console controls antivirus/endpoint agents across the entire enterprise network, administrative access to the console may allow an attacker to disable endpoint protection, deploy malicious software, or pivot to other systems on the network.

Technical Analysis

The vulnerability resides in the GetUserCurrentPwd function exposed by the eScan Management Console web interface. This endpoint is intended to allow a user to retrieve their own password for profile-editing purposes. However, the implementation suffers from a Broken Object-Level Authorization (BOLA / IDOR) flaw:

  1. No ownership check — The endpoint accepts a UsrId parameter but does not verify that the requesting user owns the account corresponding to that ID.
  2. No privilege check — Any authenticated session, regardless of role, is permitted to invoke this endpoint for any UsrId value.
  3. Plaintext password storage / response — Passwords are returned in plaintext in the HTTP response body, bypassing any encryption or hashing protection that may otherwise exist.

Vulnerable request pattern:

GET /eScanWebConsole/webpages/...?action=GetUserCurrentPwd&UsrId=<TARGET_USER_ID> HTTP/1.1
Host: <escan-console-host>
Cookie: <valid-session-cookie>

By iterating over sequential UsrId values, an attacker can dump the credentials of every user in the system in a single automated sweep.
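On the defender's side, the enumeration pattern just described leaves an obvious trace in the console's web-server access log: one session requesting GetUserCurrentPwd for many different UsrId values in a short time, where a legitimate profile edit only ever asks for the session owner's own ID. The detection logic below is an added example, not part of this advisory or of the eScan product; it assumes a simplified, constructed log format with a placeholder URI stem (the real endpoint path is elided above) and a session identifier already extracted from the cookie.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs

# Constructed sample access log (not from a real eScan deployment). Fields:
# timestamp client-ip uri-stem uri-query status session-id; the stem is a placeholder.
SAMPLE_LOG = """\
2023-05-30T10:00:01 10.0.0.5 /console/ action=GetUserCurrentPwd&UsrId=7 200 sess-A
2023-05-30T10:00:03 10.0.0.5 /console/ action=GetUserCurrentPwd&UsrId=1 200 sess-A
2023-05-30T10:00:04 10.0.0.5 /console/ action=GetUserCurrentPwd&UsrId=2 200 sess-A
2023-05-30T10:00:05 10.0.0.5 /console/ action=GetUserCurrentPwd&UsrId=3 200 sess-A
2023-05-30T10:02:10 10.0.0.9 /console/ action=GetUserCurrentPwd&UsrId=12 200 sess-B
2023-05-30T10:03:00 10.0.0.9 /console/ action=SaveProfile&UsrId=12 200 sess-B
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<ip>\S+) (?P<stem>\S+) (?P<query>\S+) "
                     r"(?P<status>\d{3}) (?P<session>\S+)$")

def parse_line(line):
    """Parse one log line into a dict; return None for lines that do not match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    rec["status"] = int(rec["status"])
    rec["params"] = {k: v[0] for k, v in parse_qs(rec["query"]).items()}
    return rec

def find_enumerating_sessions(log_text, window=timedelta(minutes=5), max_distinct_ids=1):
    """Return {session: sorted UsrIds} for sessions that called GetUserCurrentPwd
    with more than max_distinct_ids distinct UsrId values inside one `window`.
    A legitimate profile edit only asks for the session owner's own UsrId."""
    events = defaultdict(list)  # session -> [(timestamp, UsrId)]
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["params"].get("action") != "GetUserCurrentPwd":
            continue
        if "UsrId" in rec["params"]:
            events[rec["session"]].append((rec["ts"], rec["params"]["UsrId"]))
    flagged = {}
    for session, evs in events.items():
        evs.sort()  # chronological, so evs[i:] is the suffix starting at event i
        for i, (start, _) in enumerate(evs):
            ids = {uid for ts, uid in evs[i:] if ts - start <= window}
            if len(ids) > max_distinct_ids:
                flagged[session] = sorted(ids, key=int)
                break
    return flagged
```

Status codes are deliberately not filtered: once the endpoint is fixed, a burst of 403 responses on GetUserCurrentPwd from one session is still worth an alert.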


Proof of Concept

Note: The following steps demonstrate the vulnerability in a controlled lab environment. Do not attempt to reproduce this against any system you do not own or have explicit written permission to test.

Step 1 — Create a low-privileged user

Log in to the eScan Management Console using valid administrator credentials and create a new user account with the normal (low) privilege level.

[Screenshot: Step 1 – Create normal user]


Step 2 — Log in as the low-privileged user

Log out of the administrator session and log in using the credentials of the newly created normal user.

[Screenshot: Step 2 – Log in as normal user]


Step 3 — Capture the profile-edit GET request

While logged in as the normal user, navigate to the Edit Profile / Change Password section. Intercept the outgoing HTTP traffic using Burp Suite (or a comparable HTTP proxy). Identify and capture the GetUserCurrentPwd GET request as shown below.

[Screenshot: Step 3 – Capture GET request in Burp Suite]


Step 4 — Forward the request and observe the plaintext password

Send the captured request to Burp Suite Repeater and forward it. Observe that the server response contains the plaintext password of the currently authenticated normal user — no administrator privileges required to retrieve it.

[Screenshot: Step 4 – Plaintext password returned in response]


Step 5 — Escalate to administrator by modifying UsrId

In Burp Suite Repeater, modify the UsrId parameter to the ID of the administrator account (or any other account). Forward the modified request. The server responds with the administrator's plaintext password, as well as the passwords of any other user whose UsrId is supplied.

[Screenshot: Step 5 – Administrator password exposed via IDOR]


Step 6 — Full account takeover

Use the retrieved administrator password to log in to the console as the administrator, gaining full administrative privileges over the eScan Management Console and all managed endpoints on the network.


Remediation

Microworld Technologies should apply the following mitigations:

  1. Enforce object-level authorization — Before returning any password (or any sensitive field), the server must verify that the UsrId in the request matches the session owner's ID. Requests for other users' data must be rejected with HTTP 403 Forbidden.
  2. Never return plaintext passwords — Passwords must be hashed before storage (e.g., using bcrypt, Argon2) and must never be returned to the client in any form. If a "current password" confirmation is needed, require the user to re-enter the password and validate its hash server-side.
  3. Implement proper Role-Based Access Control (RBAC) — Sensitive administrative API functions should only be accessible to sessions with the appropriate privilege level.
  4. Apply rate-limiting and anomaly detection — Limit the rate at which the GetUserCurrentPwd endpoint can be called per session, and alert on enumeration-style access patterns.
  5. Upgrade to the latest version — Users should upgrade eScan Management Console to the latest available release that addresses this vulnerability, as advised by Microworld Technologies.
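The first two remediation items together, shown as an added example rather than vendor code: the flawed pattern (session identity ignored, plaintext returned for any UsrId) next to a hardened handler that first checks the UsrId against the session owner and then verifies a password the user re-entered against a stored hash, so the secret never leaves the server. Assumptions: scrypt from the Python standard library stands in for the bcrypt/Argon2 named above, the user store and IDs are constructed, and session_user_id is taken to have been resolved server-side from the session cookie.

```python
import hashlib
import hmac
import os

SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1)  # memory-hard KDF; stands in for bcrypt/Argon2

def hash_password(password, salt=None):
    """Return (salt, digest); only these two values are ever stored."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)

def verify_password(candidate, salt, digest):
    _, cand_digest = hash_password(candidate, salt)
    return hmac.compare_digest(cand_digest, digest)  # constant-time comparison

class Forbidden(Exception):
    status = 403

# Constructed user store (hypothetical IDs and passwords). The vulnerable design keeps
# plaintext; the hardened store keeps only (name, salt, digest).
PLAINTEXT_USERS = {1: ("admin", "Adm1nP@ss"), 7: ("alice", "user123")}
HASHED_USERS = {uid: (name, *hash_password(pw)) for uid, (name, pw) in PLAINTEXT_USERS.items()}

def vulnerable_get_user_current_pwd(session_user_id, usr_id):
    """The flawed pattern: the session identity is never consulted, so any
    authenticated caller gets the plaintext password of any UsrId."""
    return PLAINTEXT_USERS[usr_id][1]

def hardened_confirm_current_password(session_user_id, usr_id, supplied_password):
    """The fix: object-level authorization first, then hash verification of a
    password the user re-entered. The stored secret never leaves the server."""
    if usr_id != session_user_id:
        raise Forbidden("UsrId does not match the session owner")
    _, salt, digest = HASHED_USERS[usr_id]
    return verify_password(supplied_password, salt, digest)

def handle_request(session_user_id, usr_id, supplied_password):
    """Map the hardened check onto an HTTP-style (status, body) response."""
    try:
        ok = hardened_confirm_current_password(session_user_id, usr_id, supplied_password)
    except Forbidden as exc:
        return exc.status, {"error": str(exc)}
    return 200, {"current_password_valid": ok}
```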

Disclaimer

This repository and its contents are provided strictly for educational and research purposes. The vulnerability details and proof-of-concept steps are disclosed in accordance with responsible disclosure principles to help defenders understand and remediate the issue.

Do not use this information to attack, compromise, or gain unauthorized access to any system. Unauthorized testing against systems you do not own or have explicit written permission to test is illegal and unethical.

The author and contributors assume no liability for any misuse of the information contained in this repository.

About

eScan Management Console version 14.0.1400.2281 contains a privilege escalation vulnerability: the `GetUserCurrentPwd` function lets attackers retrieve any user's password in plaintext.
