CVE-2022-37163: CVE-2022-37857, CVE-2022-37163, CVE-2022-37164 Hardcoded Credentials/Weak Password Policies

Bminusl IHateToBudget v1.5.7 employs a weak password policy which allows attackers to potentially gain unauthorized access to the application via brute-force attacks. Additionally, user passwords are hashed without a salt or pepper making it much easier for tools like hashcat to crack the hashes.

  • CVE-2022-37857

    • Affected product and version: Hauk version 1.6.1

    • Problem type: Weak password policy and hardcoded credentials

    • Description: Hauk v1.6.1 requires a hardcoded password which by default is blank. This hardcoded password is hashed but stored within the config.php file server-side, as well as in clear text on the Android client device by default.

  • CVE-2022-37163

    • Affected product and version: IHateToBudget version 1.5.7

    • Problem type: Weak password policy and use of password hash with insufficient computational effort

    • Description: IHateToBudget v1.5.7 employs a weak password policy which allows attackers to potentially gain unauthorized access to the application via brute-force attacks. Additionally, user passwords are hashed without a salt or pepper, making it much easier for tools like hashcat to crack the hashes.

  • CVE-2022-37164

    • Affected product and version: OnTrack version 3.4

    • Problem type: Weak password policy and use of password hash with insufficient computational effort

    • Description: OnTrack v3.4 employs a weak password policy which allows attackers to potentially gain unauthorized access to the application via brute-force attacks. Additionally, user passwords are hashed without a salt or pepper, making it much easier for tools like hashcat to crack the hashes.
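The three advisories above share two root causes: a password policy that accepts blank or trivially short passwords, and password hashes computed without a per-user salt or a work factor. The following Python example is added here to illustrate the contrast; it is not code from Hauk, OnTrack or IHateToBudget, and the policy rules, the storage format string and the sample passwords are constructed for the demonstration. It shows the weak pattern (a bare digest, where every user with the same password gets the same hash) beside a salted, iterated PBKDF2-HMAC-SHA256 hash with a constant-time verifier and a minimal policy check that rejects a blank password.

```python
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

# Work factor for the hardened form. 600,000 iterations follows current OWASP
# guidance for PBKDF2-HMAC-SHA256; raise it as hardware allows.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16
MIN_PASSWORD_LENGTH = 12  # constructed policy value, not from any of the projects


def unsalted_hash(password: str) -> str:
    """The weak pattern named in the advisories: one plain digest, no salt, no
    work factor. Included only to contrast with hash_password() below."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def check_password_policy(password: str) -> List[str]:
    """Return the list of policy violations; an empty list means acceptable.
    A blank password (the Hauk default described above) fails both rules."""
    problems = []
    if password == "":
        problems.append("password must not be blank")
    if len(password) < MIN_PASSWORD_LENGTH:
        problems.append(f"password must be at least {MIN_PASSWORD_LENGTH} characters")
    return problems


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, iterated hash. The stored string is self-describing,
    'pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>', so the iteration count
    can be raised later without breaking existing records."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt per stored password
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the salt and iteration count taken from the stored
    record and compare in constant time. Malformed records never verify."""
    try:
        scheme, iterations, salt_hex, hash_hex = stored.split("$")
        salt = bytes.fromhex(salt_hex)
        rounds = int(iterations)
    except ValueError:
        return False
    if scheme != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(digest.hex(), hash_hex)


def same_password_collides(password: str) -> Tuple[bool, bool]:
    """Constructed scenario: two accounts pick the same password.
    Returns (unsalted hashes identical, salted hashes identical)."""
    return (
        unsalted_hash(password) == unsalted_hash(password),
        hash_password(password) == hash_password(password),
    )


if __name__ == "__main__":
    for candidate in ["", "hunter2", "correct horse battery staple"]:
        print(repr(candidate), "policy violations:", check_password_policy(candidate))
    print("same password, unsalted/salted collide:", same_password_collides("hunter2"))
    record = hash_password("correct horse battery staple")
    print("stored record:", record)
    print("verify correct:", verify_password("correct horse battery staple", record))
    print("verify wrong:", verify_password("wrong password", record))
```

The unsalted digest is what makes precomputed tables and cross-user matching cheap: identical passwords produce identical hashes. With a random salt each stored value is unique, and the iteration count makes every guess cost the same work as a legitimate login, which is the "computational effort" the CWE in the problem type refers to.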

So I ran into an interesting issue with a self-hosted location sharing service that includes an Android client available on F-Droid and the Play Store.

I reached out to the developer about the Janus vulnerability, although I think that his response was totally legitimate, which you can read about HERE.

If you’re interested in the Janus vulnerability, check more information about it HERE!

Regardless, what I decided to pursue and report was the fact that credentials are hardcoded HERE, although of course you need to replace config-sample.php with config.php.

So the developer was professional and didn't really push back, but their choice was to leave the password requirements/hardcoded credential requirement to the administrator.

Even though I completely understand it, I wanted to let those that rely on this server/client know.

That is where CVE-2022-37857 comes from!

Following that path, the OnTrack application found HERE was also vulnerable and was assigned CVE-2022-37164.

Lastly, the same issue was found in the IHateToBudget application found HERE and was assigned CVE-2022-37163.

Hope it's helpful!

END TRANSMISSION

Published August 7, 2022 / August 26, 2022


Related news

CVE-2022-37164: Responsible disclosure policy · Issue #78 · inoda/ontrack

Inoda OnTrack v3.4 employs a weak password policy which allows attackers to potentially gain unauthorized access to the application via brute-force attacks. Additionally, user passwords are hashed without a salt or pepper making it much easier for tools like hashcat to crack the hashes.

CVE-2022-37857: Two minor Security Issues · Issue #187 · bilde2910/Hauk

bilde2910 Hauk v1.6.1 requires a hardcoded password which by default is blank. This hardcoded password is hashed but stored within the config.php file server-side, as well as in clear text on the Android client device by default.
