Password theft bug chain patched in Passwordstate credential manager

Flaws could be combined to grab passwords in cleartext

PortSwigger
#xss#vulnerability#ios#pdf#hard_coded_credentials#auth

Charlie Osborne 21 December 2022 at 16:16 UTC

Vulnerabilities in enterprise password manager Passwordstate that could be combined to exfiltrate stored credentials have been patched.

Developed by Australian vendor Click Studios, Passwordstate is an on-premise suite comprising role-based administration and access control, sensitive information sharing, AES data encryption, and browser extension capabilities. The software has approximately 29,000 users.

Passwordstate was subject to scrutiny by Swiss security consultancy modzero AG following a customer request to check the password manager’s security.

Modzero researchers Constantin Muller, Jan Benninger, and Pascal Zenker duly conducted an audit of Passwordstate and found a range of security issues, as documented in the team’s disclosure report (PDF).

They included CVE-2022-3875, a high severity API authentication bypass (CVSS 7.3); CVE-2022-3876 (CVSS 4.3), where UpdatePassword file manipulation leads to authorization bypass; and CVE-2022-3877 (CVSS 3.5), a cross-site scripting (XSS) flaw in the user interface.

Researchers also found another XSS, the use of hard-coded credentials for APIs, insufficient protection for password lists, and potential exposure of passwords in the browser extension.

Attack chain

A potential attack chain would look like this: forge an API token using a valid username, add malicious password entries with XSS payloads in public and private password lists, wait until an administrator unwittingly opens a password entry, secure a reverse shell, and then pull and dump passwords stored in the Passwordstate instance.

“Successful exploitation allows an unauthenticated attacker to exfiltrate passwords from an instance, overwrite all stored passwords within the database, or elevate their privileges within the application,” the researchers say.

“The individual vulnerabilities can be chained to gain a shell on the Passwordstate host system and dump all stored passwords in cleartext – starting with nothing more than a valid username!”

According to modzero, Click Studios was “responsive” throughout the disclosure process and quick to triage and patch the researchers’ findings, resulting in Passwordstate version 9.6 (9653).

“Password safety and therefore password management solutions are the foundation on which an organization’s security infrastructure is built on,” modzero commented. “The uncovered findings show the incredible importance of ongoing security audits for critical assets and red teaming engagements within organizations.”

The Daily Swig has reached out to Click Studios and we will update if and when we hear back.
