CVE-2022-37857, CVE-2022-37163, CVE-2022-37164 Hardcoded Credentials/Weak Password Policies

  • CVE-2022-37857
      • Affected product and version: Hauk version 1.6.1
      • Problem type: Weak Password Policy and hardcoded credentials
      • Description: Hauk v1.6.1 requires a hardcoded password which by default is blank. This hardcoded password is hashed but stored within the config.php file server-side, as well as in clear text on the Android client device by default.
  • CVE-2022-37163
      • Affected product and version: IHateToBudget version 1.5.7
      • Problem type: Weak Password Policy and Use of Password Hash with Insufficient Computational Effort
      • Description: IHateToBudget v1.5.7 employs a weak password policy which allows attackers to potentially gain unauthorized access to the application via brute-force attacks. Additionally, user passwords are hashed without a salt or pepper, making it much easier for tools like hashcat to crack the hashes.
  • CVE-2022-37164
      • Affected product and version: OnTrack version 3.4
      • Problem type: Weak Password Policy and Use of Password Hash with Insufficient Computational Effort
      • Description: OnTrack v3.4 employs a weak password policy which allows attackers to potentially gain unauthorized access to the application via brute-force attacks. Additionally, user passwords are hashed without a salt or pepper, making it much easier for tools like hashcat to crack the hashes.
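The three advisories above share two defects: a password policy that accepts blank or trivial passwords, and password storage as a single fast, unsalted hash. The following is an added example (not code from Hauk, IHateToBudget or OnTrack) showing, in Python, the weak storage form beside a hardened one, a policy check that rejects the blank default, and a small audit helper that flags duplicate stored hashes, which is the tell-tale sign of unsalted storage. The sample accounts, the minimum length and the iteration count are all constructed for the demo.

```python
import hashlib
import hmac
import os

# Constructed sample accounts (not real data): two users who chose the same password.
SAMPLE_USERS = {"alice": "correct horse", "bob": "correct horse"}

MIN_PASSWORD_LENGTH = 12      # assumed policy value for this example
PBKDF2_ITERATIONS = 100_000   # kept modest so the demo runs quickly; tune upward in production


def check_password_policy(password):
    """Return a list of policy violations; an empty list means the password is acceptable.
    Rejects the blank default described in the Hauk report as well as short passwords."""
    problems = []
    if password == "":
        problems.append("password is blank")
    if len(password) < MIN_PASSWORD_LENGTH:
        problems.append(f"shorter than {MIN_PASSWORD_LENGTH} characters")
    return problems


def unsalted_hash(password):
    """The weak form: one fast hash, no salt. Identical passwords produce identical
    hashes, and a single precomputed table works against every user at once."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password, salt=None):
    """Hardened form: a per-user random salt plus a slow KDF (PBKDF2-HMAC-SHA256).
    Stored as 'pbkdf2_sha256$<iterations>$<salt_hex>$<hash_hex>' so the parameters
    travel with the hash and can be raised later without a flag day."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute the KDF with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, hash_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), hash_hex)


def duplicate_hash_count(stored_hashes):
    """Audit helper: how many distinct hash values are shared by more than one user.
    Any duplicate in a password table is a strong signal that the hashes are unsalted."""
    seen = {}
    for h in stored_hashes:
        seen[h] = seen.get(h, 0) + 1
    return sum(1 for count in seen.values() if count > 1)


if __name__ == "__main__":
    print("policy violations for blank password:", check_password_policy(""))
    weak = {user: unsalted_hash(pw) for user, pw in SAMPLE_USERS.items()}
    strong = {user: hash_password(pw) for user, pw in SAMPLE_USERS.items()}
    print("duplicate unsalted hashes:", duplicate_hash_count(weak.values()))  # 1
    print("duplicate salted hashes:", duplicate_hash_count(strong.values()))  # 0
    print("alice verifies:", verify_password("correct horse", strong["alice"]))
```

The duplicate-hash audit is a cheap check an administrator can run against an exported user table before deciding whether a migration to salted, iterated hashing is needed; the `check_password_policy` call belongs wherever the application sets or changes a credential, including the installer that writes the server-side config.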

So I ran into an interesting issue with a self-hosted location sharing service that includes an Android client available on F-Droid and the Play Store.

I reached out to the developer about the Janus vulnerability, although I think his response was entirely legitimate; you can read it HERE.

If you’re interested in the Janus vulnerability, check more information about it HERE!

Regardless, what I decided to pursue and report was the fact that credentials are hardcoded HERE, although of course you need to replace config-sample.php with config.php.

The developer was professional and didn't really push back, but their choice was to leave the password requirements and the hardcoded credential requirement to the administrator.

Even though I completely understand that, I wanted those who rely on this server/client to know.

That is where CVE-2022-37857 comes from!

Following that path, the OnTrack application found HERE was also vulnerable and was assigned CVE-2022-37164.

Lastly, the same issue was found in the IHateToBudget application found HERE, and it was assigned CVE-2022-37163.

Hope it's helpful!

END TRANSMISSION
