# CVE-2022-44022

## <mark style="color:yellow;">CVE Detail</mark>

PwnDoc through 0.5.3 might allow remote attackers to identify valid user account names by leveraging response timings for authentication attempts.

<table><thead><tr><th width="111">Product</th><th width="175">CVE</th><th width="163">Owner</th><th width="175">CVSSv3 Score</th><th>CWE</th></tr></thead><tbody><tr><td><a href="https://github.com/pwndoc/pwndoc/issues/381">pwndoc</a></td><td><a href="https://nvd.nist.gov/vuln/detail/CVE-2022-44022">CVE-2022-44022</a></td><td><a href="https://nstsec.com">Lorenzo Anastasi</a></td><td><mark style="background-color:orange;"><strong>5.3 Medium</strong></mark></td><td><a href="https://cwe.mitre.org/data/definitions/307.html">CWE-307</a></td></tr></tbody></table>

## <mark style="color:yellow;">Exploitation Steps</mark>

It is possible to enumerate the users registered in PwnDoc (tested on 0.5.3 - 2022-07-19 and previous versions) by observing the web server's response timing.\
For example, let's suppose these users were registered on PwnDoc:

<figure><img src="https://user-images.githubusercontent.com/43656486/194424548-0684d566-f28b-40b2-ab9c-cb3b11bf0173.jpg" alt=""><figcaption></figcaption></figure>

By performing a dictionary brute-force attack, i.e. sending a login POST request for each name in a defined list of users, the server's response time can be recorded for every attempt.

<figure><img src="https://user-images.githubusercontent.com/43656486/194425746-0642cf93-973c-40ca-900b-a1eac7c9ae6c.png" alt=""><figcaption></figcaption></figure>

A potential attacker can discover all the valid users by checking whether the response time of the login request is long; for non-existent users the response time is shorter.

The success of the attack depends highly on the stability of the server and of the Internet connection between the hosts. In any case, as a remediation, it is advisable to add a timing delay so that the response timing is balanced for each login request.
