Sangfor EDR - Authentication Bypass

By kannthu

High
Vidoc Module
#sangfor #auth-bypass #login
Description

What is "Sangfor EDR - Authentication Bypass"?

The "Sangfor EDR - Authentication Bypass" module is designed to detect an authentication bypass vulnerability in the Sangfor EDR software. This vulnerability allows an attacker to gain unauthorized access to the system with admin privileges. The severity of this vulnerability is classified as high.

This module was authored by princechaddha.

Impact

If successfully exploited, this authentication bypass vulnerability in Sangfor EDR can lead to unauthorized access to the system with admin privileges. This can result in the compromise of sensitive data, unauthorized changes to system configurations, and potential further exploitation of the affected system.

How does the module work?

The "Sangfor EDR - Authentication Bypass" module works by sending an HTTP GET request to the login page of the Sangfor EDR software. It then applies a set of matching conditions to determine if the authentication bypass vulnerability is present.

The first matching condition checks that the response body contains the string "/download/edr_installer_". As the module preview shows, the module also checks that the response headers do not contain the string 'Set-Cookie=""' and that they do contain the string "Set-Cookie=". Finally, it verifies that the response status code is 302.

If all the matching conditions are met, the module reports the authentication bypass vulnerability in the Sangfor EDR software.

Module preview

Concurrent Requests (1)
1. HTTP Request template
GET /ui/login.php?user=a...
Matching conditions
word: /download/edr_installer_ and
NOT word: Set-Cookie="" and
word: Set-Cookie= and
status: 302
Passive global matcher
No matching conditions.
On match action
Report vulnerability