
CVE-2020-7378 PoC — CRIXP OpenCRX Unverified Password Change

Source
Associated Vulnerability
Title: CRIXP OpenCRX Unverified Password Change (CVE-2020-7378)
Description: CRIXP OpenCRX version 4.30 and 5.0-20200717 and prior suffers from an unverified password change vulnerability. An attacker who is able to connect to the affected OpenCRX instance can change the password of any user, including admin-Standard, to any chosen value. This issue was resolved in version 5.0-20200904, released September 4, 2020.
Readme
## CVE-2020-7378 – OpenCRX Predictable Password Reset Token and XXE Exploit

This repository contains a combined proof-of-concept (PoC) exploit for **CVE-2020-7378**, a critical vulnerability in **OpenCRX** (versions up to and including 5.0-20200717). The exploit chains two core issues in the application:

1. A **predictable password reset token** vulnerability due to reliance on `java.util.Random`, which allows attackers to generate valid tokens based on a millisecond timestamp seed.
2. A **blind XML External Entity (XXE)** vulnerability in the `RestServlet` endpoint that permits remote file disclosure from the server’s filesystem.

The combination of these two flaws enables an unauthenticated attacker to gain administrative access and exfiltrate sensitive server-side files.
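As an added illustration (not code from this repository or from OpenCRX itself), the time-seeded `java.util.Random` pattern the advisory describes is shown next to the reset-token handling a fix would use: a `SecureRandom` token, stored only as a hash, compared in constant time and bound to an expiry. The class, method names and the 15-minute lifetime are assumptions for the example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Random;

public final class ResetTokenExample {
    // Weak pattern (illustrative): a Random seeded from the request clock.
    // Two calls with the same millisecond seed yield the same token, so the
    // token's entropy is only the width of the attacker's timing window.
    static String weakToken(long requestTimeMillis) {
        Random r = new Random(requestTimeMillis);
        return Long.toHexString(r.nextLong());
    }

    // Hardened form: 32 bytes (256 bits) from SecureRandom, URL-safe base64,
    // no dependence on the clock at all.
    private static final SecureRandom RNG = new SecureRandom();
    static String strongToken() {
        byte[] buf = new byte[32];
        RNG.nextBytes(buf);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
    }

    // Persist only the SHA-256 of the token, so a database read does not leak usable tokens.
    static byte[] tokenHash(String token) throws NoSuchAlgorithmException {
        return MessageDigest.getInstance("SHA-256").digest(token.getBytes(StandardCharsets.UTF_8));
    }

    // Assumed lifetime: 15 minutes. MessageDigest.isEqual is a constant-time comparison.
    static final long TTL_MILLIS = 15L * 60 * 1000;
    static boolean tokenValid(String presented, byte[] storedHash, long issuedAtMillis, long nowMillis)
            throws NoSuchAlgorithmException {
        if (nowMillis - issuedAtMillis > TTL_MILLIS) return false; // expired
        return MessageDigest.isEqual(tokenHash(presented), storedHash);
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        long t = 1600000000000L; // constructed request timestamp
        System.out.println("weak token repeats for same seed: " + weakToken(t).equals(weakToken(t)));
        String tok = strongToken();
        byte[] stored = tokenHash(tok);
        long issued = System.currentTimeMillis();
        System.out.println("fresh token accepted: " + tokenValid(tok, stored, issued, issued + 1000));
        System.out.println("other token accepted: " + tokenValid(strongToken(), stored, issued, issued + 1000));
        System.out.println("expired token accepted: " + tokenValid(tok, stored, issued, issued + TTL_MILLIS + 1));
    }
}
```

A token that is single-use (the stored hash is deleted on successful reset) closes the remaining replay window; that step is omitted here for brevity.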

---

### Vulnerability Details

* **CVE ID**: [CVE-2020-7378](https://nvd.nist.gov/vuln/detail/CVE-2020-7378)
* **Affected Product**: OpenCRX ≤ 5.0-20200717
* **Attack Surface**: Publicly exposed management and REST interfaces
* **Root Causes**:

  * Insecure pseudo-random token generation during password resets
  * Unsafe XML parsing in REST API endpoints
* **Impact**:

  * Unauthorized password resets for arbitrary users (including admin)
  * Arbitrary file read via XXE injection
* **CVSS**: 9.1 (Critical)

---

### Included Components

* `opencrx-exploit.py`: Full-chain exploit script that performs both token prediction and XXE file read.
* `OpenCRXToken.java`: Java class that emulates the token generation logic using a brute-force seed range based on request timing.

### Usage

1. Compile the token generator:

   ```bash
   javac OpenCRXToken.java
   ```

2. Run the exploit:

   ```bash
   python3 opencrx-exploit.py <target_user_id>
   ```

This will:

* Generate and test valid password reset tokens based on the timing window.
* Reset the target user’s password.
* Trigger an XXE payload via the REST API to read a sensitive file from the server.

File Snapshot

```
[4.0K] /data/pocs/c7648a99e1ce8c2e6afdd85ccf655173b583678c
├── [2.5K] opencrx-reset-spray.py
├── [ 732] OpenCRXToken.java
└── [1.9K] README.md

0 directories, 3 files
```