IntelliChoice eFORCE Software Suite v2.5.9 Username Enumeration

Title: IntelliChoice eFORCE Software Suite v2.5.9 Username Enumeration
Advisory ID: ZSL-2021-5658
Type: Local/Remote
Impact: Exposure of Sensitive Information
Risk: (2/5)
Release Date: 28.07.2021
Summary
IntelliChoice is a United States software company that was founded in 2003 and offers a software title called eFORCE Software Suite. eFORCE Software Suite is law enforcement software that includes features such as case management, court management, crime scene management, criminal database, dispatching, evidence management, field reporting, scheduling, court management integration, certification management, and incident mapping. With regard to system requirements, eFORCE Software Suite is available as SaaS, Windows, iPhone, and iPad software.
Description
The weakness is caused by the way the login script verifies provided credentials. An attacker can use this weakness to enumerate valid users on the affected application via the 'ctl00$MainContent$UserName' POST parameter.
Vendor
IntelliChoice, Inc. - https://www.eforcesoftware.com
Affected Version
2.5.9.6
2.5.9.5
2.5.9.3
2.5.9.2
2.5.9.1
2.5.8.0
2.5.7.20
2.5.7.18
2.5.6.18
2.5.4.6
2.5.3.11
Tested On
Microsoft-IIS/10.0
Microsoft-IIS/8.5
ASP.NET/4.0.30319
Vendor Status
[03.05.2021] Vulnerability discovered.
[15.07.2021] Vendor contacted.
[27.07.2021] No response from the vendor.
[28.07.2021] Public security advisory released.
PoC
eforce_usrenum.txt
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] https://www.exploit-db.com/exploits/50164
[2] https://packetstormsecurity.com/files/163705/
[3] https://cxsecurity.com/issue/WLB-2021070171
[4] https://exchange.xforce.ibmcloud.com/vulnerabilities/206479
Changelog
[28.07.2021] - Initial release
[30.07.2021] - Added reference [1] and [2]
[02.08.2021] - Added reference [3] and [4]
Contact
Zero Science Lab

Web: https://www.zeroscience.mk
e-mail: lab@zeroscience.mk