AD Self Password Reset v3.0 by Dovestones Software contains a critical vulnerability in the password change functionality that allows unauthenticated users to change the password of arbitrary accounts.
The vendor has been working with customers to upgrade them to a fixed version.
The /Reset/ChangePass handler does not verify that the validation (security) questions were answered, nor that the target account is enrolled in the service. An attacker can therefore reset any account that the application's service account has permission to reset, including accounts that were never enrolled.
The responsible method is PasswordReset.Controllers.ResetController.ChangePasswordIndex() in PasswordReset.dll. It fails to validate the requesting user and performs the password reset on whatever account the request names.
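The flaw is a multi-step flow whose final step trusts the request instead of server-side state. The following is an added example (not code from Dovestones or the advisory) that models the two designs side by side: a vulnerable ChangePass that acts on the username in the request, and a hardened flow where ChangePass only proceeds for a session that the server itself marked as verified, for the same account, and only if that account is enrolled. The directory, session object and step names are constructed here for illustration and are not the product's API.

```python
from copy import deepcopy
from dataclasses import dataclass
from typing import Optional
import hashlib
import hmac

# Constructed sample directory standing in for AD. "enrolled" means the
# user registered security questions; answers are stored as plain text
# purely to keep the toy short (a real deployment would store hashes).
SAMPLE_DIRECTORY = {
    "alice": {"password": "Old-A1!", "enrolled": True,
              "answers": {"pet": "rex", "city": "lima"}},
    "bob":   {"password": "Old-B1!", "enrolled": False, "answers": {}},
}


def fresh_directory():
    """Return a private copy so each flow below can mutate its own data."""
    return deepcopy(SAMPLE_DIRECTORY)


def _norm(answer: str) -> bytes:
    """Normalise an answer and hash it so comparison is constant-time."""
    return hashlib.sha256(answer.strip().lower().encode()).digest()


@dataclass
class Session:
    """Server-side state; the only thing the flow is allowed to trust."""
    username: Optional[str] = None
    verified: bool = False


class VulnerableReset:
    """Shape of the flaw in the advisory: ChangePass resets whichever account
    the request names, with no check that questions were answered or that
    the account is enrolled."""

    def __init__(self, directory):
        self.d = directory

    def change_pass(self, session, username, new_password):
        acct = self.d.get(username)
        if acct is None:
            return "unknown user"
        acct["password"] = new_password
        return "reset"


class HardenedReset:
    """Each step advances only on state the server recorded itself."""

    def __init__(self, directory):
        self.d = directory

    def start(self, session, username):
        session.username, session.verified = None, False
        acct = self.d.get(username)
        if acct is None or not acct["enrolled"]:
            return "cannot reset"      # same reply for unknown and unenrolled
        session.username = username
        return "questions"

    def answer(self, session, answers):
        if session.username is None:
            return "no reset in progress"
        expected = self.d[session.username]["answers"]
        ok = all(hmac.compare_digest(_norm(answers.get(q, "")), _norm(a))
                 for q, a in expected.items())
        if not ok:
            session.username = None    # wrong answers: start over
            return "wrong answers"
        session.verified = True
        return "verified"

    def change_pass(self, session, username, new_password):
        # Bind to the session's account, require verification, and re-check
        # enrolment at the moment of the reset rather than trusting the form.
        acct = self.d.get(session.username) if session.verified else None
        if acct is None or session.username != username or not acct["enrolled"]:
            return "verification required"
        acct["password"] = new_password
        session.username, session.verified = None, False   # one reset per verification
        return "reset"
```

The vulnerable class will happily reset "bob", who never enrolled; the hardened class refuses ChangePass for any session that did not pass the questions step for that exact account, and consumes the verification after one use so a replayed request cannot reset the account again.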
Request:
POST /PasswordReset/Reset/ChangePass HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:41.0) Gecko/20100101 Firefox/41.0
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

Response:
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Date: Sat, 17 Oct 2015 03:13:31 GMT
<form action="/PasswordReset/Reset?Length=5" data-ajax="true" data-ajax-failure="HandleError" data-ajax-method="POST" data-ajax-mode="replace" data-ajax-update="#content" data-ajax-url="/PasswordReset/Reset/Confirm" id="pr-reset-success" method="post"> <div class="field-wrapper">
<label>Congratulations! Your password has been reset.</label>
<button type="submit" name="command">Finish</button>
VU#757840 – Dovestones Software AD Self Password Reset fails to properly restrict password reset request to authorized users
Dovestones Software AD Self Password Reset fails to properly validate users, which enables an unauthenticated attacker to reset passwords for arbitrary accounts.
CWE-284: Improper Access Control – CVE-2015-8267
Dovestones Software AD Self Password Reset contains a vulnerable method PasswordReset.Controllers.ResetController.ChangePasswordIndex() in PasswordReset.dll that fails to validate the requesting user. An attacker can reset passwords for arbitrary accounts by manipulating web application requests that call the vulnerable method.
A remote, unauthenticated attacker can reset passwords for arbitrary accounts where usernames are known or can be guessed.
Apply an update
The vendor has worked directly with customers to apply updates for this and other vulnerabilities. Users who have not received an update are encouraged to contact the vendor.
Thanks to Adam Caudill for reporting this vulnerability.
This document was written by Joel Land.
Special thanks to Dovestones for their quick response, and US CERT for their help in coordinating disclosure.