Chinacache: a new way to reset any user's password
Earlier, another white hat submitted an arbitrary password reset on the Chinese talent site (wooyun-2015-0117458): the verification code was short and the number of attempts was not limited. The vendor fixed that one quickly, which is great, but today I found another spot where a reset is possible. I hope the vendor will review the whole password reset system rather than just this one point.
1. Normal password retrieval process
Register an account with a mobile phone number. After registration succeeds, click "forgot password":
http://passport.chinahr.com/pc/findPwd
Enter the mobile phone number and the image verification code, then click "retrieve password":
In step 2 the phone receives an SMS verification code, and we enter it:
Click "Reset Password" to reach step 3, where the new password can be entered:
Enter the new password and click OK. That completes the normal password reset flow:
2. Resetting any password
The above is the normal flow. The critical point is the mobile phone verification code entered in step 2: if this step can be bypassed, any password can be reset. The previous white hat used brute force, and the vendor fixed that by limiting the number of attempts, so we will not test it here.
The method used here is to modify the server's return value to bypass the check. We capture the traffic to see the request and response of step 2 at that point:
This part of the returned value is the key. Now we take the account through the flow again for testing, reach step 2, and submit an incorrect verification code. The return value is as follows:
We find that the normal return value is an encrypted form of the mobile number being reset, which the front end decrypts and compares. So the normal return value differs for each mobile number. Fortunately, we can capture this encrypted value once the first request succeeds:
By replacing the return value, we can easily bypass step 2.
We use the tuhao number for the demonstration: 13888888888
In the first step, enter the number and the image verification code to proceed. Capture the traffic and obtain the encrypted string mentioned above:
Click Next, capture the traffic, and modify the returned header using the encrypted string just obtained. Enter any 4-digit verification code and click "Reset Password" to reach step 3. Then we change the password to 123456, click OK, and log in to the tuhao's account:
Details of the tuhao's account, which contains multiple mobile phone numbers:
She is probably already fed up with harassment. I had no choice but to do this. Ms. Wang, I am sorry. Please forgive me!
Solution:
1. The password reset must be verified on the server side, checking the mobile number and the verification code together; the front end must not be the one deciding whether the code was correct.
2. It is best to increase the verification code length to 6 digits.
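As an added illustration of the two recommendations (not the vendor's code; all names and values are constructed), the model below keeps every decision of the three-step flow on the server: the code is 6 digits, attempts are counted and the flow is locked after too many, and step 3 only accepts a token that the server itself minted after its own check, so nothing a client rewrites in a response can move it forward.

```python
import hmac, hashlib, secrets

CODE_LENGTH = 6          # recommendation 2: 6-digit code
MAX_ATTEMPTS = 5         # recommendation 1: server-side attempt limit
SECRET = secrets.token_bytes(32)  # constructed server-side signing key

class PasswordResetService:
    """Server-side model of the three-step flow; all state lives here, not in the client."""
    def __init__(self):
        self.flows = {}        # flow_id -> {phone, code, attempts, verified}
        self.sent_codes = []   # stand-in for the SMS gateway (constructed for the demo)

    def start(self, phone):
        """Step 1: bind a flow to the phone and send a code; the client gets only an opaque id."""
        flow_id = secrets.token_urlsafe(16)
        code = f"{secrets.randbelow(10**CODE_LENGTH):0{CODE_LENGTH}d}"
        self.flows[flow_id] = {"phone": phone, "code": code, "attempts": 0, "verified": False}
        self.sent_codes.append((phone, code))  # goes out by SMS, never in the HTTP response
        return flow_id

    def verify_code(self, flow_id, submitted):
        """Step 2: compare on the server, count attempts, then issue a signed step-3 token."""
        flow = self.flows.get(flow_id)
        if flow is None or flow["verified"]:
            return None
        flow["attempts"] += 1
        if flow["attempts"] > MAX_ATTEMPTS:
            del self.flows[flow_id]            # lock the flow after too many guesses
            return None
        if not hmac.compare_digest(flow["code"].encode(), str(submitted).encode()):
            return None
        flow["verified"] = True
        return self._reset_token(flow_id, flow["phone"])

    def _reset_token(self, flow_id, phone):
        # Bound to both the flow and the phone; only minted after the server-side check passed
        msg = f"{flow_id}:{phone}".encode()
        return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()

    def set_password(self, flow_id, token, new_password):
        """Step 3: accept the new password only with a token this server issued for this flow."""
        flow = self.flows.get(flow_id)
        if flow is None or not flow["verified"]:
            return False
        if not hmac.compare_digest(str(token).encode(), self._reset_token(flow_id, flow["phone"]).encode()):
            return False
        del self.flows[flow_id]                # one-time use
        return True                            # a real service would store a hash of new_password here
```

A forged or replayed step-2 response carries no token the server recognises, so step 3 is refused; only a correct code within the attempt limit produces one.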