Sangfor Operation and Maintenance Security Management System Unauthenticated Arbitrary Password Reset Vulnerability

Vulnerability

A critical vulnerability allowing unauthenticated arbitrary password resets has been identified in Sangfor's Operation and Maintenance Security Management System (OSM) versions prior to 3.0.12. The issue resides in the 'edit_pwd_mall' function within the '/fort/login/edit_pwd_mall' endpoint. The vulnerability arises because the backend logic fails to validate the current session or the original password when the 'isflag' parameter is set to 'true'. This oversight enables an attacker to reset the password of any user, including the administrator, by knowing the username.

Impact

Exploitation of this vulnerability allows for unauthorized password resets, potentially leading to unauthorized access to user accounts, including administrative accounts.

Reproduction

To exploit this vulnerability, send a POST request to the '/fort/login/edit_pwd_mall' endpoint with the 'isflag' parameter set to 'true', along with the 'account' parameter specifying the username of the account to be targeted. The 'newpwd' and 'repwd' parameters should be filled with the desired new password, after encrypting it using a custom encryption method that reverses the string, skips certain characters, and base64 encodes the result.

Remediation

Disable the 'edit_pwd_mall' endpoint if it is not needed. If the endpoint must remain active, implement IP whitelisting, require authentication for administrative actions, and consolidate the password change logic into a single path so that setting 'isflag' cannot bypass session or original-password verification.
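The following is an added example, not part of this advisory and not Sangfor's code. It shows the two defender-side checks the Reproduction and Remediation sections imply: a log scan that flags POST requests to '/fort/login/edit_pwd_mall' carrying 'isflag=true' (reporting whether a session cookie was present), and a single server-side authorization rule in which the 'isflag' parameter has no influence on the decision. The log line format, the cookie name, and the function names are assumptions made for illustration; the sample log entries are constructed.

```python
"""Added example (not from the advisory or from Sangfor).

1. find_reset_attempts(): scans constructed access-log lines for POST requests
   to the vulnerable endpoint with isflag=true, noting whether a session
   cookie accompanied the request.
2. authorize_password_change(): the single rule a consolidated password-change
   handler should enforce; the isflag argument is accepted but deliberately
   never consulted, so it cannot select a weaker verification path.
The log format "<ip> <METHOD> <path> body=<urlencoded> cookie=<value|->" is an
assumption for this example.
"""
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import parse_qs

ENDPOINT = "/fort/login/edit_pwd_mall"  # endpoint named in the advisory


@dataclass
class LogRecord:
    src_ip: str
    method: str
    path: str
    body: str                       # url-encoded form body
    session_cookie: Optional[str]   # None when no cookie was sent


def parse_log_line(line: str) -> LogRecord:
    """Parse one line in the assumed format (five space-separated fields)."""
    ip, method, path, body_field, cookie_field = line.split(" ", 4)
    body = body_field[len("body="):]
    cookie = cookie_field[len("cookie="):]
    return LogRecord(ip, method, path, body, None if cookie == "-" else cookie)


def find_reset_attempts(lines: List[str]) -> List[dict]:
    """Return one record per POST to ENDPOINT whose body sets isflag=true.

    'authenticated' is False when the request carried no session cookie,
    which is the condition the advisory describes (no session validation).
    """
    hits = []
    for line in lines:
        rec = parse_log_line(line)
        if rec.method != "POST" or rec.path != ENDPOINT:
            continue
        params = parse_qs(rec.body)
        if params.get("isflag", [""])[0].lower() != "true":
            continue
        hits.append({
            "src_ip": rec.src_ip,
            "account": params.get("account", ["?"])[0],
            "authenticated": rec.session_cookie is not None,
        })
    return hits


def authorize_password_change(session_user: Optional[str], account: str,
                              isflag: bool, original_password_ok: bool,
                              session_is_admin: bool = False) -> bool:
    """Consolidated authorization rule for every password-change request.

    isflag is intentionally unused: whatever the client sends, a valid session
    is required, a self-service change needs the original password, and only
    an administrator session may reset another account.
    """
    if session_user is None:
        return False                    # no session: never allowed
    if session_user == account:
        return original_password_ok     # own account: old password required
    return session_is_admin             # other account: admin session required


# Constructed sample log (RFC 5737 documentation addresses, made-up values).
SAMPLE_LOG = [
    "203.0.113.7 POST /fort/login/edit_pwd_mall body=isflag=true&account=admin&newpwd=X&repwd=X cookie=-",
    "198.51.100.4 POST /fort/login/edit_pwd_mall body=isflag=false&account=alice&oldpwd=Y&newpwd=Z&repwd=Z cookie=SESSIONID=abc",
    "192.0.2.9 GET /fort/login body= cookie=-",
    "198.51.100.4 POST /fort/login/edit_pwd_mall body=isflag=true&account=admin&newpwd=X&repwd=X cookie=SESSIONID=def",
]

if __name__ == "__main__":
    for hit in find_reset_attempts(SAMPLE_LOG):
        print(hit)
```

Run as a script it prints the two flagged requests; the first (no session cookie, target 'admin') is the pattern to alert on, while the second still deserves review because 'isflag=true' against another user's account should not occur in normal use.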

Added: Jan 22, 2026, 3:24 PM
Updated: Jan 22, 2026, 3:24 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 5.0
exploitability: 8.3
remediation: 0.0
relevance: 2.3
threat: 6.4
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.