Privilege Escalation via “Forgot your password” functionality
Summary
Name: Privilege Escalation via “Forgot your password” functionality
Product: EMSigner
Affected versions: EMSigner version 2.8.7
Affected Component: Forgot your password function. EndPoint /Areas/Login/PasswordRecovery and Web Parameter “Email”
Attack Type: Remote
Impact: Escalation of Privileges
CVSSv3.1 Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSSv3.1 Base Score: 8.8
CVE ID(s): CVE-2023-43902
Description
Incorrect access control in the Forgot Your Password function of EMSigner v2.8.7 allows unauthenticated attackers to access accounts of all registered users, including those with administrator privileges via a crafted password reset token.
Vulnerability
The “Privilege Escalation via ‘Forgot your Password’ functionality” vulnerability arises from insufficient access control in the application’s password reset process. The reset flow exposed at /Areas/Login/PasswordRecovery trusts the client-supplied Email parameter and does not bind the account being reset to the address that receives the reset link. A low-privileged user can therefore manipulate that parameter to obtain a reset for another account, including administrator accounts, and gain unauthorized access to it.
Attack Vectors
The vulnerability is exploited as an authentication bypass. An attacker with a low-privileged account triggers the “Forgot your password” functionality for a higher-privileged account, intercepts the request and tampers with the Email parameter so that the resulting reset link is delivered to an address they control. With that link the attacker sets a new password for the target account, including administrator accounts, which leads to unauthorized access to higher-privileged accounts and potential exposure of sensitive information.
Exploitation
During a web application assessment we tested an application built on emSigner, a document automation tool for digital signatures that replaces paper-based workflows.
The vulnerability and the steps to exploit it are summarized below.
A low-privileged user on the portal visits the “Forgot your password” page (see Figure 1) and triggers a reset for the test account je**.***.********@gmail.com.
Figure 1 Request forgot Password
After submitting the form and completing the process, the attacker receives a password reset link for je**.***.********@gmail.com, which allows them to set a new password for that account, as shown in Figure 2:
Figure 2 Password Reset Link
The consultants then opened the PasswordRecovery form (Figure 3). After triggering “Forgot your password” for the target account ([email protected]), they intercepted the request and changed the Email parameter to the attacker’s address, which caused the reset to be delivered to the attacker while still applying to the target account (see Figure 4).
Figure 3 Password Reset Link
Figure 4 Web Parameter Manipulation
The attacker can now log in to the application as the [email protected] user with the new credentials set during the password recovery process, gaining unauthorized access to that account and reading potentially sensitive information, as shown in Figure 5.
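The following is an added example, not EMSigner’s code and not part of the original advisory. It models the flow described in the attack vector and exploitation steps above: a reset token is issued for one account while a client-editable Email parameter decides where the link is delivered. EMSigner’s internals are not known, so the vulnerable class is an assumed reconstruction of the observable behaviour, the user store and addresses are constructed sample data, and an in-memory outbox stands in for email delivery. The hardened class beside it shows the check a reviewer would expect: the address that receives the link and the account the token resets come from one server-side lookup, and tokens are stored as keyed hashes, expire, and are single-use.

```python
import copy
import hashlib
import hmac
import secrets
import time

# Constructed sample user store; these are not real accounts.
SAMPLE_USERS = {
    "admin@example.com": {"password": "admin-initial", "role": "administrator"},
    "attacker@example.com": {"password": "attacker-initial", "role": "user"},
}


class VulnerableRecovery:
    """Assumed model of the flaw: the account to reset comes from the first
    step of the flow, but the address the link is mailed to comes from a
    client-editable Email parameter, so the two can be split by the client."""

    def __init__(self):
        self.users = copy.deepcopy(SAMPLE_USERS)
        self.tokens = {}   # reset token -> account it resets
        self.outbox = {}   # mail address -> tokens "delivered" to it

    def request_reset(self, account, deliver_to):
        token = secrets.token_urlsafe(32)
        self.tokens[token] = account                          # valid for `account`...
        self.outbox.setdefault(deliver_to, []).append(token)  # ...but mailed elsewhere

    def reset_password(self, token, new_password):
        account = self.tokens.pop(token, None)
        if account is None:
            return False
        self.users[account]["password"] = new_password
        return True


class HardenedRecovery:
    """The address that receives the link and the account the token resets are
    one server-side lookup, so no request parameter can separate them. Tokens
    are stored as keyed hashes, expire, and are single-use; the response is
    identical for unknown addresses so the endpoint does not enumerate users."""

    TTL = 15 * 60  # seconds a reset link stays valid

    def __init__(self, server_secret):
        self.users = copy.deepcopy(SAMPLE_USERS)
        self.secret = server_secret
        self.pending = {}  # HMAC(token) -> (account, expiry)
        self.outbox = {}

    def _digest(self, token):
        return hmac.new(self.secret, token.encode(), hashlib.sha256).hexdigest()

    def request_reset(self, email, now=None):
        now = time.time() if now is None else now
        if email in self.users:  # unknown addresses are silently ignored
            token = secrets.token_urlsafe(32)
            self.pending[self._digest(token)] = (email, now + self.TTL)
            self.outbox.setdefault(email, []).append(token)
        return "If that address is registered, a reset link has been sent."

    def reset_password(self, token, new_password, now=None):
        now = time.time() if now is None else now
        entry = self.pending.pop(self._digest(token), None)  # pop: single use
        if entry is None:
            return False
        account, expiry = entry
        if now > expiry:
            return False
        self.users[account]["password"] = new_password
        return True


def run_attack(recovery, target="admin@example.com", attacker="attacker@example.com"):
    """Replays the advisory's steps: trigger a reset for `target`, tamper the
    Email parameter to `attacker`, then use whatever lands in the attacker's
    inbox. Returns True when the attacker ends up controlling `target`."""
    if isinstance(recovery, VulnerableRecovery):
        recovery.request_reset(account=target, deliver_to=attacker)
    else:
        # Against the hardened flow the tampered value can only name the
        # attacker's own account; the target account is never touched.
        recovery.request_reset(attacker)
    for token in recovery.outbox.get(attacker, []):
        recovery.reset_password(token, "chosen-by-attacker")
    return recovery.users[target]["password"] == "chosen-by-attacker"


if __name__ == "__main__":
    print("vulnerable flow, admin compromised:", run_attack(VulnerableRecovery()))
    print("hardened flow, admin compromised:  ", run_attack(HardenedRecovery(b"server-secret")))
```

When testing a real reset endpoint, the same check applies: submit a reset for account A, change every address-like parameter in the intercepted request to an inbox you control, and confirm that any link you receive does not change A’s credentials.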
Remediation
Upgrade from version 2.8.7 to the updated release of EMSigner available from the vendor page (https://www.emsigner.com/).
Credits
The vulnerability was discovered by Jean Paul Granados of SecPro (https://secpro.co/, https://secpro.llc/).
References
Vendor page: https://www.emsigner.com/
CVE record: https://nvd.nist.gov/vuln/detail/CVE-2023-43902
Timeline
2023-02-27: Vulnerability discovered.
2023-05-08: Vendor contacted.
2023-05-24: Vendor replied acknowledging the report.
2023-09-01: Vulnerability patched.
2023-10-27: Public disclosure.
Contact us
+57 313 3509315
SecPro Colombia: Calle 100 No 10-59 Oficina 301 Bogotá, Colombia.
SecPro USA: 2034 Eisenhower Ave. # 170, Alexandria ,VA
SecPro Panamá: Calle Isaac Hanono Missri 1126, Torre 1000, Piso 49, Of. V33, Punta Pacífica - Ciudad de Panamá.
Monday to Friday: 8am - 6pm