Integria IMS Account Takeover: Predictable MD5 Reset Hashes and Brute-Force

Here is the key information about the vulnerability from the webpage screenshot: Vulnerability Type: Account Takeover Affected Product: Integria IMS Community Edition - Product Description: Integria IMS is a PHP-based IT helpdesk management system Vulnerability Description: During the password reset process, an attacker only needs to know the username to take over any user account - Specific Issues: - Very limited MD5 hash space: For any given user, the generated MD5 hash is limited to only 100 possible values - No protection against brute-force attacks on the hash submission page Vulnerability Details: The hash generation code snippet is as follows: - The hash accepts only three inputs: - The value of - A random number between 0 and 100 - The variable (which is actually the username) - For internal attackers, after learning the organization’s username scheme, they can enumerate other users’ usernames - For external attackers, while username enumeration is also possible, the default admin account (username 'admin') enabled on Integria servers makes it a common target across Integria deployments - The random number provides minimal protection, as generating 100 MD5 hashes requires negligible computational effort - The value is actually the HTML title on the login page, visible to unauthenticated users, thus offering little defense against brute-force attacks Defense Measures Tested: - The author wrote a script to generate 100 password reset hashes for a test account and automatically submit them to the server; however, the server did not block further hash submission attempts after multiple incorrect submissions Vulnerability Fix: At the time of writing, the vulnerability had been patched and Integria deployments had been updated, so it should already be fixed; however, if an outdated Integria server is in use and the default admin account is enabled, the server may still be vulnerable to takeover Summary: The author thanks the Integria team for their prompt response and plans to release proof-of-concept code and links

Goal Reached Thanks to every supporter — we hit 100%!

Integria IMS Account Takeover: Predictable MD5 Reset Hashes and Brute-Force