hackeronePll25H1:1990338
History: May 17, 2023 - 3:33 a.m.

U.S. Dept Of Defense: Leaks of username and password leads to CVE-2018-18862 exploitation

2023-05-17 03:33:45
pll25
hackerone.com
dod
security breach
user credentials
cve-2018-18862
exploitation
mitigation
remedy itsm
bug bounty

CVSS3: 8.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS2: 6.5 Medium
Access Vector: NETWORK
Access Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
AV:N/AC:L/Au:S/C:P/I:P/A:P

EPSS: 0.005 Low
Percentile: 73.6%

Hi DoD Team,
I hope you are doing well today.

This is a follow-up to my November 15th 2022 report, number #1775217 (https://hackerone.com/reports/1775217).
With all respect and to be clear, I don’t want to push too hard or be annoying about this, and feel free to tell me if you don’t want or need to take action on it.

Since my report #1775217 was left unanswered, I felt I should open a new one, as I feel this is a serious matter.

>>Recap of my last report:
>>On November 15th 2022: I opened a report describing how I had found a set of credentials publicly exposed from an ITSM system indexed in search engines.
>>On November 16th 2022: I had a reply telling me that the credentials were valid but didn’t have any rights on the system, so there was no impact.
>>On November 17th 2022: I had found another set of credentials exposed and I was able to successfully exploit CVE-2018-18862 from this.
>>This was left unanswered.
>>On February 12th 2023: The website was down and I left my report as such.
>>See https://hackerone.com/reports/1775217 for all the details.

Today, to my surprise and while doing other searches, I stumbled across this website again.
I would like to reiterate the following:

>Today, May 16th 2023, the set of credentials I had found at the time are still working:
>>Username: ████
>>Password: ███

>>Username: ████████
>>Password: ██████████

See screenshot 3, taken on May 16th 2023, the “█████████” credentials are still exposed.
█████

Here is the login page: https://████████/███████/shared/login.jsp

Today, May 16th 2023, I can still successfully exploit CVE-2018-18862 (Incorrect access control).

I decided to re-open the report for the following reasons:
-I thought about it for a long time; since on my prior report I didn’t get any reply after the successful CVE exploitation and the new set of credentials found, I judged it was worth having a second look.
-Also, I thought the system was down, but today I found out it was not.

In all good faith.
Best regards.

~pll25

References

https://nvd.nist.gov/vuln/detail/CVE-2018-18862

Impact

-An attacker can access the system with the rights of these users.
-I was able to list Roles.
-I am potentially able to create/read reports and probably do more, but I stopped there because the POC is already proven.
-2 sets of credentials, including valid usernames and passwords, were leaked from this system on November 15th 2022.

System Host(s)

https://███████

Affected Product(s) and Version(s)

BMC Remedy version unknown

CVE Numbers

CVE-2018-18862 - (CVSS v3.0 score: 8.8 (HIGH), vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

Steps to Reproduce

Step 1:
Let’s say we use the account “██████████”.
Log in with the username and password on this page: https://██████/███/shared/login.jsp
(Screenshot 1 from November 15th describes how I was able to obtain it.)
███

Step 2:
You should land on an error web page telling you that the file doesn’t exist.
The landing URL should look like this:
>>███████/█████/forms/arpcp/arpc:web:retirementsapplicationsubmission/default+administrator+view/$external%20report%20server%20url_glb$retirementapplication&rs:command=render&preportinstanceid=$536871212$&rs:format=pdf

Step 3:
Here we can exploit CVE-2018-18862: replace all the text after /forms/arpc/ (the part of the URL in bold above) with:
>>/User/Default+Admin+View1/

Step 4:
You will now have access to the whole Remedy ITSM system.
From there you have successfully exploited CVE-2018-18862.

I was able to list Roles.
I am potentially able to create/read reports and probably do more, but I stopped there because the POC is already proven.

Suggested Mitigation/Remediation Actions

  • Change affected passwords.
  • Migrate the system to a new unaffected version.
  • Apply the vendor workarounds if possible.
