Thursday, July 7, 2011

ServiceDesk security, or rapid penetration testing

In penetration testing, Positive Research experts regularly encounter enterprise web-based solutions located inside a corporate network or on its perimeter. ServiceDesk applications, ERP and billing systems are typical examples. The tendency «all requests via port 80» usually leads to situations where applications designed for internal networks end up published on the Internet.

Today we pay special attention to the ManageEngine ServiceDesk user support application, which PT experts first noted in November 2010 during a penetration test at a large company. ManageEngine ServiceDesk is commercial Java-based software that automates technical support functions according to ITIL/ITSM recommendations.

We identified the solution on the network front end and tried to find details about associated vulnerabilities in public sources, but found nothing. To reduce the impact on the network under test, we used the vendor’s evaluation version for further research.

We installed the system on our test machine and detected several vulnerabilities via fuzzing and manual analysis (http://www.ptsecurity.ru/advisory1.aspx):
- Arbitrary command execution in ManageEngine ServiceDesk Plus 8.0.0
- Information disclosure in ManageEngine ServiceDesk Plus 8.0.0
- Root path traversal in ManageEngine ServiceDesk Plus 8.0.0


In line with the PT disclosure policy, we prepared and sent the appropriate notifications to the vendor. As one of the vulnerabilities was described on 23 June 2011 on the popular resource exploit-db.com (ManageEngine Service Desk Plus 8.0 Directory Traversal Vulnerability), Positive Research Team published its details.

The vulnerability is found in the FileDownload.jsp script, which lets users download files from the server. It allows an attacker to conduct a path traversal attack and obtain the contents of files located outside the ServiceDesk web directory. The vulnerability is especially dangerous because the FileDownload.jsp functions are accessible to unauthenticated users. Distribution kits for different OSes are vulnerable: on Windows, an attacker can retrieve any file on the system logical disk; on Unix-like systems, an attacker can retrieve any file that the user who started the application has rights to read.
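The defensive counterpart to the FileDownload.jsp issue is a download handler that refuses to serve anything outside its document root. The Python below is an added illustration and not ServiceDesk code: `WEB_ROOT` is an assumed path, `resolve_unsafe` shows the classic join-without-check pattern that produces exactly this class of bug, and `resolve_safe` repeatedly URL-decodes the request, normalises backslashes (the page notes that Windows kits are affected too) and verifies with `realpath` that the result still lies under the root.

```python
import os
from urllib.parse import unquote

# Assumed document root for illustration; the real ServiceDesk layout is not given on the page.
WEB_ROOT = "/opt/servicedesk/webapps/root"


def resolve_unsafe(base, requested):
    """Vulnerable pattern: the user-supplied name is joined onto the base
    directory and the result is used as-is, so '..' segments walk out of it."""
    return os.path.normpath(os.path.join(base, requested))


def resolve_safe(base, requested):
    """Return an absolute path under `base`, or None if the request must be refused."""
    # 1. Decode repeatedly so %2e%2e%2f and double-encoded variants become visible as '..'.
    decoded = requested
    for _ in range(3):
        once = unquote(decoded)
        if once == decoded:
            break
        decoded = once
    # 2. Treat backslashes as separators: on Windows both forms traverse directories.
    decoded = decoded.replace("\\", "/")
    # 3. Reject NUL bytes (truncation tricks) and absolute paths outright.
    if "\x00" in decoded or decoded.startswith("/"):
        return None
    # 4. Resolve symlinks and '..' on both sides, then require containment.
    base_real = os.path.realpath(base)
    target = os.path.realpath(os.path.join(base_real, decoded))
    try:
        if os.path.commonpath([base_real, target]) != base_real:
            return None
    except ValueError:  # mixed absolute/relative or different drives
        return None
    if target == base_real:
        return None  # the root directory itself is not a downloadable file
    return target
```

The containment check must run on the fully resolved path, not on the raw string: string-level filters that only strip `../` are defeated by encoding and by symlinks placed under the root.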

The vulnerability was used in penetration testing to read ManageEngine ServiceDesk backup files.

Like any enterprise-level application, ManageEngine ServiceDesk has a backup feature (according to ITIL principles ;)).

Given the system’s purpose, it is easy to see that backup copies contain a lot of sensitive data, such as identifiers and user passwords for LDAP/Active Directory/network devices, SNMP community strings, etc.

We analyzed the backup architecture implemented in ManageEngine ServiceDesk and found that backup files are stored in the /backup/ folder and have names like 'database_DD_MM_YYYY_HH_MM.data' for a backup of the database contents and 'fullbackup_DD_MM_YYYY_HH_MM.data' for a backup that also includes user files.

The simplest way to conduct the attack is brute force, but we chose another method. The more efficient option, analysis of the ManageEngine system logs, was chosen to save electricity (yes, we are Greenpeace followers). We quickly found the details of the backup procedure in the retrieved files. Below you can find the exploit that allows you to conduct the attack.
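From the defender's side, the same two facts the attack relies on, traversal sequences sent to FileDownload.jsp and requests for files matching the backup naming scheme above, make a compact web-log detection rule. The Python below is an added example, not part of the original post or of the ServiceDesk product: the access-log lines are constructed, the `/FileDownload.jsp` path and the `name` query parameter are placeholders (the page does not give the real parameter), and only the backup file name pattern comes from the page.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Apache-style access log format; not traffic from any real system.
# URL path and "name" parameter are placeholders, not the real ServiceDesk request format.
SAMPLE_LOG = """\
10.0.0.5 - - [07/Jul/2011:10:01:02 +0400] "GET /FileDownload.jsp?name=report.pdf HTTP/1.1" 200 5120
10.0.0.9 - - [07/Jul/2011:10:01:07 +0400] "GET /FileDownload.jsp?name=..%5c..%5cbackup%5cdatabase_06_07_2011_02_00.data HTTP/1.1" 200 7340032
10.0.0.9 - - [07/Jul/2011:10:01:09 +0400] "GET /FileDownload.jsp?name=%252e%252e%252fetc%252fpasswd HTTP/1.1" 404 219
10.0.0.7 - - [07/Jul/2011:10:02:00 +0400] "GET /index.html HTTP/1.1" 200 1024
"""

REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)
# Backup naming scheme described on the page: database_/fullbackup_DD_MM_YYYY_HH_MM.data
BACKUP_RE = re.compile(r'(database|fullbackup)_\d{2}_\d{2}_\d{4}_\d{2}_\d{2}\.data', re.I)


def full_decode(value, rounds=3):
    """URL-decode repeatedly so double-encoded sequences are normalised."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify(url):
    """Return the list of reasons a FileDownload.jsp request looks malicious (empty if benign)."""
    path, _, query = url.partition("?")
    if not path.lower().endswith("/filedownload.jsp"):
        return []
    decoded = full_decode(query).replace("\\", "/")
    reasons = []
    if "../" in decoded:
        reasons.append("path traversal")
    if BACKUP_RE.search(decoded):
        reasons.append("backup file requested")
    return reasons


def scan_log(text):
    """Parse access-log lines and return one finding per suspicious request."""
    findings = []
    for line in text.splitlines():
        match = REQUEST_RE.match(line)
        if not match:
            continue
        reasons = classify(match.group("url"))
        if reasons:
            findings.append({
                "ip": match.group("ip"),
                "status": int(match.group("status")),
                "url": match.group("url"),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding["ip"], finding["status"], ", ".join(finding["reasons"]), finding["url"])
```

Note the status code in the findings: a 200 with a large response size on a traversal request is the case that needs incident handling, while the 404s show an attacker probing. Because the backup names embed the date and time, an alert on any request for that pattern from an unauthenticated session is a high-confidence signal regardless of whether the traversal itself succeeded.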

Exploit for ServiceDesk v *.* OS: Windows



The most valuable data, such as Active Directory user passwords, is stored encrypted in the ManageEngine ServiceDesk application database. Of course, the encryption is reversible, meaning there is a method to recover the source data. Below you can find code that can be used to restore the passwords.

ServiceDesk Password Encoder

So, to sum up: a privileged user account is used for data synchronization between ManageEngine ServiceDesk and Active Directory (the data is stored in the tables domainlogininfo (domain user login) and passwordinfo (domain user password)), the application web interface is available from the Internet, and once the ManageEngine ServiceDesk application is detected the penetration test lasts no more than 5 minutes.

The directory traversal vulnerability is fixed in ManageEngine ServiceDesk 8_0_0_SP-0_12_0, which is available on the vendor’s site (http://www.manageengine.com/products/service-desk/). The vendor plans to fix the other vulnerabilities soon.
