Menu

Search for hundreds of thousands of exploits

"ManageEngine ServiceDesk Plus 9.0 - Authentication Bypass"

Author

Exploit author

ByteM3

Platform

Exploit platform

java

Release date

Exploit published date

2017-05-19

Download file

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
Title: ManageEngine ServiceDesk Plus Application Compromise
Date: 19 May 2017
Researcher: Steven Lackey (ByteM3)
Product: ServiceDesk Plus (http://www.manageengine.com/)
Affected Version: 9.0 (Other versions could also be affected)
Fixed Version: Service Pack 9241  Build 9.2
Vulnerability Impact: High
Published Date:
Email: bytem3 [at] bytem3.com <http://cyberdefensetechnologies.com/>

Product Introduction
===============

ServiceDesk Plus is ITIL-ready help desk software with integrated Assetand
Project Management capabilities.

With advanced ITSM functionality and easy-to-use capability, ServiceDesk
Plus helps IT support teams deliver

world-class service to end users with reduced costs and complexity. It
comes in three editions and is available

in 29 different languages. Over 100,000 organizations, across 185
countries, trust ServiceDesk Plus to optimize

IT service desk performance and achieve high end user satisfaction.

Source: https://www.manageengine.com/products/service-desk/

Vulnerability Information
==================

Class: Backdoor
Impact: Account and Application Compromise
Remotely Exploitable: Yes
Authentication Required: Yes
User interaction required: Yes
CVE Name: N/A


Vulnerability Description
===================

A valid username can be used as both username/password to login and
compromise the application through the /mc/ directory which is the
mobile client directory. This can be achieved ONLY if Active
Directory/LDAP is being used.

This flaw exists because of the lack of password randomization in the
application version 9.0 when a user is entered into the application, thus
the application assigns the password as the username. The flaw can then be
exploited by logging into the application through the /mc directory and
then backing out of the /mc directory by deleting it from the URL thus
positioning you in the main application with the authority of the user you
logged in as. (Help locating a valid username can come from another
discovered vulnerability in this same version of software here:
https://www.exploit-db.com/exploits/35891/ - with credit to Muhammad Ahmed
Siddiqui for discovering how to enumerate usernames)


Proof-of-Concept Authenticated User
============================

An attacker can use the following URL to login to the mobile client with
any workstation:

http://server/mc/

Use the discovered username in both the username and password fields.
Ensure the Is AD Auth box is checked and click login.


Once logged in, remove /mc/ from the URL and you will be presented with
the full application and the authorities of the user you just logged in
with.


You can now continue to look for usernames inside the application until a
user with administrative privileges has been discovered and can compromise
with administrative authority. Please note, ServiceDesk Plus has the
ability to scan machines on any available network it can see, meaning,
system accounts are typically entered into the application to keep an
inventory of machines that ServiceDesk can manage. It is possible to
compromise not only the hosting machine for this application, however, the
entire network as I did on the Penetration Test where I discovered this
backdoor.


Vendor Response
=======

I have contacted the vendor and they advised they have fixed this
particular issue with a new service pack 9241, however, this insanely
vulnerability is still out there, as this scenario has not been published
as of yet, other than the vendors statement on their 9.2 Release readme
webpage (https://www.manageengine.com/products/service-desk/readme-9.2.html)
and email to me here:


FIX: PATCH *SD-61664 :* Based on Database configuration, an option to set
the LocalAuthentication password as Random or predefined, for the users
added through ActiveDirectory (AD), LDAP, Dynamic user addition, users
created via e-mail Requests has been provided. Make sure that the
notification under Admin >> Notification Rules >> Send Self-service login
details is enabled before performing the import so that LA user details
will be notified to users through email.


Timeline
=======

18-Apr-2017  Notification to Vendor
19-Apr-2017  Response from Vendor
31-Jan-2017  Vulnerability fixed by Vendor
19-May-2017  Still no clear publication on this backdoor
Release Date Title Type Platform Author
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" webapps php "Mufaddal Masalawala"
2020-12-02 "Ksix Zigbee Devices - Playback Protection Bypass (PoC)" remote multiple "Alejandro Vazquez Vazquez"
2020-12-02 "Mitel mitel-cs018 - Call Data Information Disclosure" remote linux "Andrea Intilangelo"
2020-12-02 "DotCMS 20.11 - Stored Cross-Site Scripting" webapps multiple "Hardik Solanki"
2020-12-02 "Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile" webapps multiple "Shahrukh Iqbal Mirza"
2020-12-02 "ChurchCRM 4.2.0 - CSV/Formula Injection" webapps multiple "Mufaddal Masalawala"
2020-12-02 "ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)" webapps multiple "Mufaddal Masalawala"
2020-12-02 "NewsLister - Authenticated Persistent Cross-Site Scripting" webapps multiple "Emre Aslan"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
Release Date Title Type Platform Author
2020-11-02 "Apache Flink 1.9.x - File Upload RCE (Unauthenticated)" webapps java bigger.wing
2020-10-29 "WebLogic Server 10.3.6.0.0 / 12.1.3.0.0 / 12.2.1.3.0 / 12.2.1.4.0 / 14.1.1.0.0 - Unauthenticated RCE via GET request" webapps java "Mohammed Althibyani"
2020-10-20 "Apache Struts 2 - DefaultActionMapper Prefixes OGNL Code Execution" webapps java "Jonatas Fil"
2020-10-19 "Jenkins 2.63 - Sandbox bypass in pipeline: Groovy plug-in" webapps java "Daniel Morris"
2020-09-09 "Scopia XT Desktop 8.3.915.4 - Cross-Site Request Forgery (change admin password)" webapps java V1n1v131r4
2020-09-07 "ManageEngine Applications Manager 14700 - Remote Code Execution (Authenticated)" webapps java Hodorsec
2020-08-10 "ManageEngine ADSelfService Build prior to 6003 - Remote Code Execution (Unauthenticated)" webapps java "Bhadresh Patel"
2020-07-26 "ManageEngine Applications Manager 13 - 'MenuHandlerServlet' SQL Injection" webapps java aldorm
2020-07-07 "Exhibitor Web UI 1.7.1 - Remote Code Execution" webapps java "Logan Sanderson"
2020-06-04 "VMWAre vCloud Director 9.7.0.15498291 - Remote Code Execution" webapps java "Tomas Melicher"
Release Date Title Type Platform Author
2017-05-19 "ManageEngine ServiceDesk Plus 9.0 - Authentication Bypass" webapps java ByteM3 
import requests
response = requests.get('http://127.0.0.1:8181?format=json')

For full documentation follow the link above

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Cipher Protocols Sigalg Trusted

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Host WAF detected