Undocumented password reset and admin takeover & Cross-Site Scripting vulnerabilities

SEC Consult Vulnerability Lab Security Advisory < 20130904-0 >
=======================================================================
title: Undocumented password reset and admin takeover &
       Cross-Site Scripting vulnerabilities
product: GroupLink everything HelpDesk
vulnerable version: <=10.0.3
fixed version: -
impact: Critical
homepage: www.grouplink.com
found: 2013-07-10
by: V. Paulikas, J. Greil
    SEC Consult Vulnerability Lab
    www.sec-consult.com
=======================================================================

Vendor description:
-------------------
"everything HelpDesk by GroupLink was designed as an all in one solution
for any department in your organization. This solution enables departments
to track, automate, and report on incident resolution, change management,
and business processes in IT, Human Resources, Facilities Maintenance,
Development, Purchasing Departments and more."

www.grouplink.com


Business recommendation:
------------------------
By exploiting the undocumented password reset vulnerability, an
_unauthenticated_ attacker can gain administrative access to the affected
HelpDesk system very easily and access sensitive internal information of the
company, such as all tickets, user accounts, configuration/passwords in clear
text (e.g. database credentials), the knowledge base, etc.

It is highly recommended not to use this software until a thorough security
review has been performed by security professionals. As a workaround, the
software should not be accessible from the Internet. Limit access to
trusted internal users only.

It is assumed that further critical vulnerabilities exist, as only a very
short sample test has been performed.


Vulnerability overview/description:
-----------------------------------
1) Cross-Site Scripting

The web application is prone to unauthenticated reflected Cross-Site Scripting
attacks. The vulnerability can be used to inject HTML or JavaScript code into
the affected web page. The code is executed in the browser of any user who
visits the manipulated URL.


2) Undocumented / insecure password reset function

The web application normally allows resetting a user's password by
supplying the email address of that user. If a specific static, easily
guessable string is passed instead of the user email, the password of the
admin user is reset to a default value which is publicly known/documented.

After the password reset procedure an unauthenticated, anonymous attacker is
able to access the administrative panel of the HelpDesk web application with
the highest access rights. Attackers then gain access to highly sensitive
information depending on the usage of the helpdesk system (internal tickets,
user database, configuration/passwords in clear text (e.g. database
credentials), knowledge base information, etc.).



Proof of concept:
-----------------
1) Cross-Site Scripting
Cross-Site Scripting vulnerabilities can be exploited by tricking the user
into accessing a specially crafted URL. This vulnerability was identified in
the scripts listed below:
/j_acegi_security_check (unauthenticated, in login page)
/config/assignments (authenticated only)

Proof of concept URLs have been removed as the vendor did not supply any
patches.


2) Undocumented / insecure password reset function
In order to exploit the insecure password reset function it is sufficient
to supply a certain easily guessable string as the email address. This
information has been removed from the advisory, as the vendor did not supply
any patches.

The password of the administrative account "admin" is then set to the default
value "admin", which can be used for login afterwards.

The URL of the password reset function:
http[s]://www.example.com/ehelpdesk/resetPassword.aglml


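As an added example (not part of the SEC Consult advisory and not GroupLink code), the following Python detection logic scans constructed access-log lines for the abuse pattern described above: a reset request on resetPassword.aglml whose identifier is not an e-mail address, a reset request arriving from outside trusted networks, and a login on j_acegi_security_check from the same address shortly afterwards. It assumes the submitted identifier appears in the log as a query parameter named "email" (hypothetical), assumes 10.0.0.0/8 and 192.168.0.0/16 as the trusted internal ranges, and stands in for the withheld trigger string with an obvious placeholder.

```python
import ipaddress
import re
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

RESET_PATH = "/ehelpdesk/resetPassword.aglml"    # reset endpoint named in the advisory
LOGIN_PATH = "/ehelpdesk/j_acegi_security_check"  # login check named in the advisory
# Assumed trusted internal ranges; the advisory's workaround is to allow no Internet access.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) \S+" (?P<status>\d{3})')
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Constructed sample log, not from the advisory. The withheld trigger string is
# represented by an obvious placeholder; the "email" query parameter name is assumed.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Jul/2013:09:01:10 +0200] "POST /ehelpdesk/resetPassword.aglml?email=alice%40example.com HTTP/1.1" 200 512
203.0.113.7 - - [10/Jul/2013:09:05:02 +0200] "POST /ehelpdesk/resetPassword.aglml?email=WITHHELD_TRIGGER_PLACEHOLDER HTTP/1.1" 200 498
203.0.113.7 - - [10/Jul/2013:09:06:30 +0200] "POST /ehelpdesk/j_acegi_security_check HTTP/1.1" 302 0
10.0.0.9 - - [10/Jul/2013:09:20:00 +0200] "GET /ehelpdesk/config/assignments HTTP/1.1" 200 2048
"""

def parse_line(line):
    """Parse one common-log-format line into a dict; return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    parts = urlsplit(rec["url"])
    rec["path"] = parts.path
    rec["email"] = parse_qs(parts.query).get("email", [None])[0]
    return rec

def find_reset_abuse(log_text, window=timedelta(minutes=10)):
    """Return (kind, ip, value) findings: a reset request whose identifier is not an
    e-mail address, a reset request from outside the trusted networks, and a login
    from the same IP within `window` after a non-e-mail reset (possible admin takeover)."""
    findings, suspicious = [], {}   # suspicious: ip -> time of its last non-e-mail reset
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        if rec["path"] == RESET_PATH:
            if not any(ipaddress.ip_address(rec["ip"]) in net for net in TRUSTED_NETS):
                findings.append(("external_reset", rec["ip"], rec["email"]))
            if rec["email"] is None or not EMAIL_RE.match(rec["email"]):
                findings.append(("non_email_reset", rec["ip"], rec["email"]))
                suspicious[rec["ip"]] = rec["ts"]
        elif rec["path"] == LOGIN_PATH and rec["ip"] in suspicious:
            if rec["ts"] - suspicious[rec["ip"]] <= window:
                findings.append(("reset_then_login", rec["ip"], None))
    return findings
```

Running find_reset_abuse(SAMPLE_LOG) flags the external, non-e-mail reset from 203.0.113.7 and the login that follows it within the window, while the legitimate internal reset and the later authenticated request are not reported.
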
Vulnerable / tested versions:
-----------------------------
The vulnerabilities have been verified to exist in everything HelpDesk version
10.0.3, which was the most recent version at the time of discovery.


Vendor contact timeline:
------------------------
2013-07-17: Contacting vendor through info@grouplink.net &
            support@grouplink.net, asking for security contact
2013-07-17: Auto-reply of ticket system, ticket automatically closed as SPAM
2013-07-18: Requesting security contact again, via their ticket (helpdesk)
            system
2013-07-24: Still no reply, sending deadline (4th September) of security
            advisory release to info@grouplink.net, support@grouplink.net,
            sales@grouplink.net and multiple other contact email addresses
            that we automatically received from their ticket system
2013-07-24: Vendor response, accusing us of phishing/spamming
            Still no security contact provided, asking again, giving deadline
            for vendor response (2013-07-30)
2013-07-25: Vendor HelpDesk ticket has been set to "closed"
2013-07-31: Telling vendor that security vulnerability will be published on
            4th September (no response)
2013-08-14: Answer from Grouplink, asking for advisory details
2013-08-21: Sending advisory details
2013-08-27: Vendor: "undocumented reset admin feature has been removed" and
            XSS fixed in next maintenance release (10.0.4) due to "next week"
2013-09-04: Public release of security advisory



Solution:
---------
No vendor patches are available yet. Upgrade to version 10.0.4 as soon
as it is released.


Workaround:
-----------
Restrict access to the software as much as possible: allow access only for
trusted internal users and never from the Internet.



Advisory URL:
-------------
www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab

SEC Consult
Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius

Headquarters:
Mooslackengasse 17, 1190 Vienna, Austria
Phone: +43 1 8903043 0
Fax: +43 1 8903043 15

Mail: research at sec-consult dot com
Web: www.sec-consult.com
Blog: blog.sec-consult.com
Twitter: twitter.com/sec_consult

EOF V. Paulikas, J. Greil / @2013