exploit the possibilities

OTRS Install Dialog Disclosure

OTRS Install Dialog Disclosure
Posted Jun 8, 2017
Authored by Sebastian Auwarter

Due to insufficient checking of privileges, it is possible to access the OTRS Install dialog of an already installed instance, which enables an authenticated attacker to change the database settings, superuser password, mail server settings, log file location and other parameters. Versions affected include OTRS 5.0.x, OTRS 4.0.x, and OTRS 3.3.x.

tags | exploit
advisories | CVE-2017-9324
MD5 | efafc0e41477df3d84615060123f01b0

OTRS Install Dialog Disclosure

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID: SYSS-2017-018
Product: OTRS
Manufacturer: OTRS
Affected Version(s): OTRS 5.0.x, OTRS 4.0.x, OTRS 3.3.x
Fixed Version(s): OTRS 5.0.20, OTRS 4.0.24, OTRS 3.3.17
Tested Version(s): 5.0.19
Vulnerability Type: Access to Installation Dialog
Risk Level: High
Solution Status: Fixed
Manufacturer Notification: 2017-05-30
Solution Date: 2017-06-06
Public Disclosure: 2017-06-08
CVE Reference: CVE-2017-9324
Author of Advisory: Sebastian Auwarter, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

OTRS is a ticket management system.

The manufacturer describes the product as follows (see [1]):

"OTRS is one of the most flexible web-based ticketing systems used for
Customer Service, Help Desk, IT Service Management. With a fast
implementation and easy customization to your needs it helps you
reducing costs and increasing the efficiency and transparency of your
business communication."

Due to insufficient checking of privileges, it is possible to access
the OTRS Install dialog of an already installed instance, which enables
an authenticated attacker to change the database settings, superuser
password, mail server settings, log file location and other parameters.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The recommended way to install OTRS is to use the installation dialog
found at http://vulnerablehost/otrs/installer.pl. After successful
installation, OTRS prevents further use of this installer. Any
authenticated user can access the installation functionality of OTRS
by referencing the installer via a crafted url. The URLs that can be
used to access the installer can be one of the following:

* http://vulnerablehost/otrs/index.pl?Action=Installer
* http://vulnerablehost/otrs/index.pl?Action=Installer;Subaction=Intro
* http://vulnerablehost/otrs/index.pl?Action=Installer;Subaction=Start
* http://vulnerablehost/otrs/index.pl?Action=Installer;Subaction=System

At the end of each "installation" step, the user is redirected to the
start page. Therefore, the next step of the installation dialog must be
called directly using the Intro, Start (Database) or System subaction,
respectively.

By Using the installer tool, an attacker can change a variety of
parameters, including the superuser password, database settings, mail
server settings, log file location and instance ID.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

On a newly installed instance of OTRS, logged in as any valid user,
navigate to index.pl?Action=Installer;Subaction=Start to change the
database parameters or to index.pl?Action=Installer;Subaction=System to
get a superuser password.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

This vulnerability is fixed in the latest versions of OTRS, and it is
recommended to upgrade to the latest patch level.

Fixed releases can be found at:

https://www.otrs.com/category/release-and-security-notes-en/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2017-05-30: Vulnerability discovered
2017-05-30: Vulnerability reported to manufacturer by project member
2017-06-06: Vulnerability reported to manufacturer via security
advisory
2017-06-06: Fix provided by manufacturer
2017-06-06: Vulnerability disclosed by manufacturer
2017-06-08: Public release of the security advisory

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for OTRS
https://www.otrs.com/
[2] SySS Security Advisory SYSS-2017-018
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2017-018.txt
[3] SySS Responsible Disclosure Policy
https://www.syss.de/en/news/responsible-disclosure-policy/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Sebastian Auwarter of SySS
GmbH.

E-Mail: sebastian-auwaerter@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Sebastian_Auwaerter.asc
Key Fingerprint: F98C 3E12 6713 19D9 9E2F BE3E E9A3 0D48 E2F0 A8B6

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS Web
site.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCgAGBQJZORr6AAoJEOmjDUji8Ki2Lt0P/iZ6DLr1ezWAhEHLxEdsrmGT
OTpXaT3ANvvzWf4HH5NsIF/Q+kZAymNsW53MXxLJA0wZCj9t5cKR4UHptgd83W0h
oNe3yOnYWPMf0L25PqNBy0wWVLLKL2Zme3xhSEYiEmbOCYERjr6IeX5td1i+PwwC
wOkrYt/98o+XwtkMk25QyrQ0/IypNescPX2wj6zkOHkv0FcZUDsrAyOPFYBEyQ9q
7VUnNnUZlZK5h8hJZQ63c+5I/Ql5FxqtzPdkiZeYkj3oavaipWTKm2goCFzU8fA1
V1V5/ohQNd1Rk5sH+0NtC3KIMhbCA2hmH586jyDAgtZg6oRPXrHM4wFZE2SICKWy
HeXIc1HUs6cvPFkFaxTNFL3Grb5NBuDBGxgwC7IQQ23pR3vYU3ckXC7UOj69sYSS
bvGtcleYU17J7ND3YgQeVzMr58S/9i/mhZ/ya4WIGCp+9zh4YZiKzGK0PqFON+nn
OQrQBLTwwTZz/VJJyWeaNWc7m4R4BXwi/BeYlAV3t51srWwCUV23NxDEXjKu4TZ7
0f93N0qYcSpVi0CIwPtA5IDTVNhOWSLzeco1zitJvDq5V9l4gbyAISXOFV12RxSh
cduM6hUc6ALp1UziHQRpD8xUhFbF03WVysN5wHXrM9+d+TaVZ92KOaCv6VIWDVBh
63bQpoUQZ8L4LfzusTTl
=EuyE
-----END PGP SIGNATURE-----

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

July 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    34 Files
  • 2
    Jul 2nd
    15 Files
  • 3
    Jul 3rd
    9 Files
  • 4
    Jul 4th
    8 Files
  • 5
    Jul 5th
    2 Files
  • 6
    Jul 6th
    3 Files
  • 7
    Jul 7th
    1 Files
  • 8
    Jul 8th
    15 Files
  • 9
    Jul 9th
    15 Files
  • 10
    Jul 10th
    20 Files
  • 11
    Jul 11th
    17 Files
  • 12
    Jul 12th
    15 Files
  • 13
    Jul 13th
    2 Files
  • 14
    Jul 14th
    1 Files
  • 15
    Jul 15th
    20 Files
  • 16
    Jul 16th
    27 Files
  • 17
    Jul 17th
    6 Files
  • 18
    Jul 18th
    0 Files
  • 19
    Jul 19th
    0 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    0 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close