SEC Consult Vulnerability Lab Security Advisory < 20130904-0 > ======================================================================= title: Undocumented password reset and admin takeover & Cross-Site Scripting vulnerabilities product: GroupLink everything HelpDesk vulnerable version: <=10.0.3 fixed version: - impact: Critical homepage: http://www.grouplink.com found: 2013-07-10 by: V. Paulikas, J. Greil SEC Consult Vulnerability Lab https://www.sec-consult.com ======================================================================= Vendor description: ------------------- "everything HelpDesk by GroupLink was designed as an all in one solution for any department in your organization. This solution enables departments to track, automate, and report on incident resolution, change management, and business processes in IT, Human Resources, Facilities Maintenance, Development, Purchasing Departments and more." http://www.grouplink.com Business recommendation: ------------------------ By exploiting the undocumented password reset vulnerability, an _unauthenticated_ attacker can gain administrative access to the affected Helpdesk system very easily and access sensitive internal information of the company, such as all tickets, user accounts, configuration/passwords in clear text (e.g. database credentials), knowledge base, etc. It is highly recommended not to use this software until a thorough security review has been performed by security professionals. As a workaround, the software should not be accessible from the Internet. Limit access only to trusted users internally. It is assumed that further critical vulnerabilities exist, as only a very short sample test has been performed. Vulnerability overview/description: ----------------------------------- 1) Cross-Site Scripting The web application is prone to unauthenticated reflected Cross-Site Scripting attacks. The vulnerability can be used to include HTML or JavaScript code to the affected web page. The code is executed in the browser of users if they visit the manipulated site. 2) Undocumented / insecure password reset function The web application normally allows resetting the password of the user by supplying the email address of the user. If a specific static, easily guessable string is passed instead of the user email, the password of the admin user is being reset to a default value which is publicly known/documented. After the password reset procedure an unauthenticated, anonymous attacker is able to access the administrative panel of the HelpDesk web application with highest access rights. Attackers then gain access to highly sensitive information depending on the usage of the helpdesk system (internal tickets, user database, configuration/passwords in clear text (e.g. database credentials), knowledge base information, etc). Proof of concept: ----------------- 1) Cross-Site Scripting Cross-Site Scripting vulnerabilities can be exploited by tricking the user into accessing a specially crafted URL. This vulnerability was identified in scripts provided below: /j_acegi_security_check (unauthenticated in login page) /config/assignments (only authenticated) Proof of concept URLs have been removed as the vendor did not supply any patches. 2) Undocumented / insecure password reset function In order to exploit the insecure password reset function it is sufficient to supply a certain easily guessable string as the email address. This information has been removed from the advisory, as the vendor did not supply any patches. The password of the administrative account "admin" is then set to a default value of "admin" which can be used for login afterwards. The url of the password reset function: http[s]://www.example.com/ehelpdesk/resetPassword.aglml Vulnerable / tested versions: ----------------------------- The vulnerabilities have been verified to exist in everything HelpDesk version 10.0.3, which was the most recent version at the time of discovery. Vendor contact timeline: ------------------------ 2013-07-17: Contacting vendor through info@grouplink.net & support@grouplink.net, asking for security contact 2013-07-17: Auto-reply of ticket system, ticket automatically closed as SPAM 2013-07-18: Requesting security contact again, via their ticket (helpdesk) system 2013-07-24: Still no reply, sending deadline (4th September) of security advisory release to info@grouplink.net, support@grouplink.net, sales@grouplink.net and multiple other contact email addresses that we automatically received from their ticket system 2013-07-24: Vendor response, accusing us of phishing/spamming Still no security contact provided, asking again, giving deadline for vendor response (2013-07-30) 2013-07-25: Vendor HelpDesk ticket has been set to "closed" 2013-07-31: Telling vendor that security vulnerability will be published on 4th September (no response) 2013-08-14: Answer from Grouplink, asking for advisory details 2013-08-21: Sending advisory details 2013-08-27: Vendor: "undocumented reset admin feature has been removed" and XSS fixed in next maintenance release (10.0.4) due to "next week" 2013-09-04: Public release of security advisory Solution: --------- No vendor patches available. Immediately upgrade to version 10.0.4 as soon as it is available. Workaround: ----------- Restrict access to the software as much as possible and only allow access for trusted users and not from the Internet. Advisory URL: ------------- https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SEC Consult Vulnerability Lab SEC Consult Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius Headquarter: Mooslackengasse 17, 1190 Vienna, Austria Phone: +43 1 8903043 0 Fax: +43 1 8903043 15 Mail: research at sec-consult dot com Web: https://www.sec-consult.com Blog: http://blog.sec-consult.com Twitter: https://twitter.com/sec_consult EOF V. Paulikas, J. Greil / @2013