Manage Engine ServiceDesk Plus Version 9.3 Privileged Account Hijacking CVE-2019-10008

Overview

CVE-2019-10008 Allows any user of ServiceDesk Plus to authenticate as another user.

Bypassing Authentication
Guest to NT AUTHORITY/SYSTEM SHELL
Ata Hakçıl, Melih Kaan Yıldız

Platform allows for authenticating as any user if session cookies are juggled in a very precise way between the platform and the mobile container.
It is really easy to describe on the top level.

We have 2 cookies we are interested in, JSESSIONID and JSESSIONIDSSO.

As far as i understand the problem, the problem arises from the how mobile container handles sessions differently than the rest of the platform.
Below, i’ll try to explain the exact sequence of actions to get the authentication bypass as best as i can.

Step by Step Sequence, Cookie Juggling

We will need multiple different values for the same cookie.
For example, we will have 5 different value for JSESSIONID, so i will refer to them as JSESSIONID[0] to JSESSIONID[4].
We will also have 2 different JSESSIONIDSSO cookies, JSESSSIONIDSSO[0] and [1].

“+” refers to all the other cookies that we will have one instances of. These include stuff like _rem, and 2 other cookies with hex names and values that im not entirely sure what for.

1) Get request to homepage with no session cookies. It will send Set-Cookie JSESSION[0].

2) Post request to login page with JSESSION[0]. It will redirect to homepage.

3) Get request to homepage with JSESSION[0]. It will send Set-Cookie JSESSION[1] and JSESSIONSSO[0].

4) Get request to mc with JSESSIONID[1] and JSESSIONIDSSO[0]. It will send back JSESSIONID[2].

5) Get request to mc logout with JSESSIONID[2], JSESSIONID[1] and JSESSIONIDSSO[0]. This will logout the mobile session, but not the authenticated jsession cookie.

6) Get request to mc dashboard page with same cookies. This will send back Set-Cookies for JSESSIONID[3] and JSESSIONIDSSO[0].
At this point, our mobile session JSESSION[2] is logged out and replaced with JSESSION[3]-JSESSIONSSO[0], but our JSESSION[1]-JSESSIONSSO[0] is still authenticated with the first credentials.

7) Get request to homepage again to be assigned JSESSIONID[4]-JSESSIONIDSSO[0] pair.

8) Post request to mc login page with JSESSIONID[4], JSESSIONID[3] and JSESSIONIDSSO[0]. This will log JSESSIONID[4]-JSESSIONIDSSO[0] pair in no matter the username or password, and redirect to eventually return JSESSIONID[5]-JSESSIONIDSSO[1] pair. This pair can be used to log in as the second user.

Conclusion

You can log in as any user as long as you know the username and you have one valid username-password.
After logging in as user, one can use the “Custom Trigger” option in the admin panel to execute arbitrary code on the server.

You can get from a guest on the website to NT AUTHORITY/SYSTEM on the server.

POC