CVE-2019-10008: allows any user of ManageEngine ServiceDesk Plus to authenticate as another user.
Guest to NT AUTHORITY\SYSTEM shell
Ata Hakçıl, Melih Kaan Yıldız
The platform allows authenticating as any user if session cookies are juggled in a very precise order between the main web application and the mobile container (mc).
At the top level it is easy to describe.
We are interested in two cookies, JSESSIONID and JSESSIONIDSSO.
As far as I understand the problem, it arises from the mobile container handling sessions differently from the rest of the platform.
Below I try to explain the exact sequence of actions needed for the authentication bypass as precisely as I can.
We will need several different values of the same cookie at the same time, which is something a normal browser or cookie jar does not keep for you.
For example, there will be five different JSESSIONID values, referred to below as JSESSIONID₁ to JSESSIONID₅.
There will also be two different JSESSIONIDSSO values, JSESSIONIDSSO₁ and JSESSIONIDSSO₂.
"+" refers to all the other cookies, of which there is only one instance each: _rem, and two cookies with hex names and values whose purpose I am not entirely sure of.
1) GET request to the homepage with no session cookies. The response sets JSESSIONID₁.
2) POST request to the login page with JSESSIONID₁ and a valid username and password. The response redirects to the homepage.
3) GET request to the homepage with JSESSIONID₁. The response sets JSESSIONID₂ and JSESSIONIDSSO₁; this pair is the authenticated web session.
4) GET request to the mobile container (mc) with JSESSIONID₂ and JSESSIONIDSSO₁. The response sets JSESSIONID₃, the mobile session.
5) GET request to the mc logout page with JSESSIONID₂, JSESSIONID₃ and JSESSIONIDSSO₁ (two JSESSIONID cookies in one request). This logs out the mobile session, but not the authenticated JSESSIONID₂ session.
6) GET request to the mc dashboard page with the same three cookies. The response sets JSESSIONID₄ and JSESSIONIDSSO₂.
At this point the mobile session JSESSIONID₃ is logged out and replaced by the JSESSIONID₄-JSESSIONIDSSO₂ pair, but the JSESSIONID₂-JSESSIONIDSSO₁ pair is still authenticated with the first credentials.
7) GET request to the homepage again to be assigned a fresh JSESSIONID-JSESSIONIDSSO pair (JSESSIONID₅).
8) POST request to the mc login page with two JSESSIONID cookies and a JSESSIONIDSSO cookie, supplying the target username. This logs the JSESSIONID-JSESSIONIDSSO pair in regardless of the username or password given, and the redirects that follow eventually return a JSESSIONID-JSESSIONIDSSO pair that can be used to log in as the second user.
You can log in as any user as long as you know the target's username and you have one valid username-password pair of your own; a guest account is enough.
After logging in as an administrator this way, the "Custom Trigger" option in the admin panel can be used to execute arbitrary code on the server.
That takes you from a guest on the website to NT AUTHORITY\SYSTEM on the server.