Thursday 5 April 2018

Pentest: 0day in iTop 2.4.0 gave me Domain Admin privileges

This article describes the exploitation of a 0day RCE in the web application iTop 2.4.0. After getting a shell, I inserted a credential sniffer, and the next day walked away with the password of a domain administrator.

Below you will find a step-by-step writeup and a link to the Metasploit module.

TL;DR:

iTop is a solution for IT Service Management. It allows administrators to manage user requests, incidents, and the service catalog in a single web application. If you request a new SSD from the IT department, it will most likely appear as a ticket in iTop. When you collect your hardware, a system administrator will log into iTop and change the status of the SSD: “assigned to user httpsonly, desk 1337”.

Step 1: Log in by any means
During reconnaissance, I found the domain helpdesk.company.com:

According to the documentation, an iTop administrator can create local users or configure domain authentication:

In my case, I already had the credentials of a domain user. Nothing stops you from trying to brute-force the passwords of local users: test:test, 111:111, user1:user1, backup:backup and so on.

Cool! I am logged in as a low-level user.


Step 2: Exploit Insecure Direct Object Reference

A low-level user can access any profile by specifying its user id. Here we query the user with id=1, which will most likely have administrator rights. The server answers with a 302 redirect, but still returns the content of the requested page.

Cool! We have the username: “admin”.


Step 3: Change password of administrator
According to the documentation, iTop provides a powerful CSV Import feature to assist end-users (and administrators) in massively creating or updating objects in iTop.

Our low-level user does not have the right to create users: an error about insufficient rights appears.
No such error appears, however, if we update the password of an existing user. 0day! (Take a look at the patch.)

Let’s try to exploit it.
During an update, iTop’s parsing system correlates all POST data (first name, last name, email, login, etc.) with the attributes stored in the database: every non-empty database attribute must match a POST parameter. Sadly, we do not know all attributes of user admin (e.g. group membership) and cannot specify them.

Trick: if you tell iTop to copy all parameters from a given profile, it will set all non-empty parameters from the profile with the given id. Think of this action as a pointer to the object with property “profileid=1”.

Password changed! You can find the full HTTP query in my Metasploit module.


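Steps 2 and 3 come down to the same defect: an object is fetched or updated after checking only that the id exists, not who is asking. The block below is an added example, not iTop's code and not the vendor's patch, showing the shape of the check that closes both gaps in a hypothetical user directory. Every name in it (UserDirectory, Permission, PROTECTED_FIELDS, the accounts in demo()) is constructed for the example; the point is that the read, create and update paths all pass through one permission function, that a bulk import cannot change another account's password without admin rights, and that every denied attempt lands in an audit list a SOC can alert on.

```python
"""Added example, not iTop's code: a minimal permission model for a user
directory that closes the two gaps in Steps 2 and 3 above. Every name in it
(UserDirectory, Permission, ...) is hypothetical."""
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, List, Optional
import hashlib
import secrets

PROTECTED_FIELDS = ("password",)  # bulk import may change these only with admin rights


class Permission(Enum):
    READ = "read"
    CREATE = "create"
    UPDATE = "update"


class Forbidden(Exception):
    """Raised when the acting user lacks the permission for the request."""


@dataclass
class User:
    id: int
    login: str
    is_admin: bool = False
    email: str = ""
    password_hash: str = ""  # salted hash only; plaintext is never stored


def hash_password(plain: str) -> str:
    salt = secrets.token_hex(8)
    return salt + "$" + hashlib.sha256((salt + plain).encode()).hexdigest()


class UserDirectory:
    def __init__(self) -> None:
        self._users: Dict[int, User] = {}
        self.audit: List[str] = []  # denied actions, for the SOC to alert on

    def add(self, user: User) -> None:
        self._users[user.id] = user

    def _check(self, actor: User, perm: Permission, target_id: Optional[int]) -> None:
        # Admins may do anything; everyone else may only read or update their own
        # record and may never create accounts. Every entry point calls this.
        allowed = actor.is_admin or (perm is not Permission.CREATE and target_id == actor.id)
        if not allowed:
            self.audit.append(f"DENY actor={actor.id} action={perm.value} target={target_id}")
            raise Forbidden(f"{actor.login} may not {perm.value} user {target_id}")

    def get_profile(self, actor: User, target_id: int) -> User:
        # Step 2 fix: the lookup is gated on who asks, not only on the id existing.
        self._check(actor, Permission.READ, target_id)
        return self._users[target_id]

    def csv_import(self, actor: User, rows: List[Dict[str, str]]) -> List[str]:
        # Step 3 fix: the update branch runs the same check as the create branch,
        # and protected fields additionally require admin rights.
        applied = []
        for row in rows:
            existing = next((u for u in self._users.values() if u.login == row["login"]), None)
            if existing is None:
                self._check(actor, Permission.CREATE, None)
                new = User(max(self._users, default=0) + 1, row["login"], email=row.get("email", ""),
                           password_hash=hash_password(row.get("password", secrets.token_urlsafe(16))))
                self.add(new)
                applied.append(f"created {new.login}")
                continue
            self._check(actor, Permission.UPDATE, existing.id)
            if not actor.is_admin and any(f in row for f in PROTECTED_FIELDS):
                self.audit.append(f"DENY actor={actor.id} action=protected-field target={existing.id}")
                raise Forbidden(f"{actor.login} may not change protected fields via import")
            if "email" in row:
                existing.email = row["email"]
            if "password" in row:
                existing.password_hash = hash_password(row["password"])
            applied.append(f"updated {existing.login}")
        return applied


def blocked(action: Callable[[], object]) -> bool:
    try:
        action()
        return False
    except Forbidden:
        return True


def demo() -> Dict[str, object]:
    """Replay the writeup's attempts against the hardened directory (constructed accounts)."""
    d = UserDirectory()
    admin = User(1, "admin", is_admin=True, password_hash=hash_password("constructed-admin-secret"))
    low = User(2, "lowpriv", password_hash=hash_password("constructed-user-secret"))
    d.add(admin)
    d.add(low)
    before = admin.password_hash
    out: Dict[str, object] = {
        "idor_blocked": blocked(lambda: d.get_profile(low, 1)),  # Step 2
        "create_blocked": blocked(lambda: d.csv_import(low, [{"login": "new", "password": "x"}])),
        "admin_update_blocked": blocked(lambda: d.csv_import(low, [{"login": "admin", "password": "x"}])),
    }
    out["admin_hash_unchanged"] = admin.password_hash == before
    d.csv_import(low, [{"login": "lowpriv", "email": "lowpriv@example.invalid"}])  # own record, ordinary field
    out["self_update_allowed"] = low.email == "lowpriv@example.invalid"
    d.csv_import(admin, [{"login": "admin", "password": "rotated"}])  # legitimate admin rotation
    out["admin_rotation_allowed"] = admin.password_hash != before
    out["denied_events"] = len(d.audit)
    return out
```

Running demo() shows the three attempts from the writeup (read id=1, create a user, overwrite admin's password through import) all denied and recorded, while a user's update of their own ordinary fields and an admin's password rotation still go through. The "copy all parameters from profile id=1" trick from Step 3 is irrelevant here: the permission check fires before any attribute matching, so what the attacker can reconstruct about the target record no longer matters.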
Step 4: Log in as admin
After we have changed the administrator’s password, we can log in with the new one:

Step 5: RCE
An administrator can achieve RCE through the ConfigEditor (the functionality for editing the iTop configuration file). Code execution can be obtained while leaving the original configuration file unmodified.

After obtaining RCE, I edited the authentication script to record successful login attempts. The following line was added:

./application/loginwebpage.class.inc.php:

A few days later, I got the domain admin’s password in log.txt.

2 comments:

  1. Hello,
    I'm a Combodo employee and one of the iTop committers.

    First of all, many thanks for how you handled this breach discovery: we had the time we needed to understand it and produce a clean fix, and contact all of our community!

    As you mentioned, all existing iTop versions to date are affected. The next iTop release (version 2.5) will contain the fix, and will come out very soon (planned for July 2018)!
    Considering the feedback we had from our clients, partners and the community, we have not planned a 2.4.2 release yet.

    To fix the vulnerability on existing versions, you can download a .patch here:
    https://www.combodo.com/fixes/KB1328_csv_import_2.2-2.3-2.4.zip
    It can be applied on versions 2.2 up to 2.4.1 included.
    Note that the patch is the same for all versions, but the sole impacted file (pages/csvimport.php) is not the same between versions. For those who can't use the patch command on their installation, we published a patched file for each iTop version:
    * 2.2.* : https://www.combodo.com/fixes/itop_2.2_csvimport.zip
    * 2.3.* : https://www.combodo.com/fixes/itop_2.3_csvimport.zip
    * 2.4.* : https://www.combodo.com/fixes/itop_2.4_csvimport.zip

    The fix has of course been committed on our SVN SourceForge repository:
    * 2.2.0 branch : r5601 https://sourceforge.net/p/itop/code/5601/
    * 2.3 branch : r5602 https://sourceforge.net/p/itop/code/5602/
    * 2.4 branch : r5598 https://sourceforge.net/p/itop/code/5598/
    * trunk (2.5 beta) : r5597 https://sourceforge.net/p/itop/code/5597/

    Any iTop client can contact Combodo's support team for more information.
    And for iTop community users, the official forum is available on SourceForge: https://sourceforge.net/p/itop/discussion/.

    Best regards,
    Pierre Goiffon for Combodo
