This post discusses CVE-2022-40773, a critical vulnerability affecting ManageEngine ServiceDesk Plus MSP before version 10609 and SupportCenter Plus before version 11025. The flaw is a privilege escalation that lets a low-privileged user obtain sensitive data during an exportMickeyList export of requests from the list view. We walk through the affected code, how the flaw is exploited, and how to mitigate it, with links to the relevant references.

References

For further reference, the following resources have been instrumental in identifying and understanding the vulnerability:

1. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40773
2. https://www.manageengine.com/news/manageengine-product-updates.html
3. https://www.manageengine.com/products/service-desk-msp/readme.html
4. https://www.manageengine.com/products/support-center/readme.html

Vulnerability Description

The disclosed vulnerability, CVE-2022-40773, is a critical privilege escalation issue in Zoho ManageEngine ServiceDesk Plus MSP (versions before 10609) and SupportCenter Plus (versions before 11025).

The affected function is exportMickeyList, which exports requests from the list view in both products. A user with lower-level access can use it to read request data belonging to other users, which amounts to privilege escalation and unauthorized access to sensitive data.

The root cause is an insufficient authorization check on the parameters passed to exportMickeyList: the function honours a caller-supplied requesterId without verifying that the caller is entitled to that requester's data. An attacker can therefore craft a request with a chosen requesterId and obtain data they should not have access to.

Code Snippet

To better understand the issue, let's review the affected code snippet within the exportMickeyList function:

public void exportMickeyList(HttpServletRequest request, HttpServletResponse response){
    /* ... */
    // Untrusted input: read straight from the query string and never compared with the caller's own identity
    String requesterId = request.getParameter("requesterId");
    boolean isSDAdmin = isSDAdmin(request);
    // For a non-admin caller, any non-empty requesterId decides whose requests are exported
    boolean filterByRequester = requesterId != null && !requesterId.isEmpty() && !isSDAdmin;
    List<MickeyRequest> mickeyRequests = getMickeyRequests(filterByRequester, requesterId);
    /* ... */
}

As the snippet shows, the function first reads the requesterId parameter from the HTTP request and then checks whether the caller is an SDAdmin. The flaw is that, when isSDAdmin is false, no authorization check is applied to requesterId: it is never compared with the identity of the authenticated caller.

As a result, filterByRequester becomes true whenever a non-SDAdmin user supplies a valid requesterId, and the export is filtered by that attacker-chosen value rather than by the caller's own identity. The request therefore returns the specified requester's data, bypassing the normal access restrictions.
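To make the authorization decision concrete, the following added example (not ManageEngine code; the request store, user records and handler variants are constructed for illustration) models the page's snippet in Python and places a hardened version beside it. The vulnerable variant lets the untrusted requesterId parameter choose the filter for a non-admin; the hardened variant scopes non-admins to their own identity and only honours the parameter for SDAdmin. The stand-in getMickeyRequests is assumed to return every request when no filter is applied.

```python
"""Vulnerable vs hardened authorization for an exportMickeyList-style handler.

Added example, not code from ManageEngine. Users, requests and the
get_mickey_requests stand-in are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    user_id: str
    is_sd_admin: bool


# Constructed sample data: which requests belong to which requester.
REQUESTS = [
    {"id": 1, "requester_id": "alice", "subject": "VPN token reset"},
    {"id": 2, "requester_id": "bob", "subject": "Payroll export question"},
    {"id": 3, "requester_id": "bob", "subject": "HR system password"},
]


class Forbidden(Exception):
    """Raised when a caller asks for data outside their own scope."""


def get_mickey_requests(filter_by_requester, requester_id):
    """Stand-in for the page's getMickeyRequests (assumption: unfiltered means all)."""
    if filter_by_requester:
        return [r for r in REQUESTS if r["requester_id"] == requester_id]
    return list(REQUESTS)


def export_vulnerable(session_user, params):
    """Mirrors the page's snippet: the filter key is the untrusted parameter.

    A non-admin who supplies requesterId=bob is handed bob's requests because
    the parameter is never compared with the caller's own identity.
    """
    requester_id = params.get("requesterId")
    filter_by_requester = bool(requester_id) and not session_user.is_sd_admin
    return get_mickey_requests(filter_by_requester, requester_id)


def export_hardened(session_user, params):
    """Non-admins are always scoped to the authenticated identity.

    The requesterId parameter is honoured only for SDAdmin. A non-admin that
    names someone else is refused outright rather than silently rescoped, so
    the attempt is visible to the caller and can be logged.
    """
    requested = params.get("requesterId")
    if session_user.is_sd_admin:
        return get_mickey_requests(bool(requested), requested)
    if requested and requested != session_user.user_id:
        raise Forbidden(
            f"user {session_user.user_id} may not export requests of {requested}"
        )
    # Filter key comes from the session, never from the query string.
    return get_mickey_requests(True, session_user.user_id)


def request_ids(rows):
    """Helper for comparing results: the ids of the exported requests."""
    return [r["id"] for r in rows]
```

The important change is the source of the filter key: in the hardened handler a non-admin export is always keyed by the session identity, and the query-string value is only consulted to detect and refuse an out-of-scope request.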

Exploitation

To exploit this vulnerability, an attacker supplies a requesterId parameter of their choosing to the vulnerable exportMickeyList function of an affected version of Zoho ManageEngine ServiceDesk Plus MSP or SupportCenter Plus.

https://example-vulnerable-domain.com/mickeyList?requesterId=TARGET_ID&action=exportMickeyList

By sending a request to the vulnerable function with a requesterId of their choosing, the attacker can gain unauthorized access to sensitive data outside their usual scope.
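Because the request shape above is so distinctive (action=exportMickeyList together with a requesterId), it is straightforward to hunt for abuse in web server access logs. The following added example (not part of the original post) parses constructed combined-log-format lines and flags any export where a non-admin account names a requesterId other than its own. The admin account list and the log lines are constructed; the authenticated username is assumed to be present in the log's authuser field.

```python
"""Flag exportMickeyList exports where a non-admin names another requester.

Added detection example, not ManageEngine code. Log lines, admin list and
field layout (common log format with an authuser field) are constructed.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Common log format: ip ident authuser [timestamp] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)$'
)

# Constructed sample lines: one foreign export by a non-admin, one self export,
# one admin export, one unrelated request and one malformed line.
SAMPLE_LOG = [
    '10.0.0.5 - alice [12/Nov/2022:10:01:02 +0000] "GET /mickeyList?requesterId=bob&action=exportMickeyList HTTP/1.1" 200 5120',
    '10.0.0.5 - alice [12/Nov/2022:10:02:10 +0000] "GET /mickeyList?requesterId=alice&action=exportMickeyList HTTP/1.1" 200 880',
    '10.0.0.9 - sdadmin [12/Nov/2022:10:03:33 +0000] "GET /mickeyList?requesterId=bob&action=exportMickeyList HTTP/1.1" 200 5120',
    '10.0.0.5 - alice [12/Nov/2022:10:04:00 +0000] "GET /home HTTP/1.1" 200 2048',
    'garbage line that does not parse',
]

ADMIN_USERS = {"sdadmin"}  # constructed: accounts allowed to export for others


def parse_line(line):
    """Return a dict of fields plus decoded path and query, or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # Keep the first value of each query parameter.
    rec["query"] = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return rec


def find_suspicious_exports(lines, admin_users):
    """Return exports where a non-admin requested a requesterId that is not their own."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        q = rec["query"]
        if q.get("action") != "exportMickeyList":
            continue
        user = rec["user"]
        if user == "-" or user in admin_users:
            continue  # unauthenticated in this log, or entitled to export for others
        target = q.get("requesterId")
        if target and target != user:
            findings.append({
                "ts": rec["ts"], "ip": rec["ip"], "user": user,
                "requester_id": target, "status": rec["status"],
            })
    return findings


if __name__ == "__main__":
    for f in find_suspicious_exports(SAMPLE_LOG, ADMIN_USERS):
        print(f"{f['ts']} {f['ip']} {f['user']} exported requests of {f['requester_id']} (HTTP {f['status']})")
```

If the web server does not record the authenticated user (authuser is "-"), the same comparison can be made by joining on session id against the application's own login log; the query-string test alone still narrows the search to export requests that carry a requesterId.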

Mitigation and Conclusion

The immediate fix is to upgrade Zoho ManageEngine ServiceDesk Plus MSP and SupportCenter Plus to a patched release. At the time of writing, the fixed versions are:

1. ManageEngine ServiceDesk Plus MSP: Version 10609 and onwards
2. ManageEngine SupportCenter Plus: Version 11025 and onwards

In closing, CVE-2022-40773 is a critical privilege escalation vulnerability that must not go unaddressed. Users of the affected software should promptly upgrade to the latest versions to protect their systems against unauthorized access and potential data breaches.

Timeline

Published on: 11/12/2022 04:15:00 UTC
Last modified on: 08/08/2023 14:21:00 UTC