This report was fully disclosed on 12 October 2018

Summary

passwordmanager.winnipeg.ca appears to be running an outdated build of ZoHo ManageEngine’s ADSelfService Plus. The build running at the time of this report appears to be <=5516 and >=5313.

As per the vendors release notes the following issues are likely to affect these builds. Build numbers listed correspond to the build in which they were patched.

  • (5604) An XSS vulnerability has been fixed.
  • (5520) Security issue in which the HttpOnly flag was missing from the adscsrf cookie has been fixed.
  • (5518) Broken authentication vulnerabilities which can lead to unauthorized access of the product resources.
  • (5517) Vulnerability issue in the Windows logon (GINA/CP) client.
  • (5517) Vulnerability issue which could lead to attackers exploiting unused HTTP methods in the product has been fixed.
  • (5517) XSS issue in enrollment.
  • (5516) Unrestricted file upload issue which could lead to XSS and server-side command execution vulnerabilities has been fixed.
  • (5516) SSRF vulnerability issue which led to NTLM hash disclosure has been fixed.
  • (5516) Reflected cross site scripting vulnerability has been fixed.
  • (5515) Improper authentication during SAML single sign-on that gives way to man in the middle attack by inserting fraudulent user identification has now been fixed.
  • (5511) Vulnerability issues have been fixed.
  • (5509) Vulnerability issue in Windows login client.
  • (5508) Vulnerability issue in the Windows login client.
  • (5505) XSS vulnerability issue while updating manager field using self-directory update.
  • (5504) Some security issues have been fixed.
  • (5326) XSS vulnerability in self-update manager field.
  • (5324) Vulnerability issue in self-password reset and unlock account process.
  • (5319) Fixed a vulnerability issue in two-factor authentication.
  • (5313) Fixed some vulnerability issues.

As I was not able to confirm the exact build, and only a range, some issues listed may not be applicable

Proof of Concept

Although no attempt to exploit any of the applicable vulnerabilities was made, the following details the process of identifying which build is likely to be running.

In the vendors release notes for ADSelfService Plus it is noted that as of build 5517 jQuery bundled with ADSelfService Plus has been upgraded from 1.8.1 to 1.12.2.

We can determine that the current build of passwordmanager.winnipeg.ca is <=5516 as line 32 of showLogin.cc shows script.src = "/adsf/js/common/jquery/jquery-1.8.1.min.js";

We can also determine that the current build is >=5313 as attempts to exploit the reflected XSS vulnerability found in builds <=5312 fails.

Further confirmation of these indicators was done by locally testing multiple versions of ADSelfService.

Remediation Status

At the time of publishing this report the reported issue has been resolved.

Response From Affected Party

Response From [email protected] 05 October 2018

Hello,

Thank you for bringing this matter to our attention. We have confirmed your analysis to be correct and are in the process of scheduling remediation activities. I will send you a follow up email once the patching has taken place so that the fix can be verified and your disclosure made public.

Thank you,

Nick Procyk
Information Security Coordinator
Business Technology Services
City of Winnipeg

Phone: (204)232-9270
Email: [email protected]
Website: winnipeg.ca
Address: 6-510 Main St, Winnipeg, MB R3B 1B9

CONFIDENTIALITY NOTICE: The information contained in this message is intended solely for the person or entity to which it is addressed and may contain confidential and/or privileged information. Any use, dissemination, distribution, copying or disclosure of this message and attachments, in whole or in part, by anyone other than the intended recipient is strictly prohibited. If you have received this message in error, please notify the sender and permanently delete the complete message and any attachments. Thank you.

Response From [email protected] 12 October 2018

Hello,

As of yesterday morning the system in question has been updated to the latest version recommended by the vendor. Additionally, staff are now closely monitoring the release cycles for this product in order to keep it more up to date in the future.

Thank you again for alerting us to these vulnerabilities.

Nick Procyk
Information Security Coordinator
Business Technology Services
City of Winnipeg
P: 204-232-9270

Timeline

  • 1 October 2018: Affected Party Notified
  • 11 October 2018: Affected Party Released Patch (+10 days)
  • 12 October 2018: Report Published (+11 days)