Help Desk Software Needs Help

Monday, June 8, 2015 @ 04:06 PM gHale

SysAid Help Desk software contains flaws an attacker could use to download and upload files and to execute arbitrary code without authenticating.

SysAid is an ITSM (IT service management) product designed to improve a company’s help desk performance via an intuitive platform that allows assigning incident tickets based on their importance and the department responsible for solving them.


IT administrators can also use the platform to manage software and hardware assets in the company, create custom reports or pull analytics.

The company said it has over 10,000 organizations using its product, including Coca Cola, Adobe, LG, Panasonic and IKEA.

Security researcher Pedro Ribeiro analyzed version 14.4 of the software and found 11 security holes, ten affecting the Windows edition and one the Linux release. Exploit modules for six of them are already in Metasploit.

The most serious flaw lets an attacker create an administrator account without authenticating or supplying any information.

That vulnerability is tracked as CVE-2015-2993. Ribeiro said it can be exploited only once per installation, and restarting the Apache Tomcat server does not make it exploitable again.

Two further issues allow arbitrary file uploads through directory traversal (CVE-2015-2994 and CVE-2015-2995). Exploiting one of them requires an administrator account; the other can be exploited without any constraints. In both cases the result is remote code execution, Ribeiro said.

Ribeiro also found SysAid ships with a hard-coded cryptographic key and fixed encryption parameters. Combined with an arbitrary file download flaw (CVE-2015-2996) that also affects the software, an attacker can retrieve the server configuration file and decrypt the database password it contains.

In his published advisory, the researcher said the configuration values are protected with password-based DES, with the DES key derived via MD5 from the hard-coded passphrase “inigomontoya.” Because the passphrase and parameters are the same on every installation, anyone holding a copy of the configuration file can decrypt it offline.
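The following is an added example, not SysAid's code, showing why a hard-coded password-based-encryption passphrase gives no real confidentiality: whoever obtains the encrypted value (here, an attacker who pulled the configuration file) runs the same derivation and recovers the plaintext. It uses the Java PBEWithMD5AndDES scheme (MD5-derived key, DES encryption) and the passphrase named in the advisory; the salt, iteration count, class and method names, and the sample database password are assumptions constructed for the example.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.PBEParameterSpec;

/*
 * Added example (not SysAid code). Encrypts a secret the way a product with a
 * hard-coded PBE passphrase would store it, then decrypts it the way an attacker
 * who has the same product binary (and therefore the same passphrase) would.
 */
public class HardCodedPbe {
    // The passphrase named in Ribeiro's advisory.
    static final String HARD_CODED_PASSPHRASE = "inigomontoya";

    // Assumptions: PKCS#5 PBE needs an 8-byte salt and an iteration count.
    // A product that hard-codes the passphrase must fix these too, or it could
    // not decrypt its own configuration; the values here are made up.
    static final byte[] SALT = {0x53, 0x79, 0x73, 0x41, 0x69, 0x64, 0x21, 0x21};
    static final int ITERATIONS = 20;

    /** Builds the PBEWithMD5AndDES cipher for the given mode (encrypt/decrypt). */
    private static Cipher pbeCipher(int mode) throws Exception {
        SecretKeyFactory factory = SecretKeyFactory.getInstance("PBEWithMD5AndDES");
        SecretKey key = factory.generateSecret(
                new PBEKeySpec(HARD_CODED_PASSPHRASE.toCharArray()));
        Cipher cipher = Cipher.getInstance("PBEWithMD5AndDES");
        cipher.init(mode, key, new PBEParameterSpec(SALT, ITERATIONS));
        return cipher;
    }

    /** What the product does when it writes a secret into its configuration file. */
    static String encrypt(String plaintext) throws Exception {
        byte[] ct = pbeCipher(Cipher.ENCRYPT_MODE)
                .doFinal(plaintext.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(ct);
    }

    /** What an attacker does offline after downloading that configuration file. */
    static String decrypt(String base64Ciphertext) throws Exception {
        byte[] pt = pbeCipher(Cipher.DECRYPT_MODE)
                .doFinal(Base64.getDecoder().decode(base64Ciphertext));
        return new String(pt, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a database password as the server would store it.
        String stored = encrypt("S3cretDbP@ss");
        System.out.println("dbPassword=" + stored);       // the value sitting in the config file
        System.out.println("recovered=" + decrypt(stored)); // recovered with nothing but the product's own constants
    }
}
```

The decrypt side needs no secret the attacker does not already have: the passphrase, salt and iteration count all ship inside the product, so the arbitrary file download alone is enough to turn the stored value back into the database password. The fix is an installation-specific key kept outside the web-readable tree (or a platform secret store), not a stronger algorithm with the same hard-coded input.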

Also hard-coded is the administrator account password for the SQL Server Express database software, built into SysAid for Windows.

The developer said the current update, SysAid 15.2, mitigates the issues. Ribeiro did not test the new release and cannot confirm that all the vulnerabilities have been fixed.