
CVE-2023-33706: Insecure Direct Object Reference (IDOR) affects Help Desk (SysAid)

SysAid before 23.2.15 allows Indirect Object Reference (IDOR) attacks to read ticket data via a modified sid parameter to EmailHtmlSourceIframe.jsp or a modified srID parameter to ShowMessage.jsp.


Disclaimer

This Security Advisory is provided on an “as is” basis and does not imply any kind of guarantee or warranty. Your use of the information in this publication or linked materials is at your own risk. PRIDE Security reserves the right to change or update this content without notice at any time.

About manufacturer

Founded in 2002, SysAid Technologies serves over 100,000 organizations across 140 countries. With adaptable solutions, the company caters to both SMEs and Fortune 500-listed organizations, showcasing the versatility of its products.

Site: https://www.sysaid.com/

About the product

The SysAid Help Desk is a platform developed by SysAid Technologies that consolidates various essential functionalities for IT management. Among its notable features are a ticket management tool, a system for IT asset control, self-service options, password reset capabilities, mobile-optimized applications, industry benchmarking tools, and much more.

Site: https://www.sysaid.com/it-service-management-software/help-desk-software

Confirmed vulnerable versions

SysAid Help Desk On-Premise: Version 22.3.35b and lower.
SysAid Help Desk Cloud: Version 23.2.20b39 and lower.

Summary

In April 2023, PRIDE Security discovered a vulnerability in the SysAid Help Desk software, a ticket management tool from SysAid Technologies. This security flaw potentially allows attackers to gain unrestricted access to all tickets, thereby risking exposure of confidential data and communications between requesters and administrative users (at levels N2 and N3), who are responsible for evaluating issues and developing solutions.

CVE-2023-33706: Insecure Direct Object Reference (IDOR)

The SysAid Help Desk enables any user with a valid account on the platform to open and track tickets, exchange messages, and provide additional information if necessary.

When a ticket is opened, the administrator, whether at the second level (N2) or third level (N3), has a variety of tools for its effective management. This includes the option to request additional information from the requester (the user who opened the ticket), facilitating a more precise resolution of the issue. Additionally, in the administrative panel, it is possible to access the entire message history between the requester and the administrator, allowing for tracking of the interaction. It is worth noting that there may be multiple administrators handling different institutions. They do not have access to all tickets from all institutions but only to specific tickets associated with the institution to which they are linked.

To illustrate, by selecting the “Open All” option in the “Messages” tab of a specific ticket, the requester can view the complete history of messages exchanged with the administrator throughout the interaction with the ticket.

  • GET /EmailHtmlSourceIframe.jsp?sid={ID}&showHeadSeparator=false&msgId={BASE64}

Figure 1 - Access to a message from ticket 20553.

However, before the platform makes the request to the aforementioned endpoint, another request is executed to the endpoint below. This latter endpoint is affected by a vulnerability known as Insecure Direct Object Reference (IDOR):

  • GET /ShowMessage.jsp?srID={ID}&allMsg=yes&autoMsg=true&notAddingIndexJSP=true

In this request, which is issued before the tickets are displayed on the screen, the value of the “srID” parameter (the numerical identifier of the ticket) can be modified freely. With this modification, it becomes possible to access messages belonging to other users of the platform. Enumeration is limited only by the number of tickets that have been opened.
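As an added example (not part of this advisory and not SysAid's code), the following Python model contrasts a lookup that trusts the srID alone, as described above, with one that binds the lookup to the caller's authorization context using the access rules stated earlier in this advisory (requesters see only the tickets they opened; administrators see only tickets of the institution they are linked to). The user and ticket structures and the sample data are assumptions.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class User:
    name: str
    role: str          # "requester" or "admin" (N2/N3 in the advisory's terms)
    institution: str   # institution the user is linked to


@dataclass(frozen=True)
class Ticket:
    sr_id: int         # numerical ticket identifier (the "srID" parameter)
    requester: str     # user who opened the ticket
    institution: str
    messages: tuple    # message history between requester and administrator


# Constructed sample data: two tickets opened by different users at different institutions.
TICKETS = {
    2406688: Ticket(2406688, "alice", "inst-a", ("VPN password reset requested",)),
    2000029: Ticket(2000029, "bob", "inst-b", ("Access token attached",)),
}


def show_message_vulnerable(sr_id: int) -> Optional[Ticket]:
    """Models the flawed behaviour: the ticket is resolved from srID alone,
    so any authenticated user can read any ticket's message history."""
    return TICKETS.get(sr_id)


def can_view(user: User, ticket: Ticket) -> bool:
    """Access rule from the advisory: requesters see only their own tickets,
    administrators see only tickets of their linked institution."""
    if user.role == "requester":
        return ticket.requester == user.name
    if user.role == "admin":
        return ticket.institution == user.institution
    return False


def show_message(user: User, sr_id: int) -> Optional[Ticket]:
    """Hardened lookup: srID is checked against the caller's authorization.
    Missing and unauthorized tickets both yield None, so the response does not
    reveal whether a given srID exists (no existence oracle for enumeration)."""
    ticket = TICKETS.get(sr_id)
    if ticket is None or not can_view(user, ticket):
        return None
    return ticket
```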

Example – HTTPS Request:

GET /ShowMessage.jsp?srID={ID}&allMsg=yes&autoMsg=true&notAddingIndexJSP=true HTTP/2
Host: helpdesk.redacted.com
Cookie: JSESSIONID={COOKIE}; accountId={ACCOUNT}; rememberMe=Y; userType=ad00;
communityUserName={BASE64}; communityUserHash={BASE64}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0)

Below is the (shortened) HTTPS response rendered in the browser. Note the Base64-encoded value of the “msgId” parameter in the iframe source:

Example – HTTPS Response (shortened):

HTTP/2 200 OK
Content-Type: text/html;charset=utf-8
<html>
...
<iframe src="EmailHtmlSourceIframe.jsp?sid={ID}&showHeadSeparator=false&msgId={BASE64}"
frameborder="0"></iframe>
...
</html>

With access to the vulnerable endpoint, any user, even without administrative privileges, can view all tickets, both open and closed, on the platform. To illustrate the flaw, consider the following scenario: an attacker, with requester-level access (i.e., without administrative privileges), is restricted to opening and querying only the tickets they initiated. In this context, suppose the requester (attacker) has exclusive access to ticket number #2406688:

Figure 2 - User’s ticket number logged into the application.

By exploiting the vulnerable endpoint, it is observed that the requester can access tickets that belong to other users of the application. The following figure illustrates the unauthorized access to ticket #2000029, which contains sensitive data from another user on the platform:

Figure 3 - Access to ticket #2000029 belonging to another user.

This vulnerability is of particular significance when sensitive data such as logins, passwords, tokens, and confidential documents are shared between requesters and administrators (N2 or N3), as such information is often exchanged in the course of resolving tickets.
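For operators who cannot apply the vendor fix immediately, the following added example (not from the advisory) scans web-server access-log lines for the two endpoints named above and flags users who retrieved an unusual number of distinct ticket IDs through them; a requester normally touches only the tickets they opened, so many distinct (often sequential) IDs from one account is the signature of IDOR enumeration. The combined-style log format, user names and threshold are assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed sample log lines (combined-log style; not real SysAid logs).
SAMPLE_LOG = """\
10.0.0.5 - alice [16/Nov/2023:10:00:01 +0000] "GET /ShowMessage.jsp?srID=2406688&allMsg=yes&autoMsg=true&notAddingIndexJSP=true HTTP/2" 200 812
10.0.0.5 - alice [16/Nov/2023:10:00:02 +0000] "GET /EmailHtmlSourceIframe.jsp?sid=2406688&showHeadSeparator=false&msgId=QUJD HTTP/2" 200 544
10.0.0.9 - mallory [16/Nov/2023:10:05:00 +0000] "GET /ShowMessage.jsp?srID=2000029&allMsg=yes&autoMsg=true&notAddingIndexJSP=true HTTP/2" 200 790
10.0.0.9 - mallory [16/Nov/2023:10:05:01 +0000] "GET /ShowMessage.jsp?srID=2000030&allMsg=yes&autoMsg=true&notAddingIndexJSP=true HTTP/2" 200 801
10.0.0.9 - mallory [16/Nov/2023:10:05:02 +0000] "GET /ShowMessage.jsp?srID=2000031&allMsg=yes&autoMsg=true&notAddingIndexJSP=true HTTP/2" 200 775
10.0.0.9 - mallory [16/Nov/2023:10:05:03 +0000] "GET /ShowMessage.jsp?srID=2000032&allMsg=yes&autoMsg=true&notAddingIndexJSP=true HTTP/2" 200 799
"""

# client ip, authenticated user, timestamp, method, target, status
LOG_RE = re.compile(r'^(\S+) \S+ (\S+) \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

# Endpoints from the advisory and the parameter carrying the ticket identifier.
WATCHED = {"/ShowMessage.jsp": "srID", "/EmailHtmlSourceIframe.jsp": "sid"}


def ticket_ids_per_user(log_text):
    """Map each user to the set of distinct ticket IDs they successfully read
    through the watched endpoints."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        _ip, user, _ts, method, target, status = m.groups()
        if method != "GET" or status != "200":
            continue
        parts = urlsplit(target)
        param = WATCHED.get(parts.path)
        if param is None:
            continue
        for value in parse_qs(parts.query).get(param, []):
            if value.isdigit():
                seen[user].add(int(value))
    return seen


def flag_enumeration(log_text, threshold=3):
    """Return users who read at least `threshold` distinct tickets, sorted."""
    return sorted(user for user, ids in ticket_ids_per_user(log_text).items()
                  if len(ids) >= threshold)
```

In practice, correlate the flagged accounts with the ticket ownership data so that legitimate N2/N3 administrators of the affected institution are not counted as enumeration.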

Vulnerability remediation

SysAid Technologies announced the release of versions 23.2.15 (SysAid Help Desk On-Premise) and 23.2.50 (SysAid Help Desk Cloud), informing PRIDE Security that the previously mentioned vulnerability has been resolved in these updates.

It is important to highlight that PRIDE Security has not conducted new tests nor confirmed the effectiveness of these corrections.

Communication timeline with manufacturer

  • May 17, 2023 – Contact over e-mail.
  • May 18, 2023 – SysAid Technologies acknowledges receipt of the e-mail.
  • June 12, 2023 – SysAid Technologies provides a roadmap to fix the issue.
  • July 17, 2023 – SysAid Technologies reports that the vulnerability has been fixed.
  • November 16, 2023 – Public release (PRIDE Security).

Acknowledgements

  • André Silva – PRIDE Security
  • Ricardo B. Gonçales – PRIDE Security

About PRIDE Security

PRIDE Security is a company specialized in information security that focuses on technical excellence and personalized services. Founded by information security experts, we have worked on various types of projects, from ATM (automated teller machine) penetration testing to national security projects.

With a team of experts with more than 15 years of experience in the market and technical excellence backed by national and international recognition, PRIDE Security treats each project as a new challenge to deliver more than expected.

As proof of international technical recognition, our professionals are regularly accepted or invited to lecture at security events around the world. Below are some examples of congresses, conferences and seminars focused on information security in which we have participated as lecturers or coordinators of technical groups:

  • Blackhat – USA
  • RSA Conference – USA
  • Defcon – USA
  • ToorCon – USA
  • Blackhat – Europe edition
  • OWASP AppSec Research – Europe edition
  • OWASP AppSecEU09 – Europe edition
  • TROOPERS – Germany
  • H2HC (Hackers 2 Hackers Conference) – Brazil
  • YSTS (You Sh0t The Sheriff) – Brazil

In addition to lecturing at major security events around the world, our team of experts is also responsible for writing various papers, co-authoring an offensive technology patent registered in the United States of America (US8756697), and finding and publishing security vulnerabilities in well-known software such as Sun Solaris, the FreeBSD / NetBSD kernel, QNX RTOS, Microsoft ISA Server, Microsoft Word, Adobe Flash and Adobe PDF, among others.

Many organizations of all sizes concerned with information security rely on PRIDE Security. If you wish, we will be pleased to connect you with our customers so that they can share their experience with our services.
