Missing Function Level Access Control Vulnerabilities in Maian Support Helpdesk Allow Complete Take Over of the System

This article looks into the details of how malicious hackers can exploit a number of missing function level access control vulnerabilities to take over an installation of Maian Support Helpdesk, a web application written in PHP.

Missing Function Level Access Control is listed as the 7th most popular vulnerability in the OWASP Top 10 of 2013. You might never have heard the name before, but you are most probably familiar with the concept: if a user shouldn't have access to a resource, restrict it and grant access only to users with the appropriate privileges. This is fairly simple, right?

However, a developer can forget to implement the appropriate checks. For example, they restrict access to an admin panel but forget to also restrict access to an API endpoint that is used for administrative functions. This is exactly what we found in the Maian Support web application.

What is Maian Support?

Maian Support is a PHP-powered helpdesk system. It can run on PHP 7 and by default has a responsive design built using the Bootstrap framework. Users can create tickets, which can be viewed and edited by designated support agents. In the free version the number of agents is limited to two.

The vulnerabilities in Maian Support

Maian Support does not check whether or not the Ajax calls on some critical functions are authenticated. The only check that is being done is whether or not the user is allowed to use the admin panel. This leads to a number of problems as explained below.

Malicious Users Can Upload Any File to the System

Maian Support users can create a FAQ page on the helpdesk system. Administrators can also add attachments to the FAQs without any limitations on the file type or extension. Under normal circumstances this means that only a malicious user with administrative access can upload a shell. However, since there is no access control on the API endpoint, an attachment can be uploaded by everyone, including unauthenticated users.

This renders all application security implementations useless. We can upload a .php file that contains a function which issues controlled system commands. This gives us access to the server with the same privileges as the user running the server software. All we have to do is upload a file to /admin/index.php?ajax=faqattach and open the file that is saved under /content/attachments-faq/filename.php

One would imagine that a hotfix for this vulnerability is to only let administrators who are logged in and have the right privileges upload FAQ attachments. However, such a hotfix is not enough, as explained in the following section, in which we assume that the hotfix has been applied.

Malicious Users Can Create Other User Accounts on the System

In a typical scenario, administrators can create other users and grant them permissions for specific tasks, for example allow them to upload attachments on FAQs. In Maian Support user creation is also not limited to administrators only, and anyone can create another user. The only limitation is that the free version has a two-user-limit. More on that later.

Let’s assume that there is only one administrator account. We can simply add another user by sending a request to /admin/index.php?ajax=team with the following POST data among others:

enabled=yes | User Account is enabled
name=name | User Name
email=name@domain.extension | Email
accpass=password | Passwords
accessPages[]=attachments | Pages that are accessible
[...]

The above privileges are just enough for a user to upload and manage attachments, which was our goal. However the account cannot be created if there are already two accounts in the free version. This means that we can’t get access to the admin panel, and since we assume that the unauthenticated shell upload is fixed now, we can’t even upload our shell. Though there is still another bypass which we can take advantage of to hack into the Maian Support web application.

Editing of the Existing Administrator Account

In a typical environment administrators can manage other team members and reset their passwords, grant or revoke privileges and change email addresses. Yet again, in Maian Support user account changes can be made without being authenticated.

In case there is a two-account limit, and there are already two accounts on the system, we can use this method to hack into the Maian Support helpdesk system. This attack can’t be done on the administrator account with ID 1, so we have to get the next available ID, which is a bit tricky.

The IDs are incremented, but we can't rely on the message that the API endpoint returns, because this will always be an error message. The error could be caused because we do not have the required privileges, but the request works nonetheless. To be sure whether or not we guessed the second administrator account, we could either try to log in with the new credentials or send the same request again. Since Maian Support does not allow two users to have the same email address, if we get an error message that a user with the same email address already exists we can assume that the attack worked.

This is not really important for manual exploitation, but it is for an exploit that uses this vulnerability for a shell upload. The vulnerable endpoint is /admin/index.php?ajax=team, the same as before, but this time we use different POST parameters. After we have changed the password and email of a user we can log in and upload our shell. Below is a screenshot of the exploit being executed automatically via a PHP script.

Executing the exploit against the Maian web application
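
All three issues above share one root cause: the Ajax actions run without a per-action authorization check. The following sketch is an added example, not Maian Support's code, and models a deny-by-default gate in Python rather than the application's PHP; the action names and the `attachments` privilege come from this article, while the `team` privilege name and all function names are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Action names are the ?ajax= values named in this article. "attachments" is the
# accessPages[] value shown above; "team" is a hypothetical privilege name.
REQUIRED_PRIVILEGE = {"faqattach": "attachments", "team": "team"}

class AccessDenied(Exception):
    pass

@dataclass(frozen=True)
class Session:
    user_id: Optional[int] = None        # None: no authenticated user
    privileges: frozenset = frozenset()  # pages granted to this account

def authorize(action: str, session: Session) -> None:
    """Raise AccessDenied unless this session may run this Ajax action."""
    needed = REQUIRED_PRIVILEGE.get(action)
    if needed is None:                   # undeclared action: deny by default
        raise AccessDenied(f"no access rule for action {action!r}")
    if session.user_id is None:
        raise AccessDenied("authentication required")
    if needed not in session.privileges:
        raise AccessDenied(f"missing privilege {needed!r}")

def check_handlers(handlers: dict) -> None:
    """Refuse to start if a handler was added without an access rule."""
    missing = sorted(set(handlers) - set(REQUIRED_PRIVILEGE))
    if missing:
        raise RuntimeError(f"handlers without access rule: {missing}")

def dispatch(action: str, session: Session, handlers: dict):
    """Single entry point: the check runs before any handler code."""
    authorize(action, session)
    return handlers[action](session)

def is_allowed(action: str, session: Session) -> bool:
    try:
        authorize(action, session)
        return True
    except AccessDenied:
        return False
```

Because `check_handlers` fails at start-up when an action has no rule, a forgotten check becomes a deployment error instead of an open endpoint.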

Building an Exploit with the Above Vulnerabilities

With the knowledge we gathered we can write an exploit that abuses the above mentioned web application vulnerabilities to gain shell access on servers running the Maian Support helpdesk system. In the exploit:

  1. We try to create a new administrator account and hope that either the target is a paid version or there is only one account.
  2. If that fails we fall back to our backup plan and try to change the credentials of an existing user. Since we don’t know the exact ID we try to change the username and password for every id in a certain range until we get an “Email address already exists” error.
  3. Then we log in with our new credentials and grab the session ID that was created in the process.
  4. We are now logged in and can use the session ID together with the FAQ file upload to upload a shell and issue commands.
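
From the defender's side, the sequence above leaves a recognisable trail in the web server access log. The following is an added example, not part of the original article or of Maian Support: it scans combined-format log lines for the two endpoints and the attachment directory named in this article. The sample log is constructed, and the burst threshold and rule names are assumptions.

```python
import re
from collections import Counter

LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')
SCRIPT_EXT = re.compile(r"\.(php\d?|phtml|phar)$", re.IGNORECASE)
TEAM_BURST = 5  # assumed threshold: POSTs to ?ajax=team per client in one log

def analyse(log_text):
    """Return (rule, client, detail) tuples for requests worth reviewing."""
    findings, team_posts = [], Counter()
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        client, method, target, _status = m.groups()
        path, _, query = target.partition("?")
        params = query.split("&")
        # Attachments are data; a script served from this directory is not.
        if "/content/attachments-faq/" in path and SCRIPT_EXT.search(path):
            findings.append(("script-in-faq-attachments", client, path))
        if method == "POST" and path.endswith("/admin/index.php"):
            if "ajax=faqattach" in params:
                # The access log cannot show whether a session was valid, so
                # every upload is listed for correlation with known admins.
                findings.append(("faq-attachment-upload", client, target))
            elif "ajax=team" in params:
                team_posts[client] += 1
    for client, count in team_posts.items():
        if count >= TEAM_BURST:   # matches a sweep over account IDs
            findings.append(("team-endpoint-burst", client, count))
    return findings

def _line(client, method, target):  # builds one constructed combined-log line
    return (f'{client} - - [01/Jan/2024:10:00:00 +0000] '
            f'"{method} {target} HTTP/1.1" 200 512 "-" "-"')

# Constructed sample data (documentation address ranges), not a real capture.
SAMPLE_LOG = "\n".join(
    [_line("198.51.100.4", "POST", "/admin/index.php?ajax=team"),
     _line("198.51.100.4", "GET", "/content/attachments-faq/manual.pdf")]
    + [_line("203.0.113.7", "POST", "/admin/index.php?ajax=team")] * 6
    + [_line("203.0.113.7", "POST", "/admin/index.php?ajax=faqattach"),
       _line("203.0.113.7", "GET", "/content/attachments-faq/filename.php")])

if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(finding)
```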

Below is a proof of concept video showing how an attacker can simply script and automate the exploitation of these vulnerabilities to gain full administrative access on an instance of Maian Helpdesk Support web application.

Disclosure

The Maian Support developer David Ian Bennett was very professional and responded in a timely fashion. He posted an advisory on the 10th of December and immediately notified all Maian Support customers to patch their installations as soon as possible. Therefore, if you are running Maian Support, make sure that you use the latest version. From a security point of view it is vital to always run the latest version of the software and web applications that you are using.

Sven Morgenroth

About the Author

Sven Morgenroth - Senior Security Engineer