Insecure Direct Object Reference (IDOR) affects Help Desk (SysAid) - CVE-2023-33706

Disclaimer

This Security Advisory is provided on an "as is" basis and do not imply any kind of guarantee or warranty. Your use of the information in this publication or linked materials is at your own risk. PRIDE Security reserves the right to change or update this content without notice at any time.

About manufacturer

Founded in 2002, SysAid Technologies serves over 100,000 organizations across 140 countries. With adaptable solutions, the company caters to both SMEs and Fortune 500-listed organizations, showcasing the versatility of its products.

Site: https://www.sysaid.com/

About the product

The SysAid Help Desk is a platform developed by SysAid Technologies that consolidates various essential functionalities for IT management. Among its notable features are a ticket management tool, a system for IT asset control, self-service options, password reset capabilities, mobile-optimized applications, industry benchmarking tools, and much more.

Site: https://www.sysaid.com/it-service-management-software/help-desk-software

Confirmed vulnerable versions

SysAid Help Desk On-Premise: Version 22.3.35b and lower.
SysAid Help Desk Cloud: Version 23.2.20b39 and lower.

Summary

In April 2023, PRIDE Security discovered a vulnerability in the SysAid Help Desk software, a ticket management tool from SysAid Technologies. This security flaw potentially allows attackers to gain unrestricted access to all tickets, thereby risking exposure of confidential data and communications between requesters and administrative users (at levels N2 and N3), who are responsible for evaluating issues and developing solutions.

CVE-2023-33706: Insecure Direct Object Reference (IDOR)

The SysAid Help Desk enables any user with a valid account on the platform to open and track tickets, exchange messages, and provide additional information if necessary.

When a ticket is opened, the administrator, whether at the second level (N2) or third level (N3), has a variety of tools for its effective management. This includes the option to request additional information from the requester (the user who opened the ticket), facilitating a more precise resolution of the issue. Additionally, in the administrative panel, it is possible to access the entire message history between the requester and the administrator, allowing for tracking of the interaction. It is worth noting that there may be multiple administrators handling different institutions. They do not have access to all tickets from all institutions but only to specific tickets associated with the institution to which they are linked.

By selecting the "Open All" option in the "Messages" tab of a specific ticket, the following endpoint is requested, and thus, the requester can view the complete history of messages exchanged with the administrator throughout the interaction with the ticket.

• GET /EmailHtmlSourceIframe.jsp?sid={ID}&showHeadSeparator=false&msgId={BASE64}

However, before the platform makes the request to the aforementioned endpoint, another request is executed to the endpoint below. This latter one presents a vulnerability known as Insecure Direct Object Reference (IDOR).

• GET /ShowMessage.jsp?srID={ID}&allMsg=yes&autoMsg=true&notAddingIndexJSP=true

This request allows, before displaying the tickets on the screen, the possibility to modify the value in the "srID" parameter, which represents the numerical identifier of the ticket. With this modification, it becomes possible to access messages belonging to other users of the platform. The ability to enumerate data is limited to the number of tickets that have been opened.

Example – HTTPS Request:

GET /ShowMessage.jsp?srID={ID}&allMsg=yes&autoMsg=true&notAddingIndexJSP=true HTTP/2
Host: helpdesk.redacted.com
Cookie: JSESSIONID={COOKIE}; accountId={ACCOUNT}; rememberMe=Y; userType=ad00;
communityUserName={BASE64}; communityUserHash={BASE64}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0)

Below is the HTTPS response displayed in the browser. The "sid" parameter contains the ticket identifier (e.g., 123). The Base64 content refers to each message exchanged within the ticket between the requesting user and the administrators (N2 or N3).

Example – HTTPS Response (shortened):

HTTP/2 200 OK
Content-Type: text/html;charset=utf-8
<html>
...
<iframe src="EmailHtmlSourceIframe.jsp?sid={ID}&showHeadSeparator=false&msgId={BASE64}"
frameborder="0"></iframe>
...
</html>

With access to the vulnerable endpoint, any user, even without administrative privileges, can view all tickets, both open and closed, on the platform. To exemplify the flaw, imagine the following scenario: An attacker, with requester-level access, meaning without administrative privileges, is restricted to opening and consulting only the tickets they have originated. In this context, suppose the requester (attacker) has access only to ticket #123.

By exploiting the vulnerable endpoint, they can access tickets from other users on the platform. For example, a ticket like #500, opened by a requester from another company, could be easily accessed by the attacker, resulting in a compromise of information confidentiality.

This unauthorized access represents a critical vulnerability in the platform's security if, during communication between requester and administrator users (N2 or N3), there is sharing of sensitive data such as logins, passwords, tokens, and confidential documents that may have been exchanged for the resolution of tickets.

Vulnerability remediation

SysAid Technologies announced the releases of versions 23.2.15 (SysAid Help Desk On-Premise) and 23.2.50 (SysAid Help Desk Cloud), informing PRIDE Security that the previously mentioned vulnerability has been resolved in these updates.

It is important to highlight that PRIDE Security has not conducted new tests nor confirmed the effectiveness of these corrections.

Communication timeline with manufacturer

• May 17, 2023 – Contact over e-mail.
• May 18, 2023 – SysAid Technologies acknowledge receipt of the e-mail.
• June 12, 2023 – SysAid Technologies provides a roadmap to fix the issue.
• July 17, 2023 – SysAid Technologies reports that the vulnerability has been fixed.
• November 16, 2023 – Public release (PRIDE Security).

Acknowledgements

About PRIDE Security

PRIDE Security is a company specialized in information security that focuses on technical excellence and personalized services. Founded by information security experts, we have worked in various types of projects, from ATM (automated teller machines) penetration testing to national security projects.

Composed of an experienced team of more than 15 years in the market and with technical excellence proven by national and international technical recognition, PRIDE Security sees in each project a new challenge to deliver more than expected.

As proof of international technical recognition, our professionals are constantly approved or invited to lecture on security events around the world. We cite below some examples of congresses, conferences and seminars focused on information security, which we participate as lecturers or coordinators of the technical groups:

• Blackhat – USA
• RSA Conference – USA
• Defcon – USA
• ToorCon – USA
• Blackhat – Europe edition
• OWASP AppSec Research – Europe edition
• OWASP AppSecEU09 – Europe edition
• Troppers – Germany
• H2HC (Hackers 2 Hackers Conference) – Brazil
• YSTS (You Sh0t The Sheriff) – Brazil

In addition to lecturing at major security events around the world, our team of experts are also responsible for writing various papers, co-author of offensive technology patent registered in the United States of America (US8756697), finding and publishing security vulnerabilities in famous software such as Sun Solaris, FreeBSD / NetBSD kernel, QNX RTOS, Microsoft ISA Server, Microsoft Word, Adobe Flash, Adobe PDF, among others.

Many organizations of all sizes concerned with information security rely on PRIDE Security. If you desire, we will be pleased to connect you with our customers to share about their experience with our services.