projectdiscovery / nuclei-templates

Community curated list of templates for the nuclei engine to find security vulnerabilities.
https://github.com/projectdiscovery/nuclei
MIT License

manageengine-servicedesk-plus-user-enumeration #6074

Open lopesg opened 1 year ago

lopesg commented 1 year ago

Template Information

Version 9.0 and below of ManageEngine ServiceDesk allow an unauthenticated attacker to request the "AJaxDomainServlet" script to enumerate arbitrary usernames and domains. If the user does not exist, the server replies with the null value. If the user exists, the server returns the domain name the user belongs to. This issue was fixed in version 9.0 Build 9031.

For this template, I chose to test a non-existent user. If the server returns null, a vulnerable version is used. The template only tests the unauthenticated issue.

Nuclei Template

id: manageengine-servicedesk-plus-user-enumeration

info:
  name: ManageEngine ServiceDesk Plus User Enumeration Vulnerability
  author: Guillaume Lopes
  severity: info
  description: ManageEngine ServiceDesk Plus is vulnerable to unauthenticated user enumeration. The application returns the domain name if the user specified on the search parameter exists.
  reference:
    - https://www.tenable.com/plugins/nessus/86444
    - https://www.rewterz.com/vulnerabilities/manageengine-servicedesk-plus-user-enumeration-vulnerability
    - https://www.exploit-db.com/exploits/35891
  classification:
    cvss-metrics: CVSS:2/AV:N/AC:L/Au:N/C:P/I:N/A:N
    cvss-score: 5
  tags: manageengine,enumeration,exposure

requests:
  - method: GET
    path:
      - "{{BaseURL}}/domainServlet/AJaxDomainServlet?action=searchLocalAuthDomain&search=nonexistant"

    matchers-condition: and
    matchers:
      - type: word
        words:
          - 'null'

      - type: status
        status:
          - 200

ritikchaddha commented 1 year ago

Hello @lopesg, thank you for sharing this template with us 🍻

While validating this template, apart from null I came across some other responses as well, like showAllDomains and Not in Domain. Are the hosts giving these responses also vulnerable?

Also, feel free to join the discord server if you have more info that you can share directly over DM.

lopesg commented 1 year ago

Hello @ritikchaddha,

Sorry for the delay to answer.

In my testing, I didn't get this behavior. I only got 2 different answers. First, if the user does not exist, the application replied with a null value. However, if the user exists, the application returns the name of the domain the user belongs to. For instance, if the domain name is TOTO, the application returns TOTO.

Right now, I don't have any vulnerable instance where I can check.

But I'm not sure it means the application is vulnerable.

aringo commented 1 year ago

For additional context, I got Not in Domain on a system that did not look to utilize LDAP. This is probably auth specific.
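The following is an added Python example, not code from the nuclei-templates repository or from anyone in this thread. It pulls together two things discussed above: the matcher logic of the submitted template (HTTP 200 plus the word `null`, which in nuclei's `word` matcher is a substring test, so a larger body that merely contains "null" also fires) and the extra reply variants reported by ritikchaddha and aringo (`showAllDomains`, `Not in Domain`), which the thread could not confirm as vulnerable and are therefore flagged for manual review rather than as a match. It also shows the defender's side: a small detector that reads constructed Apache-style access-log lines and counts how many distinct `search=` values each client sends to `AJaxDomainServlet`, since a burst of different usernames from one source is what enumeration looks like in server logs. The log lines, IP addresses, usernames and the threshold are all constructed or assumed for the example.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Servlet path and action taken from the template in the opening post.
SERVLET_PATH = "/domainServlet/AJaxDomainServlet"
SERVLET_ACTION = "searchLocalAuthDomain"


def template_matches(status, body):
    """Reproduce the template's matchers: status 200 AND the word 'null'.

    nuclei's `word` matcher is a substring test, so any 200 body that
    contains "null" (e.g. a JSON error with a null field) would also match;
    keep that in mind when triaging hits.
    """
    return status == 200 and "null" in body


def classify_response(status, body):
    """Map a servlet reply to the outcomes discussed in the thread.

    'user-not-found' -> bare 'null' (the template's vulnerable-build signature)
    'user-exists'    -> a bare domain label such as TOTO, as lopesg observed
    'needs-review'   -> 'showAllDomains' / 'Not in Domain' (unconfirmed in thread)
    'no-match'       -> anything else (non-200, empty body, HTML error page ...)
    """
    text = body.strip()
    if status != 200 or not text:
        return "no-match"
    if text == "null":
        return "user-not-found"
    if text in ("showAllDomains", "Not in Domain"):
        return "needs-review"
    # A bare domain label: letters, digits, dots, hyphens, underscores only.
    if re.fullmatch(r"[A-Za-z0-9._-]+", text):
        return "user-exists"
    return "no-match"


# Apache combined-log style line: ip ident user [ts] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def enumeration_sources(log_lines, threshold=5):
    """Return {client_ip: distinct_search_values} for clients that sent at
    least `threshold` different `search=` values to the servlet (assumed
    threshold; tune to the environment)."""
    distinct = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if url.path != SERVLET_PATH:
            continue
        qs = parse_qs(url.query)
        if qs.get("action", [""])[0] != SERVLET_ACTION:
            continue
        for value in qs.get("search", []):
            distinct[m.group("ip")].add(value)
    return {ip: len(values) for ip, values in distinct.items() if len(values) >= threshold}


# Constructed sample log: one client probing six usernames, one client probing
# a single username, and one unrelated request (addresses from RFC 5737 ranges).
SAMPLE_LOG = [
    f'203.0.113.7 - - [10/Oct/2023:12:00:0{i} +0000] "GET {SERVLET_PATH}'
    f'?action={SERVLET_ACTION}&search={name} HTTP/1.1" 200 4'
    for i, name in enumerate(["admin", "jsmith", "root", "test", "guest", "backup"])
] + [
    f'198.51.100.4 - - [10/Oct/2023:12:01:00 +0000] "GET {SERVLET_PATH}'
    f'?action={SERVLET_ACTION}&search=alice HTTP/1.1" 200 4',
    '198.51.100.4 - - [10/Oct/2023:12:01:05 +0000] "GET /index.html HTTP/1.1" 200 512',
]


if __name__ == "__main__":
    print(classify_response(200, "null"), classify_response(200, "TOTO"))
    print(enumeration_sources(SAMPLE_LOG))
```

Running the block on the constructed log reports only `203.0.113.7` (six distinct usernames); the single lookup from `198.51.100.4` stays below the threshold, which is the point of counting distinct values rather than raw request volume.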