Security issues in TeamPasswordManager and Combodo iTop (CVE-2019-19461, CVE-2019-19821)

Pentagrid AG

2020-03-11 11:00

In 2019 we looked at various products that are used by our customers. This post mentions two rather low hanging fruits that might be still important if the software is used due to their potential impact. These vulnerabilities affect TeamPasswordManager and Combodo iTop.

TeamPasswordManager

The first issue we would like to mention briefly was a post-authentication stored Cross-site Scripting (XSS) in the TeamPasswordManager product (teampasswordmanager.com). CVE-2019-19461 has been assigned to this security problem, allowing an authenticated user to steal other user's passwords when a shared password entry is visited. For a password manager this is a severe security issue. All that was necessary for exploitation, was a user account and using some HTML tags in the password entry name. We sent the details to the vendor and they fixed it. As we later found out, this application had several security issues in the past that were found by Qualys, but unfortunately no CVEs were assigned back then and therefore we didn't find them right away.

Combodo iTop

Another product we looked at in 2019 was the Combodo iTop application. It uses the slogan "ITIL for all", provides a web interface that can be used for various business processes such as incident management and change management. The Combodo iTop is a web-based open-source software to support IT Service Management. It is widely used in small and large enterprises according to Combodo's website. As part of a larger scope of a security analysis, Pentagrid AG has briefly analysed the security of the Combodo iTop software and found an authorization vulnerability. By not following the HTTP Location header in server responses, regular authenticated users can access the web application with administrative privileges. This means we found a web application authorization bypass vulnerability that allows post-authentication privilege escalation in Combodo iTop (CVE-2019-19821).

Impact

Authenticated users can browse and modify the web application as administrators. This includes access to all tickets, the inventory and other information of the organization and other users. This allows access to different functionality of the Configuration Management (e.g. IT inventory), Change Management (e.g. ticketing), Service Management (e.g. provider and SLA management) and potentially other functionality of iTop.

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N, 8.1 High

Timeline

2019-12-10: Initial contact request sent to Combodo via contact form on Combodo website
2019-12-10: Initial contact request sent to itop-security@combodo.com according to https://github.com/Combodo/iTop/blob/develop/SECURITY.md
2019-12-11: Vulnerability details sent to Combodo
2019-12-12: Combodo reproduced the vulnerability. The release iTop 2.7 will fix the issue end of March. Maintenance releases for iTop 2.5 and 2.6 are released in the meantime to fix the issues.
2020-01-07: Pentagrid informs Combodo that no maintenance release seems to be available yet, recommends early maintainance release to get high patch adoption rate on planned advisory release date (2020-03-10).
2020-03-11: Advisory public release

Affected Components

The iTop web application was tested in version 2.3.1 build 2832 and in version 2.6.1 (unknown build), which were both affected. Other versions are likely to be affected as well.

Technical Details

While the server will respond with HTTP 302 redirect responses when administrative actions are attempted, the redirect will still include a large HTTP body, which constitutes of the entire administrative interface. Additionally, actions in the administrative interface are executed on the server side, meaning modification of the data is possible.

Exploitation

To reproduce the vulnerability, the iTop web application needs to be installed and a regular user account is necessary. To prevent the browser from following redirects it is easiest to use a local proxy software between the browser and the server. Configuring a search and replace rule that deletes the "Location" HTTP response headers is enough to demonstrate the vulnerability.

The iTop demonstration page that allows administrative and user access on the URL https://www.combodo.com/itop-access-to-the-demonstration could be used to demonstrate the issue. When the search and replace rule in the local proxy software was active, a login as a portal user will automatically show the administrative interface.

Precondition

To exploit the vulnerability, an attacker needs access to the iTop web application as a regular user.

Patches and Workaround

iTop Professional and Essential 2.5.4 and 2.6.3 (dedicated to Combodo Clients) have been released on 2020-01-22. iTop 2.5.4 and 2.6.3 (for iTop Community) were released on 2020-02-05.

iTop Professional and Essential 2.7.0 (dedicated to Combodo Clients) should be released on 2020-03-18. iTop 2.7.0 (for iTop Community) should be released on 2020-04-01.

Web Application Firewalls could potentially be configured to strip all HTTP bodies from 302 redirect responses and therefore prevent sensitive information to be extracted in the most simple attack scenario. However, malicious modifications are still possible if such a mitigation is employed and other channels to leak sensitive information might exist.

Credits

This vulnerability has been found by Tobias Ospelt of Pentagrid AG.