Benefits of Web Help Desk Software
A Web Help Desk is a powerful software solution for managing and automating remote assistance tickets. It allows users to create FAQs and Knowledge Base articles, which promotes end-user self-service and reduces overhead costs. With the built-in reporting and dashboards, it provides essential insights and metrics for your company. It also automates escalation processes and enables mobile notifications.
In addition to the various features of the program, a web help desk is also connected to a panel. With this feature, the user can configure their accounts at a web browser level. Since the software is accessible from anywhere, it doesn’t require a server or any IT expertise. It is also accessible anytime, anywhere. With a web-based system, it’s easy to use and adapts to the needs of growing businesses.
A Web Help Desk can discover assets and associate them with end-users, as well as help desk tickets, thus providing a complete audit trail. This audit trail can help identify costly repairs and inform asset replacement decisions. A Web Help Desk can be configured to take full control of incident management. It can also automatically convert emails into tickets, route them to staff groups, and enable automatic escalation based on business requirements. It also features a comprehensive audit trail of help desk tickets.
A web help desk can be connected to a panel, which makes it easier to manage. The configuration of this program is performed at the web browser level, which means it is easy to use, no matter how many people access it. Moreover, it doesn’t require any IT expertise, which makes it the perfect solution for businesses with a wide variety of customer support needs. There are even cloud-based versions of this software that adapt to changing requirements.
What is the Solarwinds Web Help Desk and how can it help you?
Marketing materials by Solarwinds:
Solarwinds Web Help Desk allows you to manage all end-user trouble tickets and track the service request lifecycle from ticket creation through resolution from one central help desk management web interface.
Web Help Desk makes it easy to submit help desk tickets, manage IT assets and provide end-user support.
The Attack Surface Map
We discovered that Web Help Desk also used a framework called WebObjects when we tried the web application. The following was an example HTTP request for the
The routing was not clear to us. The file didn’t provide any information about the HTTP request that we saw when we used the web application. Analyzing the file revealed that there was also a Spring application.
We were unable to find any information in the file about how this route was declared and mapped so we did some very basic searches through the codebase to determine where it was being mapped.
Our experience shows that routes don’t always correspond to the request. Other methods may be used to infer details like the extension or .json. This is a common convention you might have encountered when auditing Ruby on Rails apps.
To locate the routing of the application, we created a simple but effective regex: database.*test. The following match was returned by this query:
```text
/whd/helpdesk/WEB-INF/lib/com/macsdesign/whd/ui/Application.java:
    routeRequestHandler.addRoute(new ERXRoute("HelpdeskInitializer", "/configuration/database/test", ERXRoute.Method.Put, WhdInitializationController.class, "testDatabaseSettings"));
```
Perfect. This is how the HTMLObjects routes look. We found the Application.java file containing the routes for the HTMLObjects components of this application.
As we mentioned, the file suggested that there was also a Spring application running in Web Help Desk. As we are familiar with Spring, it was easier to identify the attack surface for this part of the application.
It is a good idea to search the code base for @RequestMapping in order to identify all Spring routes. This returned a lot of controllers with routes mapped through Spring Framework.
We’ve already mapped the routes and have a good idea of what is accessible and exposed in the web application. However, we decided to look through the remaining files in the code base in order to find any obvious omissions.
```javascript
function callAddNoteToOrionAlert(frm) {
    startAPIcall();
    try {
        ... omitted for brevity ...
        var auth = { loginName: 'helpdeskIntegrationUser', password: 'dev-C4F8025E7' };
        RestInvokeAuth("/integration/orionAlertSource/" + id + "/alert/addNote", "POST", data, auth);
    } catch (err) {
        failedAPIcall(err);
    }
}
```
We noticed that these credentials had been hardcoded in a client-side API call. So we searched the codebase to see what access they would allow us.
We found more credentials declared in the ConstantsAndSettings class:
```java
package com.solarwinds.whd.common;

public abstract class ConstantsAndSettings {
    public static final String DEVELOPMENT_SPRING_PROFILE = "development";
    public static final boolean HELPDESKINTEGRATION_ENABLE_DEV_ANYADDRESS = true;
    public static final boolean HELPDESKINTEGRATION_ENABLE_DEV_LOGIN = true;
    public static final String HELPDESKINTEGRATION_REALM_NAME = "Helpdesk integration";
    public static final String HELPDESKINTEGRATION_PRODUCTION_LOGINNAME = "helpdesk91114AD77B4CDCD9E18771057190C08B";
    public static final String HELPDESKINTEGRATION_PRODUCTION_PASSWORD = "1A11E431853F4CC99C27BF729479EB5D";
    public static final String HELPDESKINTEGRATION_DEVELOPMENT_LOGINNAME = "helpdeskIntegrationUser";
    public static final String HELPDESKINTEGRATION_DEVELOPMENT_PASSWORD = "dev-C4F8025E7";
    public static final long SSOAUTH_RECHECK_INTERVAL = 15000L;
    public static final String PRIVILEGED_NETWORKS_PROPERTY = "WHDPrivilegedNetworks";
}
```
We discovered that the application contained two sets of hardcoded credentials after reading the above: one for development and one for production. This was crucial because only the production credentials were used in our final exploit.
We now have the hardcoded credentials. We searched the codebase to see if any authentication logic was being used that relied upon these credentials.
These credentials were accepted at multiple places in the source code:
- /whd/helpdesk/WEB-INF/lib/com/macsdesign/whd/rest/controllers/BasicAuthRouteController.java – accepts both development and production credentials
- /whd/helpdesk/WEB-INF/lib/com/solarwinds/whd/service/impl/auth/HelpdeskIntegrationAuthenticationManager.java – accepts both development and production credentials
- /whd/helpdesk/WEB-INF/lib/com/solarwinds/whd/service/impl/auth/ClusterNodeAuthenticationManager.java – only accepts production credentials
In order to determine which authentication managers were in use, we were able to refer to whd/helpdesk/WEB-INF/lib/whd-security.xml, which declared this information like so:
... omitted to save space...
We have an understanding of the attack surface as well as the authentication requirements for the different routes within the application. It was time to dig into the logic of helpdeskIntegrationAuthenticationManager as we were interested in an endpoint located in the
The source code for HelpdeskIntegrationAuthenticationManager.java can be found below:
```java
WebAuthenticationDetails details = (WebAuthenticationDetails) token.getDetails();

boolean isDevelopment = this.environment.acceptsProfiles(new String[] { "development" });
boolean validCredentials = false;
if ("helpdesk91114AD77B4CDCD9E18771057190C08B".equals(loginName)
        && "1A11E431853F4CC99C27BF729479EB5D".equals(password)) {
    validCredentials = true;
} else if (isDevelopment && "helpdeskIntegrationUser".equals(loginName)
        && "dev-C4F8025E7".equals(password)) {
    validCredentials = true;
}

boolean isAllowedAddress = InternalCommunicationUtils.isAllowedAddress(details.getRemoteAddress(), isDevelopment);
if (isAllowedAddress) {
    if (validCredentials) {
        SimpleGrantedAuthority simpleGrantedAuthority = new SimpleGrantedAuthority("ROLE_INTEGRATION");

        UsernamePasswordAuthenticationToken result = new UsernamePasswordAuthenticationToken(null, password,
                Arrays.asList(new GrantedAuthority[] { (GrantedAuthority) simpleGrantedAuthority }));
        result.setDetails(token.getDetails());
        return (Authentication) result;
    }
}

throw new BadCredentialsException(this.messages
        .getMessage("AbstractUserDetailsAuthenticationProvider.badCredentials"));
```
Let’s get down to it.
- token.getDetails() – this assigns the request’s WebAuthenticationDetails to details
- boolean isDevelopment – this evaluates to false by default
- else if (isDevelopment && "helpdeskIntegrationUser" – this block of code won’t run
- InternalCommunicationUtils.isAllowedAddress – checks if request.getRemoteAddr() is a loopback address
- new SimpleGrantedAuthority("ROLE_INTEGRATION") – if all conditions pass, we get the ROLE_INTEGRATION authority
You may be thinking that we won’t be able to take this exploit further, because InternalCommunicationUtils.isAllowedAddress checks that our request comes from a loopback address.
Here is the fun part. Solarwinds Web Help Desk deployed behind a reverse proxy on the same host gets no protection from this check. In that scenario isAllowedAddress evaluates to true, as request.getRemoteAddr() returns a loopback IP address, allowing for further exploitation.
Later, we confirmed our suspicions when we discovered numerous vulnerabilities that could be exploited in the wild. This mitigation, in our opinion, is a temporary fix for a larger architectural problem: the authentication design ignores basic security principles.
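To make the trust-boundary problem concrete, here is an added Python model (not code from the post or from Solarwinds) of the decision the authentication manager makes: first as decompiled, where a same-host reverse proxy turns every client into a loopback peer, then with the client address attributed through a trusted proxy’s X-Forwarded-For header. The trusted-proxy set, the header handling and the sample addresses are assumptions of this example.

```python
import ipaddress
from typing import Optional, Set

# Production credentials as hardcoded in ConstantsAndSettings (from the decompiled source above).
PROD_LOGIN = "helpdesk91114AD77B4CDCD9E18771057190C08B"
PROD_PASSWORD = "1A11E431853F4CC99C27BF729479EB5D"


def is_allowed_address(remote_addr: str) -> bool:
    """Models InternalCommunicationUtils.isAllowedAddress with the development profile
    off: the TCP peer address must be a loopback address."""
    return ipaddress.ip_address(remote_addr).is_loopback


def authenticate(login: str, password: str, remote_addr: str) -> Optional[str]:
    """Models HelpdeskIntegrationAuthenticationManager with isDevelopment == false.
    Returns the granted authority, or None where the Java code throws BadCredentialsException."""
    valid = login == PROD_LOGIN and password == PROD_PASSWORD
    if is_allowed_address(remote_addr) and valid:
        return "ROLE_INTEGRATION"
    return None


def peer_address_seen_by_app(client_ip: str, proxy_on_same_host: bool) -> str:
    """What request.getRemoteAddr() returns. Behind a reverse proxy on the same host the
    application's TCP peer is the proxy itself, so every client appears as loopback."""
    return "127.0.0.1" if proxy_on_same_host else client_ip


def effective_client_address(remote_addr: str, x_forwarded_for: Optional[str],
                             trusted_proxies: Set[str]) -> Optional[str]:
    """Hardened attribution (an assumption of this example, not the vendor's fix).
    If the peer is a trusted proxy, the client is the rightmost X-Forwarded-For hop,
    i.e. the one that proxy appended; entries further left are client-controlled and
    ignored. A trusted proxy that forwarded no header yields None (origin unknown)."""
    if remote_addr in trusted_proxies:
        if not x_forwarded_for:
            return None
        return x_forwarded_for.split(",")[-1].strip()
    return remote_addr


def authenticate_hardened(login: str, password: str, remote_addr: str,
                          x_forwarded_for: Optional[str], trusted_proxies: Set[str]) -> Optional[str]:
    """Same credential check, but the loopback test runs on the attributed client address."""
    client = effective_client_address(remote_addr, x_forwarded_for, trusted_proxies)
    if client is None:
        return None
    return authenticate(login, password, client)
```

The model still honours the hardcoded credentials on purpose; the attribution change only stops the loopback check from being satisfied by a proxy hop, so removing the credentials themselves remains the real fix.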
We now have some authentication to Solarwinds Web Help Desk via the hardcoded credentials. What is the worst that we can do?
We found the following code after analysing Spring controllers now accessible via our hardcoded credentials:
```java
@RequestMapping(value = "/rawHQL", method = RequestMethod.POST)
@ResponseBody
@ResponseStatus(HttpStatus.OK)
public String getStringResult(@RequestBody String selectHQL) throws Exception {
    logger.debug("Received request for result of this hql=", selectHQL);
    return this.assetReportService.getStringHQLResult(selectHQL);
}
```
Tracing the code for this.assetReportService.getStringHQLResult we found the following sink:
```java
public String getStringHQLResult(String hql) {
    String result = "";
    Query query = this.entityManager.createQuery(hql);
    List items = query.getResultList();

    result = result + result;
    return result;
}
```
It was somewhat surreal to find this controller: an endpoint that executes arbitrary HQL, evaluating whatever query we give it.
We could write HQL queries against these tables as long as the codebase contained Hibernate-mapped Java classes for the database entities we wanted to interact with.
It seems so simple, let’s see if we can make it work.
True story: we spent more than an hour in Burp Suite trying to get this endpoint to execute queries, and it kept failing despite the HQL syntax being correct. We were so confused.
This is a simple POST request, so what could be hard about exploiting it? This is what we saw:
```text
"reason":"org.hibernate.hql.internal.ast.QuerySyntaxException: unexpected token: Cpassword near line 1, column 15 [select+email%2Cpassword+from+Tech=]"
```
The query was being URL-encoded on the way in, which turned it into something that caused a Hibernate query syntax exception.
We were willing to spend another hour debugging this, but a colleague suggested that we send the request with Content-Type: text/plain.
Finally, it worked.
In order to exploit this bug, request.getRemoteAddr() must evaluate to a loopback address. This happens when the reverse proxy is running on the same host.
Below is a proof-of-concept of this vulnerability
The following will be returned:
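For defenders, the two artefacts this post exposes (the hardcoded integration logins and the /rawHQL controller) are easy to look for in access logs. The following detector is an added example, not part of the post or of the product, run over constructed Combined Log Format lines; the /helpdesk path prefix in the samples is an assumption, only the /rawHQL suffix is matched.

```python
import re
from typing import Dict, List, Optional

# Integration logins hardcoded in ConstantsAndSettings (from the decompiled source above).
HARDCODED_LOGINS = {
    "helpdesk91114AD77B4CDCD9E18771057190C08B",  # production
    "helpdeskIntegrationUser",                   # development profile only
}

# Combined Log Format: host ident authuser [date] "request" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def classify(line: str) -> Optional[Dict]:
    """Parse one access-log line and return it with the reasons it is suspicious
    (an empty list means benign); None when the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    reasons: List[str] = []
    # Basic-auth username as the proxy logged it (%u in Apache, $remote_user in nginx).
    if m["user"] in HARDCODED_LOGINS:
        reasons.append("hardcoded-integration-login")
    # Any hit on the rawHQL controller, whatever the method or status: the endpoint
    # has no business being reachable through the public proxy at all.
    if m["path"].split("?", 1)[0].endswith("/rawHQL"):
        reasons.append("rawhql-endpoint")
    return {"ip": m["ip"], "user": m["user"], "method": m["method"],
            "path": m["path"], "status": int(m["status"]), "reasons": reasons}


def scan(lines: List[str]) -> List[Dict]:
    """Return only the parsed lines that triggered at least one reason."""
    return [rec for rec in map(classify, lines) if rec and rec["reasons"]]


# Constructed sample log (not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [23/Oct/2021:10:00:01 +0000] "GET /helpdesk/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '203.0.113.7 - helpdesk91114AD77B4CDCD9E18771057190C08B [23/Oct/2021:10:00:05 +0000] '
    '"POST /helpdesk/rawHQL HTTP/1.1" 200 812 "-" "python-requests/2.26"',
    '198.51.100.9 - helpdeskIntegrationUser [23/Oct/2021:10:01:09 +0000] '
    '"GET /helpdesk/rawHQL HTTP/1.1" 405 0 "-" "curl/7.79"',
    '198.51.100.9 - - [23/Oct/2021:10:02:00 +0000] "GET /helpdesk/rawHQL?x=1 HTTP/1.1" 401 0 "-" "curl/7.79"',
]
```

Run this against the reverse proxy’s access log rather than the application’s own log: behind a same-host proxy the application records every client as 127.0.0.1, so only the proxy still has the real source address.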
These issues were dealt with seriously by Solarwinds. We appreciate their cooperation in resolving this issue and in corresponding with us.
This issue was reported to Solarwinds on October 23, 2021.
Below is the timeline for this disclosure process:
- October 23rd, 2021 – Disclosure of the hardcoded credentials and the HQL vulnerability to Solarwinds PSIRT
- November 8th, 2021 – Response from Solarwinds confirms receipt of vulnerability
- November 25th, 2021 – Response from Solarwinds confirms patch release date
- December 23rd, 2021 – Response from Solarwinds confirms release of Web Help Desk 12.7.7 hotfix 1
Solarwinds’ advisory provides satisfactory details that will help ensure that the vulnerability is not exploited. Here is the knowledge base article that details the workarounds or patches to be applied.
Solarwinds Web Help Desk contained hardcoded credentials. These credentials allowed access to sensitive controllers capable of running arbitrary HQL queries. An attacker could use this vulnerability to modify, update, delete or insert nearly any information in the database.
Assetnote’s Security Research Team is constantly looking for security flaws in enterprise software as part of our Continuous Security Platform development. This helps customers to identify security problems across their attack surface.
This research shows that organizations that use enterprise software often have poor visibility into, or misunderstand, the risks. Organizations tend to focus too much on network and in-house issues, at the expense of visibility and awareness of third-party software. We have seen that many vulnerabilities remain in enterprise software, and they are not always obvious.
This vulnerability was first discovered by customers of our Attack Surface Management platform. Contact us if you’re interested in having a complete, real-time view of your attack surface.
Assetnote is Hiring!
For current opportunities, please visit our careers page. Even if you don’t see any open positions in your field, we are always looking for the best talent.
An important benefit of a Web Help Desk is that it is easy to use and is customizable. Users can access information and configure settings at the web browser level, and can even manage customer tickets and IT assets. These systems are great for businesses that require a flexible and user-friendly system. These programs are also highly secure and can be used to streamline help desk ticket management processes. You can choose to purchase one that includes additional tools to manage customer service requests.
A Web Help Desk allows you to keep track of your assets. By automatically discovering and assigning computer hardware and software assets to specific users, you can easily manage your IT assets and ensure they are in good condition. Your employees will appreciate the automated inventory alerts, which will streamline your IT inventory planning and minimize costs. Using this software for your IT asset management tasks will save you time. The web help desk will also automate your inventory and help you manage it more effectively.
A Web Help Desk connects with a panel, allowing you to configure it from anywhere. The configuration is available at the web browser level, and all you need is an Internet connection. The software is connected to a panel, so you do not need to worry about security. The best part is that it is completely customizable, allowing your staff to customize it to suit their needs. It also gives you the flexibility to set different settings for different departments.
A web help desk connects to a panel for easy monitoring and management. Its web browser interface is the main interface, which allows users to configure the system to their liking. Most of the software will also work with your existing IT department, so you can focus on improving the customer experience. However, there are some limitations to using cloud-based software. A cloud-based application allows for customization and is available at all times. The system is accessible from any computer, which is a great feature if you have a limited amount of staff.
A web help desk can be connected to a panel. Depending on your needs, a web help desk can be connected to an email system. The main benefit is that you can automate the entire customer support process through the use of a website. This helps your employees to be more efficient and productive. You can automate the process and track assets, ensuring that it is easy to solve problems and improve the quality of service.