Zammad Helpdesk: Zero-Day-Vulnerability

by Erik Kipka, Consultant

During a security test at one of our customers, we came across a web application that had integrated helpdesk software. There, we identified a critical zero-day vulnerability, which was because Zammad did not correctly perform authorization for certain attachment endpoints. This would allow an unauthenticated attacker to gain access to all attachments — such as pictures, emails or otherwise attached files. In this blog post, we describe how the vulnerability was identified and exploited, as well as what caused it.

~3 min reading time

  1. Background knowledge
  2. Mapping the Attack Surface
  3. Exploiting the Vulnerability (Dumping Everything)
  4. Identifying the Source of the Vulnerability & Mitigation
  5. Vendor Response

1. Background knowledge

Many companies use some type of helpdesk. That is used by companies to cover support requests both in-house and for end users. We show how the zero-day vulnerability was identified during our security audit and the extent to which exploitation of this vulnerability would result.

2. Mapping the Attack Surface

Zammad is usually protected by authentication that prevents unauthorized user from viewing its contents. In some cases, however, authentication is not required for certain content; for example, the helpdesk logo loaded on the main page must also be available for unauthenticated users. During testing, we were able to identify several different endpoints in the application that were accessible to an unauthenticated user. Among them were those that could be freely accessed through the application’s API path. Any user could interact with the “get attachment” call through the endpoint /api/v1/attachments/:id. We also noticed that the API path requires an ID to access the ticket attachments. Since the IDs are numeric and consecutive, this allowed us to create a complete data dump of the ticket attachments. The vulnerability allows an unauthenticated user to download the helpdesk software’s ticket attachments and view its contents. As a result, an attacker can perform more advanced attacks using the information from the attachments. Therefore, we were able to obtain internal information about the customer’s infrastructure, as well as user credentials and employee email addresses.
Potential attack vectors in this case would be social engineering attacks such as phishing, or bypassing authentication procedures using the credentials identified in the attachments.

3. Exploiting the Vulnerability (Dumping Everything)

The following snippet shows the exploit that made it possible to dump the ticket attachments. The exploit consists of a loop that processes all sequence numbers from 1 to 1,000,000, calling ticket attachments. A complete dump of the attachments could be created over it.

#!/bin/sh

for i in $(seq 1 1000000)
do
    wget "https://target.zammad.com/api/v1/attachments/$i"
done

4. Identifying the Source of the Vulnerability & Mitigation

The next step was to develop a corresponding mitigation for the identified security vulnerability. For this purpose, the source code of the open source software was analyzed. The code responsible for the leak was identified in the file /app/controllers/attachments_controller.rb. After successfully submitting all the information, the developers worked on the bug fix and developed an appropriate security patch.

The security patch now ensures that a non-authenticated user is no longer able to call the attachments of the Zammad Help-Desk application.

5. Vendor Response

The vulnerability was immediately reported by our consultants to the provider of the helpdesk software on June 24, 2022. The vendor patched the vulnerability on July 5, 2022 (version 5.2.1).

For the ones who are interested, this is their Git commit which fixes the vulnerability.

The publication of the vulnerability can be found at Zammad’s advisories page.