Itarian

Product description

We, Hidde Smit and me (Wietse), have discovered multiple vulnerabilities within Itarian.

Vulnerabilities in the following products have been found:

  • ITarian SaaS platform
  • ITarian on-premise (version 6.35.37347.20040)
  • Endpoint Manager Communication Client (version 6.43.41148.21120)

ITarian is a Remote Monitoring and Management (RMM) software suite. It allows administrators to manage endpoints. Because of this powerful position within an organisation, RMM suites are often targeted by malicious actors.

Making initial contact with ITarian proved to be difficult. The vulnerabilities were discovered in December 2021. However, contact and subsequent fixes only started rolling out in May 2022.

Cross-Site Scripting in ITarian SaaS Service Desk module (ITarian SaaS platform)

In order to exploit this Cross-Site Scripting (XSS) vulnerability, the victim needs to enable the Service Desk module, which is not enabled by default.

The vulnerability can be exploited by visiting the victim’s Support Ticket System page as shown in the screenshot below.

Cookie reflected

There are two XSS vulnerabilities. One is present in the Email Address field and the other in the Full Name field.

The payload for Email Address is: "<script>alert(document.cookie)</script>"@something.somewhere

The payload for Full Name is: <script>alert(document.cookie)</script>

The Email Address payload triggers once an ITarian MSP user has opened the ticket contents as shown in the screenshot below, the ticket might also trigger if the user hovers over the ticket to preview the content.

XSS1 XSS2

Using this exploit technique, it is possible to steal the ‘OSTSESSID’ cookie and gain access to the ticketing system of the victim by visiting the direct URL, in this case: `https://newayas375.servicedesk.comodo.com/scp/tickets.php

The cookie ‘token’ can also be stolen, which is actually a SSO-token granting full access to the MSP dashboard without any credentials needed. This can be done by stealing the ‘token’ cookie through XSS as demonstrated above and placing it in the MSP URL as shown below: https://newayas375.cmdm.comodo.com/?sso-token=4412a307-38b3-4364-820e-b0f227a6b9fe

POC

CVE’s

The following CVE’s assigned to the on-prem version: