Higher Ed ERP Portal Vulnerability (Part III)
tl;dr: Vulnerability in Jenzabar JICS (all unpatched versions), a Higher Ed ERP portal used by numerous small-to-medium sized colleges/universities, that allows anyone to create local portal users.
While reviewing the Jenzabar JICS (Jenzabar Internet Campus Solution) portal, I stumbled across the following page: https://my.domain.edu/ICS/StaticPages/AddTestUsers.aspx
It’s an unauthenticated page available on default installs of all Jenzabar JICS versions that lets any anonymous user on the Internet hit the URL and create active portal accounts. It has one form on the page with two fields: an input box for the username and an input box for the number of users you want. Upon submission with the “Create Test Users” button, portal users are created with the following format: Test1, Test2, Test3 if the entered prefix was “Test” and the number entered was “3”. If the number entered is “1” and the prefix is “Provost,” one portal account will be created called “Provost1.”
The created users all have the same, hard-coded, easily guessable default password for every user (“1234”). Although the new accounts are rather locked down, I could create a UniversityPresident1 account on that page, host a third-party RSS feed with a phishing form, and email it out to look legitimate from a known internal URL. Not to mention it exposes the moxman file browser through the MCE boxes, and makes my previously disclosed web shell vulnerability in this same product available even to users who didn’t previously have credentials to login for exploitation.
Let me state that again: if a college/university is running an affected version of Jenzabar JICS, this vulnerability stacked with the previous one I linked above allows unauthenticated remote privilege escalation to root/admin on that university’s SIS portal server. Once in, it’s trivial to exfiltrate data on all constituents of whom the university has record. To my knowledge, the vendor hotfix doesn’t change the version number of the product.
Remove the AddTestUsers.aspx from your portal server. There’s absolutely no reason it should be there as best I can tell. I hypothesize it is an inadvertently leftover remnant from development.
Additionally, the vendor has released patches/guidance on their listserv for registered customers.
2019-Feb-06: Vendor confirmed that patches have been issued
2018-Nov-26: Disclosed to Vendor
2019-Mar-24: CVE-2019–10011 issued for this vuln