lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Fri, 02 Oct 2015 16:08:40 +0100
From: Pedro Ribeiro <pedrib@...il.com>
To: "\"fulldisclosure@...lists.org\" <fulldisclosure@...lists.org>; bugtraq" <bugtraq@...urityfocus.com>
Subject: [ZDI-15-396] ManageEngine ServiceDesk Plus remote code execution

Hi,

Yet another RCE bug in ManageEngine ServiceDesk.
This was disclosed by ZDI under ID ZDI-15-396 on August 20th, and fixed
in version 9103 [1].

Details below, full advisory can be obtained from my repo at [E2].
A Metasploit module that exploits this vulnerability has been submitted
upstream in [E3].

Regards,

Pedro Ribeiro
Founder & Director of Research
Agile Information Security

[E1] http://zerodayinitiative.com/advisories/ZDI-15-396/
[E2]
https://raw.githubusercontent.com/pedrib/PoC/master/advisories/ManageEngine/me_sd_file_upload_2.txt
[E3] https://github.com/rapid7/metasploit-framework/pull/6038


>> Remote code execution / arbitrary file upload in ManageEngine
ServiceDesk Plus
>> Discovered by Pedro Ribeiro (pedrib@...il.com), Agile Information
Security
==========================================================================
Disclosure: 20/08/2015 / Last updated: 02/10/2015

>> Background on the affected products:
"ServiceDesk Plus is a help desk software with integrated asset and
project management built on the ITIL framework. It is available in 29
different languages and is used by more than 85,000 companies, across
186 countries, to manage their IT help desk and assets."

A special thanks to ZDI for assisting with the vulnerability reporting
process.
This vulnerability was disclosed by ZDI under ID ZDI-15-396 [1].


>> Technical details:
Vulnerability: Remote code execution via file upload (unauthenticated)
Constraints: no authentication or any other information needed
Affected versions: ServiceDesk Plus v9 build 9000 to build 9103; MSP
versions are NOT vulnerable

POST
/whatever.up?uniqueId=1337&module=../../server/default/deploy&qqfile=bla.ear
<...EAR file payload here...>

The EAR file will be deployed to the JBOSS server with the code,
servlet, etc.
A Metasploit module that exploits this vulnerability has been released.


>> Fix:
Upgrade to build 9103 or above.


>> References:
[1] http://zerodayinitiative.com/advisories/ZDI-15-396/

================
Agile Information Security Limited
http://www.agileinfosec.co.uk/
>> Enabling secure digital business >>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ