Message-ID: <CAEDdjHeVqNLCAtRoLwZWzNgyYduc52skx=ZLSYJREuQpiKpvNg@mail.gmail.com>
Date: Tue, 6 Jan 2015 22:56:40 +0000
From: Pedro Ribeiro <pedrib@...il.com>
To: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>
Subject: Re: [FD] [The ManageOwnage Series, part XI]: Remote code execution in ServiceDesk, Asset Explorer, Support Center and IT360
On 4 January 2015 at 17:19, Pedro Ribeiro <pedrib@...il.com> wrote:
> #2
> Vulnerability: Remote code execution via file upload (unauthenticated)
> CVE-2014-5302
> Constraints: no authentication or any other information needed except
> for IT360 (guest account needed); code execution is only possible by
> replacing one of the <install_dir>bin/ scripts and waiting for them to
> be executed or for a periodic task to run. This is because only text
> files can be uploaded as binary files are mangled; and there is no JSP
> compiler in the $PATH.
> Affected versions: ServiceDesk Plus / Plus MSP v7.6 to v9.0 build
> 9026; AssetExplorer v? to v6.1 build 6106; IT360 v? to v10.4
>
> POST /discoveryServlet/WsDiscoveryServlet?computerName=../bin/run.bat%00
> POST /discoveryServlet/WsDiscoveryServlet?computerName=../bin/backUpData.bat%00
> <...text file / script payload here...>
>
Someone has asked me how CVE-2014-5302 can be exploited.
There are 3 things you have got to keep in mind:
1 - send a null byte (%00) after the file name
2 - send the request as mime type application/octet-stream
3 - send only ASCII data in the request body
Unfortunately it's not as trivial as uploading an ASCII webshell to
the web root. Because of the way these applications are packaged, the
JSP compiler is not set automatically in the PATH/classpath. However,
if you are lucky, the JSP compiler already exists in the
PATH/classpath because of some other application.
Therefore in order to exploit this vulnerability you need to come up
with some clever way like overwriting the run.bat file, uploading a
new /etc/shadow, etc. Note that these apps always run as SYSTEM under
Windows, but they may not run as root in Linux - it depends on how they
were installed.
Regards,
Pedro
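The three request traits listed above (a null byte after the file name, traversal out of the upload directory via the computerName parameter, and the /discoveryServlet/WsDiscoveryServlet endpoint) are also exactly what a defender can key on in web-server logs while waiting for a patch. The script below is an added example, not code from this post or from ManageEngine: it parses a few constructed access-log lines in common log format (the IPs, timestamps and sizes are made up; the servlet path, parameter name and the two bin/ script names are taken from the advisory), percent-decodes the computerName value, and flags any request whose value contains a null byte, a path separator or a ".." component. It also includes a hypothetical allow-list check (`is_plausible_computer_name`) of the kind a reverse proxy or WAF rule in front of the application could apply, since a computer name should never contain a path.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample log lines (not taken from any real server).
SAMPLE_LOG = """\
10.0.0.5 - - [06/Jan/2015:22:10:01 +0000] "POST /discoveryServlet/WsDiscoveryServlet?computerName=../bin/run.bat%00 HTTP/1.1" 200 512
10.0.0.7 - - [06/Jan/2015:22:11:14 +0000] "POST /discoveryServlet/WsDiscoveryServlet?computerName=WS-ACCOUNTING-01 HTTP/1.1" 200 88
10.0.0.9 - - [06/Jan/2015:22:12:30 +0000] "POST /discoveryServlet/WsDiscoveryServlet?computerName=..%2Fbin%2FbackUpData.bat%00 HTTP/1.1" 200 512
10.0.0.3 - - [06/Jan/2015:22:13:02 +0000] "GET /index.jsp HTTP/1.1" 200 4096
"""

# Common log format: ip ident user [timestamp] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Endpoint and parameter named in the advisory.
VULN_PATH = "/discoveryServlet/WsDiscoveryServlet"
PARAM = "computerName"

# Hypothetical allow-list: a hostname-like token, no separators, no control bytes.
NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9.\-_]{0,254}")


def is_plausible_computer_name(value):
    """Allow-list check a proxy rule could enforce: True only for hostname-like values."""
    return NAME_RE.fullmatch(value) is not None


def suspicious_computer_name(value):
    """Return the reasons a (percent-decoded) computerName value looks like an abuse attempt."""
    reasons = []
    if "\x00" in value:
        reasons.append("null byte")
    if "/" in value or "\\" in value:
        reasons.append("path separator")
    # Normalise backslashes so a Windows-style traversal is caught the same way.
    if ".." in value.replace("\\", "/").split("/"):
        reasons.append("parent-directory traversal")
    return reasons


def analyze_log(text):
    """Return (ip, request target, reasons) for each request that hits the
    discovery servlet with a computerName value that fails the checks above."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a log line we understand; skip rather than guess
        target = m.group("target")
        parts = urlsplit(target)
        if parts.path != VULN_PATH:
            continue
        # parse_qs percent-decodes, so %00 becomes "\x00" and %2F becomes "/".
        params = parse_qs(parts.query, keep_blank_values=True)
        for value in params.get(PARAM, []):
            reasons = suspicious_computer_name(value)
            if reasons or not is_plausible_computer_name(value):
                hits.append((m.group("ip"), target, reasons))
    return hits


if __name__ == "__main__":
    for ip, target, reasons in analyze_log(SAMPLE_LOG):
        print(f"{ip} {target} -> {', '.join(reasons) or 'fails allow-list'}")
```

On the constructed sample the first and third lines are reported and the legitimate discovery request for WS-ACCOUNTING-01 is not. Decoding before matching matters: the third request hides the traversal behind %2F, so a rule that only looks for a literal "../" in the raw log line would miss it.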
_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/