Message-ID: <CAEDdjHeVqNLCAtRoLwZWzNgyYduc52skx=ZLSYJREuQpiKpvNg@mail.gmail.com>
Date: Tue, 6 Jan 2015 22:56:40 +0000
From: Pedro Ribeiro <pedrib@...il.com>
To: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>
Subject: Re: [FD] [The ManageOwnage Series, part XI]: Remote code execution in ServiceDesk, Asset Explorer, Support Center and IT360

On 4 January 2015 at 17:19, Pedro Ribeiro <pedrib@...il.com> wrote:
> #2
> Vulnerability: Remote code execution via file upload (unauthenticated)
> CVE-2014-5302
> Constraints: no authentication or any other information needed except
> for IT360 (guest account needed); code execution is only possible by
> replacing one of the <install_dir>bin/ scripts and waiting for them to
> be executed or for a periodic task to run. This is because only text
> files can be uploaded as binary files are mangled; and there is no JSP
> compiler in the $PATH.
> Affected versions: ServiceDesk Plus / Plus MSP v7.6 to v9.0 build
> 9026; AssetExplorer v? to v6.1 build 6106; IT360 v? to v10.4
>
> POST /discoveryServlet/WsDiscoveryServlet?computerName=../bin/run.bat%00
> POST /discoveryServlet/WsDiscoveryServlet?computerName=../bin/backUpData.bat%00
> <...text file / script payload here...>
>

Someone has asked me how CVE-2014-5302 can be exploited. There are 3 things you have to keep in mind:

1 - send a null byte (%00) after the file name
2 - send the request as mime type application/octet-stream
3 - send only ASCII data in the request body

Unfortunately it's not as trivial as uploading an ASCII webshell to the web root. Because of the way these applications are packaged, the JSP compiler is not set automatically in the PATH/classpath. However, if you are lucky, the JSP compiler already exists in the PATH/classpath because of some other application. Therefore, in order to exploit this vulnerability, you need to come up with some clever way, like overwriting the run.bat file, uploading a new /etc/shadow, etc.

Note that these apps always run as SYSTEM under Windows, but they may not run as root in Linux - it depends on how they were installed.

Regards,
Pedro

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
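The three conditions Pedro lists (a null byte after the file name, an octet-stream body, ASCII-only content) describe a file name that is never validated before it reaches the filesystem. The Python below is an added example written from the defender's side; it is not code from Pedro, from the advisory, or from ManageEngine. It shows two things: a hardened handler for a value like `computerName` (an allowlist plus a containment check on the resolved path) and a detector that scans access-log lines for requests to the servlet named in the advisory whose `computerName` carries a NUL byte, a `..` token or a path separator. The upload directory, the Common Log Format sample lines and the client addresses are constructed for the example and are not from the page.

```python
import os
import re
import urllib.parse

# Constructed sample access-log lines (Common Log Format), not real traffic.
# The first and third request lines reuse the request shape from the post.
SAMPLE_LOG = """\
10.0.0.5 - - [06/Jan/2015:22:56:40 +0000] "POST /discoveryServlet/WsDiscoveryServlet?computerName=../bin/run.bat%00 HTTP/1.1" 200 12
10.0.0.7 - - [06/Jan/2015:22:57:01 +0000] "POST /discoveryServlet/WsDiscoveryServlet?computerName=host01 HTTP/1.1" 200 12
10.0.0.8 - - [06/Jan/2015:22:57:30 +0000] "POST /discoveryServlet/WsDiscoveryServlet?computerName=..%5Cbin%5CbackUpData.bat%00 HTTP/1.1" 200 12
10.0.0.9 - - [06/Jan/2015:22:58:13 +0000] "GET /index.html HTTP/1.1" 200 512
"""

# Servlet path and parameter name as they appear in the advisory.
VULN_PATH = "/discoveryServlet/WsDiscoveryServlet"
PARAM = "computerName"

# Pulls method and request-target out of a CLF line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Allowlist for a value that is meant to be a host name: starts with a letter
# or digit, then letters, digits, dots or hyphens, at most 64 characters.
# By construction this excludes "/", "\\" and NUL; ".." is checked separately.
SAFE_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,63}$")


def is_safe_computer_name(name: str) -> bool:
    """Server-side validation: accept only host-name-like values, never a path."""
    if not SAFE_NAME_RE.match(name):
        return False
    # "a..b" passes the character class but is still a traversal token.
    return ".." not in name


def resolve_upload_path(upload_dir: str, name: str) -> str:
    """Hardened file-name handling: allowlist the name, then prove the resolved
    path is still inside upload_dir. Raises ValueError on any violation."""
    if not is_safe_computer_name(name):
        raise ValueError("rejected %s value: %r" % (PARAM, name))
    base = os.path.realpath(upload_dir)
    target = os.path.realpath(os.path.join(base, name))
    if os.path.commonpath([base, target]) != base:
        raise ValueError("path escapes upload directory: %r" % target)
    return target


def accepts_upload_name(upload_dir: str, name: str) -> bool:
    """Boolean wrapper around resolve_upload_path, convenient for checks."""
    try:
        resolve_upload_path(upload_dir, name)
        return True
    except ValueError:
        return False


def classify_computer_name(value: str) -> list:
    """Return the reasons an already URL-decoded value matches the attack pattern."""
    reasons = []
    if "\x00" in value:
        reasons.append("null byte")
    if ".." in value:
        reasons.append("traversal")
    if "/" in value or "\\" in value:
        reasons.append("path separator")
    return reasons


def find_suspicious_requests(log_text: str) -> list:
    """Scan CLF lines for requests to the discovery servlet whose computerName
    carries a NUL byte, traversal or path separator. Returns (ip, value, reasons)."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        url = urllib.parse.urlsplit(m.group("target"))
        if url.path != VULN_PATH:
            continue
        # parse_qs URL-decodes, so %00 becomes a real NUL and %5C a backslash.
        params = urllib.parse.parse_qs(url.query, keep_blank_values=True)
        for value in params.get(PARAM, []):
            reasons = classify_computer_name(value)
            if reasons:
                hits.append((line.split()[0], value, reasons))
    return hits


if __name__ == "__main__":
    for ip, value, reasons in find_suspicious_requests(SAMPLE_LOG):
        print("%s %r -> %s" % (ip, value, ", ".join(reasons)))
```

Run directly, the script prints the two flagged requests from the sample log and ignores the benign `host01` upload and the unrelated `GET`. Pointed at a real web server access log, any hit from `find_suspicious_requests` is worth an alert: a legitimate host name never contains a NUL byte, a `..` token or a path separator, so there is no false-positive surface to tune. On the server side, `resolve_upload_path` rejects the same inputs before any file is touched, and the `commonpath` check catches traversal even if the allowlist were later loosened.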