ReadyDesk contains multiple vulnerabilities

Overview

ReadyDesk, version 9.1 and possibly others, contains SQL injection, path traversal, hard-coded cryptographic key, and arbitrary file upload vulnerabilities that may be leveraged to expose sensitive data and execute arbitrary code in the context of the vulnerable software.

Description

ReadyDesk is a help desk ticketing web application designed to facilitate business internal or business to customer interactions.

CWE-89: Improper Neutralization of Special Elements used in a SQL Command (‘SQL Injection’) - CVE-2016-5048

The user name field of http://<IP>/readydesk/chat/staff/default.aspx fails to properly escape single quote characters, or ', provided as field input. Through error-based, blind SQL injection attacks, a remote, unauthenticated attacker may obtain full database contents, including user passwords which are stored as SHA1 hashes.

CWE-22: Improper Limitation of a Pathname to a Restricted Directory - CVE-2016-5049

The SESID parameter of requests to http://<IP>/readydesk/chat/openattach.aspx is vulnerable to directory traversal and may be exploited to read arbitrary files on affected systems when combined with the FNAME parameter. For instance, to download SQL_Config.aspx, an attacker would make a request to:

http://<IP>/readydesk/chat/openattach.aspx?SESID=..\..\hd\data&FNAME=SQL_Config.aspx

CWE-321**: Use of Hard-coded Cryptographic Key -**CVE-2016-5683

SQL Server user credentials stored in SQL_Config.aspx are encrypted using a hard-coded cryptographic key found in ReadyDesk.dll. An attacker capable of obtaining the encrypted password can easily decrypt it for use in further attacks.

CWE-434: Unrestricted Upload of File with Dangerous Type - CVE-2016-5050

Files uploaded via http://<IP>/readydesk/chat/sendfile.aspx are not properly validated, allowing for arbitrary upload of files with a dangerous type. A remote, unauthenticated attacker could execute arbitrary code by uploading and making a request to a specially crafted aspx page.

The CVE score below describes CVE-2016-5050.

---

Impact

A remote, unauthenticated attacker can obtain sensitive database information, read arbitrary files, and execute arbitrary code in the context of the vulnerable software.

---

Solution

The CERT/CC is currently unaware of a practical solution to these problems. A vendor advisory for version 9.2 states that it contains “Critical Security Updates,” though details are not provided and it is unknown whether any of the vulnerabilities described above are addressed.

---

Vendor Information

294272

Filter by status: All Affected Not Affected Unknown

Filter by content: __ Additional information available

__ Sort by: Status Alphabetical

Expand all

Javascript is disabled. Click here to view vendors.

ReadyDesk Affected

Notified: June 20, 2016 Updated: August 09, 2016

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

CVSS Metrics

Group	Score	Vector
Base	7.5	AV:N/AC:L/Au:N/C:P/I:P/A:P
Temporal	6.4	E:POC/RL:U/RC:UR
Environmental	4.8	CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

References

• <http://www.readydesk.com/&gt;
• <https://cwe.mitre.org/data/definitions/89.html&gt;
• <https://cwe.mitre.org/data/definitions/22.html&gt;
• <https://cwe.mitre.org/data/definitions/321.html&gt;
• <https://cwe.mitre.org/data/definitions/434.html&gt;

Acknowledgements

Thanks to Andrew Tierney of Pen Test Partners for reporting these vulnerabilities.

This document was written by Joel Land.

Other Information

CVE IDs:	CVE-2016-5048, CVE-2016-5049, CVE-2016-5683, CVE-2016-5050
Date Public:	2016-08-16 Date First Published: