ID VU:294272 Type cert Reporter CERT Modified 2016-08-16T13:59:00
Overview
ReadyDesk, version 9.1 and possibly others, contains SQL injection, path traversal, hard-coded cryptographic key, and arbitrary file upload vulnerabilities that may be leveraged to expose sensitive data and execute arbitrary code in the context of the vulnerable software.
Description
ReadyDesk is a help desk ticketing web application designed to facilitate business internal or business to customer interactions.
CWE-89: Improper Neutralization of Special Elements used in a SQL Command ('SQL Injection') - CVE-2016-5048
The user name field of http://<IP>/readydesk/chat/staff/default.aspx fails to properly escape single quote (') characters provided as field input. Through error-based, blind SQL injection attacks, a remote, unauthenticated attacker may obtain full database contents, including user passwords, which are stored as SHA1 hashes.
CWE-22: Improper Limitation of a Pathname to a Restricted Directory - CVE-2016-5049
The SESID parameter of requests to http://<IP>/readydesk/chat/openattach.aspx is vulnerable to directory traversal and may be exploited to read arbitrary files on affected systems when combined with the FNAME parameter. For instance, to download SQL_Config.aspx, an attacker would make a request to:
http://<IP>/readydesk/chat/openattach.aspx?SESID=..\..\hd\data&FNAME=SQL_Config.aspx
CWE-321: Use of Hard-coded Cryptographic Key - CVE-2016-5683
SQL Server user credentials stored in SQL_Config.aspx are encrypted using a hard-coded cryptographic key found in ReadyDesk.dll. An attacker capable of obtaining the encrypted password can easily decrypt it for use in further attacks.
CWE-434: Unrestricted Upload of File with Dangerous Type - CVE-2016-5050
Files uploaded via http://<IP>/readydesk/chat/sendfile.aspx are not properly validated, allowing arbitrary upload of files with a dangerous type. A remote, unauthenticated attacker could execute arbitrary code by uploading a specially crafted .aspx page and then requesting it.
The CVE score below describes CVE-2016-5050.
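As an added example, not ReadyDesk's own code (which is ASP.NET) and written here in Python, the two server-side checks that address CVE-2016-5049 and CVE-2016-5050 as described above: SESID and FNAME are each constrained to a single path component and the resolved path is confined to the attachment directory, and uploads are accepted only by an extension allowlist that excludes server-executable types such as .aspx. The base directory and the allowed extensions are assumptions.

```python
from pathlib import Path, PurePosixPath

# Assumed layout: attachments live under one base directory. ReadyDesk's real
# directory layout is not given by the advisory.
ATTACHMENT_BASE = Path("/srv/readydesk/chat/attachments")

# Allowlist for sendfile.aspx uploads; server-executable types (.aspx, .asp,
# .ashx, ...) are simply absent, which is the check CVE-2016-5050 lacked.
ALLOWED_UPLOAD_EXTENSIONS = {".txt", ".pdf", ".png", ".jpg", ".jpeg", ".gif", ".zip"}


def resolve_attachment(sesid: str, fname: str, base: Path = ATTACHMENT_BASE) -> Path:
    """Map SESID/FNAME (already URL-decoded by the framework) to a file under base.

    CVE-2016-5049 arose because the handler joined SESID and FNAME into a path,
    so SESID=..\\..\\hd\\data walked out of the attachment directory. Here each
    parameter must be one plain path component, and the resolved result must
    still lie under base, which also catches symlink tricks.
    """
    for name, value in (("SESID", sesid), ("FNAME", fname)):
        if not value or "\x00" in value or "/" in value or "\\" in value:
            raise ValueError(f"{name} must be a single path component")
        if value in (".", ".."):
            raise ValueError(f"{name} must not be a dot entry")
    candidate = (base / sesid / fname).resolve()
    if base.resolve() not in candidate.parents:
        raise ValueError("path escapes the attachment directory")
    return candidate


def validate_upload_name(fname: str) -> str:
    """Return the name to store an upload under, or raise ValueError.

    Any client-supplied directory part is discarded, and only the final
    extension decides acceptance, so "shell.aspx" and "img.jpg.aspx" are
    both refused while "IMG.PNG" is accepted.
    """
    leaf = fname.replace("\\", "/").rsplit("/", 1)[-1]
    if not leaf or leaf in (".", "..") or "\x00" in leaf:
        raise ValueError("invalid upload file name")
    ext = PurePosixPath(leaf).suffix.lower()
    if ext not in ALLOWED_UPLOAD_EXTENSIONS:
        raise ValueError(f"upload type {ext or '(none)'} is not permitted")
    return leaf
```

Both functions expect inputs the web framework has already URL-decoded once; decoding again inside the handler would reopen the traversal.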
Impact
A remote, unauthenticated attacker can obtain sensitive database information, read arbitrary files, and execute arbitrary code in the context of the vulnerable software.
Solution
The CERT/CC is currently unaware of a practical solution to these problems. A vendor advisory for version 9.2 (http://readydesk.com/news.asp?ID=88) states that it contains "Critical Security Updates," though details are not provided and it is unknown whether any of the vulnerabilities described above are addressed.
Vendor Information
ReadyDesk: Affected
Notified: June 20, 2016; Updated: August 09, 2016
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
CVSS Metrics
Group | Score | Vector
Base | 7.5 | AV:N/AC:L/Au:N/C:P/I:P/A:P
Temporal | 6.4 | E:POC/RL:U/RC:UR
Environmental | 4.8 | CDP:ND/TD:M/CR:ND/IR:ND/AR:ND
References
http://www.readydesk.com/
https://cwe.mitre.org/data/definitions/89.html
https://cwe.mitre.org/data/definitions/22.html
https://cwe.mitre.org/data/definitions/321.html
https://cwe.mitre.org/data/definitions/434.html
Acknowledgements
Thanks to Andrew Tierney of Pen Test Partners for reporting these vulnerabilities.
This document was written by Joel Land.
Other Information
CVE IDs: CVE-2016-5048, CVE-2016-5049, CVE-2016-5683, CVE-2016-5050
Date Public: 2016-08-16
Date First Published: 2016-08-16
Date Last Updated: 2016-08-16 13:59 UTC
Document Revision: 21