ManageEngine ServiceDesk Plus 9.0 Privilege Escalation

2015-01-23T00:00:00
ID PACKETSTORM:130081
Type packetstorm
Reporter Muhammed Ahmed Siddiqui
Modified 2015-01-23T00:00:00

Description

                                        
                                            `================================================================================  
[REWTERZ-20140103] - Rewterz - Security Advisory  
================================================================================  
  
Title: ManageEngine ServiceDesk Plus User Privileges Management Vulnerability  
Product: ServiceDesk Plus (http://www.manageengine.com/)  
Affected Version: 9.0 (Other versions could also be affected)  
Fixed Version: 9.0 Build 9031  
Vulnerability Impact: Low  
Advisory ID: REWTERZ-20140103  
Published Date: 22-Jan-2015  
Researcher: Muhammad Ahmed Siddiqui  
Email: ahmed [at] rewterz.com  
URL: http://www.rewterz.com/vulnerabilities/manageengine-servicedesk-plus-user-privileges-management-vulnerability  
  
================================================================================  
  
  
Product Introduction  
===============  
  
ServiceDesk Plus is a help desk software with integrated asset and  
project management built on the ITIL framework. It is available in 29  
different languages and is used by more than 85,000 companies, across  
186 countries, to manage their IT help desk and assets.  
  
  
Source: http://www.manageengine.com/products/service-desk/  
  
  
Vulnerability Information  
===================  
  
Class: Improper Privilege Management  
Impact: Low privileged user can access application data  
Remotely Exploitable: Yes  
Authentication Required: Yes  
User interaction required: Yes  
CVE Name: N/A  
  
  
Vulnerability Description  
==================  
  
A user with limited privileges could gain access to certain  
functionality that is available only to administrative users. For  
example, users with Guest privileges can see the subjects of the  
tickets, stats and other information related to tickets.  
  
  
Proof-of-Concept  
=============  
  
http://127.0.0.1:8080/servlet/AJaxServlet?action=getTicketData&search=dateCrit  
  
http://127.0.0.1:8080/swf/flashreport.swf  
  
http://127.0.0.1:8080/reports/flash/details.jsp?group=Site  
  
http://127.0.0.1:8080/reports/CreateReportTable.jsp?site=0  
  
  
  
Timeline  
======  
  
23-Dec-2014 – Notification to Vendor  
24-Dec-2014 – Response from Vendor  
30-Dec-2014 – Vulnerability fixed by Vendor  
  
  
About Rewterz  
===========  
  
Rewterz is a boutique Information Security company, committed to  
consistently providing world class professional security services. Our  
strategy revolves around the need to provide round-the-clock quality  
information security services and solutions to our customers. We  
maintain this standard through our highly skilled and professional  
team, and custom-designed, customer-centric services and products.  
  
http://www.rewterz.com  
  
  
Complete list of vulnerability advisories published by Rewterz:  
  
http://www.rewterz.com/resources/security-advisories  
`