ManageEngine ServiceDesk File Upload / Code Execution

05 Oct 2015 00:00:00 | Reported by Pedro Ribeiro | Type: packetstorm | Source: packetstormsecurity.com

ManageEngine ServiceDesk File Upload / Code Execution, RCE bug in version 910

`Hi,  
  
Yet another RCE bug in ManageEngine ServiceDesk.  
This was disclosed by ZDI under ID ZDI-15-396 on August 20th, and fixed  
in version 9103 [E1].  
  
Details below, full advisory can be obtained from my repo at [E2].  
A Metasploit module that exploits this vulnerability has been submitted  
upstream in [E3].  
  
Regards,  
  
Pedro Ribeiro  
Founder & Director of Research  
Agile Information Security  
  
[E1] http://zerodayinitiative.com/advisories/ZDI-15-396/  
[E2]  
https://raw.githubusercontent.com/pedrib/PoC/master/advisories/ManageEngine/me_sd_file_upload_2.txt  
[E3] https://github.com/rapid7/metasploit-framework/pull/6038  
  
  
>> Remote code execution / arbitrary file upload in ManageEngine  
ServiceDesk Plus  
>> Discovered by Pedro Ribeiro ([email protected]), Agile Information  
Security  
==========================================================================  
Disclosure: 20/08/2015 / Last updated: 02/10/2015  
  
>> Background on the affected products:  
"ServiceDesk Plus is a help desk software with integrated asset and  
project management built on the ITIL framework. It is available in 29  
different languages and is used by more than 85,000 companies, across  
186 countries, to manage their IT help desk and assets."  
  
A special thanks to ZDI for assisting with the vulnerability reporting  
process.  
This vulnerability was disclosed by ZDI under ID ZDI-15-396 [1].  
  
  
>> Technical details:  
Vulnerability: Remote code execution via file upload (unauthenticated)  
Constraints: no authentication or any other information needed  
Affected versions: ServiceDesk Plus v9 build 9000 to build 9103; MSP  
versions are NOT vulnerable  
  
POST  
/whatever.up?uniqueId=1337&module=../../server/default/deploy&qqfile=bla.ear  
<...EAR file payload here...>  
  
The EAR file will be deployed to the JBOSS server with the code,  
servlet, etc.  
A Metasploit module that exploits this vulnerability has been released.  
  
  
>> Fix:  
Upgrade to build 9103 or above.  
  
  
>> References:  
[1] http://zerodayinitiative.com/advisories/ZDI-15-396/  
  
================  
Agile Information Security Limited  
http://www.agileinfosec.co.uk/  
>> Enabling secure digital business >>  
`
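
Added example, not part of the original advisory or the author's code: a check a defender could run over web access logs to find requests shaped like the one in the technical details (a POST to a path ending in .up whose module parameter climbs out of the upload directory, or whose qqfile is a deployable archive). The common-log format, the sample lines, the function names and the .war extension are assumptions made for this example.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample lines in "common" access-log format (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [05/Oct/2015:10:00:01 +0000] "GET /HomePage.do HTTP/1.1" 200 5120
10.0.0.9 - - [05/Oct/2015:10:00:07 +0000] "POST /whatever.up?uniqueId=1337&module=../../server/default/deploy&qqfile=bla.ear HTTP/1.1" 200 17
10.0.0.9 - - [05/Oct/2015:10:00:09 +0000] "POST /x.up?uniqueId=1&module=%2e%2e%2f%2e%2e%2fserver&qqfile=a.txt HTTP/1.1" 200 17
10.0.0.7 - - [05/Oct/2015:10:01:00 +0000] "POST /file.up?uniqueId=42&module=Request&qqfile=screenshot.png HTTP/1.1" 200 17
"""

REQUEST_RE = re.compile(r'^\S+ .*?"([A-Z]+) (\S+) HTTP/[\d.]+" \d{3}')
DEPLOYABLE = (".ear", ".war")  # .ear is from the advisory; .war is an assumption

def fully_decode(value, rounds=3):
    """Undo up to `rounds` extra layers of percent-encoding."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_upload(line):
    """Return the reasons a log line matches the advisory's request shape."""
    m = REQUEST_RE.match(line)
    if not m:
        return []
    method, target = m.groups()
    url = urlsplit(target)
    if method != "POST" or not url.path.lower().endswith(".up"):
        return []
    params = parse_qs(url.query, keep_blank_values=True)  # decodes one layer
    reasons = []
    for module in params.get("module", []):
        norm = fully_decode(module).replace("\\", "/")
        if ".." in norm.split("/") or norm.startswith("/"):
            reasons.append("module parameter leaves the upload directory")
    for name in params.get("qqfile", []):
        if fully_decode(name).lower().endswith(DEPLOYABLE):
            reasons.append("qqfile has a deployable extension")
    return reasons

def scan(log_text):
    """Return (client, reasons) for every line that matched."""
    return [(l.split()[0], r) for l in log_text.splitlines()
            if (r := suspicious_upload(l))]
```

Calling scan(SAMPLE_LOG) flags the second and third constructed lines and leaves the ordinary upload and the GET request alone.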
