what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

ManageEngine Shell Upload / Directory Traversal

ManageEngine Shell Upload / Directory Traversal
Posted Jan 5, 2015
Authored by Pedro Ribeiro

ManageEngine products Service Desk Plus, Asset Explorer, Support Center, and IT360 suffer from file upload and directory traversal vulnerabilities.

tags | exploit, vulnerability, file inclusion, file upload
advisories | CVE-2014-5301, CVE-2014-5302
SHA-256 | b54ee8abb80c4bd0609677cf861ed3705c479b3f720f286b5441144adbe04dd3

ManageEngine Shell Upload / Directory Traversal

Change Mirror Download

This is part 11 of the ManageOwnage series. For previous parts, see [1].

This time we have two remote code execution via file upload (and
directory traversal) on several ManageEngine products - Service Desk
Plus, Asset Explorer, Support Center and IT360.

The first vulnerability can only be exploited by an authenticated
user, but it can be a low privileged guest (which is a default account
present in almost all installations). This vulnerability can be abused
to drop an EAR file in the JBOSS directory which gets deployed
automatically, giving code execution as SYSTEM / root.

The second vulnerability allows you to perform an unauthenticated
upload to anywhere in the file system with SYSTEM / root privileges.
However only text files are handled correctly, as the servlet mangles
binary files.

Given the prevalence of guest / low privileged / default accounts in
these products, the first vulnerability is by far the most
interesting. I've released a Metasploit module which exploits it for
all products. It should hopefully be integrated soon into Metasploit

The full text of the advisory is below, and a copy can be obtained in
my PoC repo [3].



>> Remote code execution / file upload in ManageEngine ServiceDesk Plus, AssetExplorer, SupportCenter Plus and IT360
>> Discovered by Pedro Ribeiro (pedrib@gmail.com), Agile Information Security
Disclosure: 04/01/2015 / Last updated: 04/01/2015

>> Background on the affected products:
"ServiceDesk Plus is a help desk software with integrated asset and
project management built on the ITIL framework. It is available in 29
different languages and is used by more than 85,000 companies, across
186 countries, to manage their IT help desk and assets."

"SupportCenter Plus is a web-based customer support software that lets
organizations effectively manage customer tickets, their account &
contact information, the service contracts and in the process
providing a superior customer experience."

"ManageEngine AssetExplorer is a web-based IT Asset Management (ITAM)
software that helps you monitor and manage assets in your network from
Planning phase to Disposal phase. AssetExplorer provides you with a
number of ways to ensure discovery of all the assets in your network."

"Managing mission critical business applications is now made easy
through ManageEngine IT360. With agentless monitoring methodology,
monitor your applications, servers and databases with ease. Agentless
monitoring of your business applications enables you high ROI and low
TOC. With integrated network monitoring and bandwidth utilization,
quickly troubleshoot any performance related issue with your network
and assign issues automatically with ITIL based ServiceDesk

>> Technical details:
Vulnerability: Remote code execution via file upload and directory
traversal (authenticated)
Constraints: user login needed, but exploitable with the default low
privilege guest account (u:guest/p:guest)
Affected versions (inclusive): ServiceDesk Plus / Plus MSP v5 to v9.0
v9030; AssetExplorer v4 to v6.1; SupportCenter v5 to v7.9; IT360 v8 to

POST /common/FileAttachment.jsp
POST /workorder/Attachment.jsp (older versions < v7 build 7016;
AssetExplorer v4; all SupportCenter versions)

It is possible to abuse a directory traversal vulnerability when
uploading attachments. A Metasploit module that exploits this
vulnerability has been released.
Post data has to be formatted as a multi-part request with an embedded
ear file. Below is the form data for the newer versions:

Content-Type: multipart/form-data;
Content-Length: 1337

Content-Disposition: form-data; name="module"

Content-Disposition: form-data; name="filePath"; filename="whatever.ear"
Content-Type: application/octet-stream

<...EAR file here...>

Content-Disposition: form-data; name="att_desc"


Vulnerability: Remote code execution via file upload (unauthenticated)
Constraints: no authentication or any other information needed except
for IT360 (guest account needed); code execution is only possible by
replacing one of the <install_dir>bin/ scripts and waiting for them to
be executed or for a periodic task to run. This is because only text
files can be uploaded as binary files are mangled; and there no JSP
compiler in the $PATH.
Affected versions: ServiceDesk Plus / Plus MSP v7.6 to v9.0 build
9026; AssetExplorer v? to v6.1 build 6106; IT360 v? to v10.4

POST /discoveryServlet/WsDiscoveryServlet?computerName=../bin/run.bat%00
POST /discoveryServlet/WsDiscoveryServlet?computerName=../bin/backUpData.bat%00
<...text file / script payload here...>

>> Fix:
#1 is fixed on ServiceDesk Plus 9.0 build 9031. It is UNFIXED on all
other products. Disclosure to ManageEngine was done on 04/08/2014, so
over 150 days have elapsed. The last communication I received from
them was that "Once we released this fix in ServiceDesk plus, we
eventually take this in other products like AssetExplorer and

#2 is fixed on ServiceDesk Plus 9.0 build 9027 and on AssetExplorer
6.1 build 6107. It is UNFIXED for IT360.



Login or Register to add favorites

File Archive:

July 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    27 Files
  • 2
    Jul 2nd
    10 Files
  • 3
    Jul 3rd
    35 Files
  • 4
    Jul 4th
    27 Files
  • 5
    Jul 5th
    18 Files
  • 6
    Jul 6th
    0 Files
  • 7
    Jul 7th
    0 Files
  • 8
    Jul 8th
    28 Files
  • 9
    Jul 9th
    44 Files
  • 10
    Jul 10th
    24 Files
  • 11
    Jul 11th
    25 Files
  • 12
    Jul 12th
    11 Files
  • 13
    Jul 13th
    0 Files
  • 14
    Jul 14th
    0 Files
  • 15
    Jul 15th
    28 Files
  • 16
    Jul 16th
    0 Files
  • 17
    Jul 17th
    0 Files
  • 18
    Jul 18th
    0 Files
  • 19
    Jul 19th
    0 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    0 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags


packet storm

© 2022 Packet Storm. All rights reserved.

Security Services
Hosting By