Bugtraq mailing list archives
[ZDI-15-396] ManageEngine ServiceDesk Plus remote code execution
From: Pedro Ribeiro <pedrib () gmail com>
Date: Fri, 02 Oct 2015 16:08:40 +0100
Hi, Yet another RCE bug in ManageEngine ServiceDesk. This was disclosed by ZDI under ID ZDI-15-396 on August 20th, and fixed in version 9103 [1]. Details below, full advisory can be obtained from my repo at [E2]. A Metasploit module that exploits this vulnerability has been submitted upstream in [E3]. Regards, Pedro Ribeiro Founder & Director of Research Agile Information Security [E1] http://zerodayinitiative.com/advisories/ZDI-15-396/ [E2] https://raw.githubusercontent.com/pedrib/PoC/master/advisories/ManageEngine/me_sd_file_upload_2.txt [E3] https://github.com/rapid7/metasploit-framework/pull/6038
Remote code execution / arbitrary file upload in ManageEngine
ServiceDesk Plus
Discovered by Pedro Ribeiro (pedrib () gmail com), Agile Information
Security ========================================================================== Disclosure: 20/08/2015 / Last updated: 02/10/2015
Background on the affected products:
"ServiceDesk Plus is a help desk software with integrated asset and project management built on the ITIL framework. It is available in 29 different languages and is used by more than 85,000 companies, across 186 countries, to manage their IT help desk and assets." A special thanks to ZDI for assisting with the vulnerability reporting process. This vulnerability was disclosed by ZDI under ID ZDI-15-396 [1].
Technical details:
Vulnerability: Remote code execution via file upload (unauthenticated) Constraints: no authentication or any other information needed Affected versions: ServiceDesk Plus v9 build 9000 to build 9103; MSP versions are NOT vulnerable POST /whatever.up?uniqueId=1337&module=../../server/default/deploy&qqfile=bla.ear <...EAR file payload here...> The EAR file will be deployed to the JBOSS server with the code, servlet, etc. A Metasploit module that exploits this vulnerability has been released.
Fix:
Upgrade to build 9103 or above.
References:
[1] http://zerodayinitiative.com/advisories/ZDI-15-396/ ================ Agile Information Security Limited http://www.agileinfosec.co.uk/
Enabling secure digital business >>
Current thread:
- [ZDI-15-396] ManageEngine ServiceDesk Plus remote code execution Pedro Ribeiro (Oct 05)