We identified the solution on the network front end and tried to find details about associated vulnerabilities in public resources, but found nothing. To reduce the impact on the testing network, we used the vendor's evaluation version for further research.
We installed the system on our testing machine and detected several vulnerabilities via fuzzing and manual analysis (http://www.ptsecurity.ru/advisory1.aspx):
– Arbitrary command execution in ManageEngine ServiceDesk Plus 8.0.0
– Information disclosure in ManageEngine ServiceDesk Plus 8.0.0
– Root path traversal in ManageEngine ServiceDesk Plus 8.0.0
According to the PT disclosure policy, we prepared and sent the appropriate notifications to the vendor. As one of the vulnerabilities was described on 23rd June 2011 on the popular resource exploit-db.com (ManageEngine Service Desk Plus 8.0 Directory Traversal Vulnerability), the Positive Research Team published its details.
The vulnerability is in the FileDownload.jsp script, which lets users download files from the server. Because the requested path is not constrained to the ServiceDesk web directory, an attacker can use a path traversal sequence to read the contents of files located outside it. The vulnerability is especially dangerous because the functions of FileDownload.jsp are reachable by unauthorized users. Distribution kits for different OSes are vulnerable: on Windows, an attacker can retrieve any file from the system logical disk; on Unix-like systems, an attacker can retrieve any file that the user account that started the application has rights to read.
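The root cause described above is a download handler that never checks whether the requested path stays inside the web directory. The following is an added example (not code from the original post, and not ManageEngine's own code) showing the containment check such a handler needs, and reusing that same check as a detection rule over web-server access logs. It assumes a combined-log-style access log, a query parameter named `file` (a placeholder; the page does not name the real parameter), and a web root of `/srv/servicedesk/webapps` (also a placeholder); the log lines are constructed for this example.

```python
"""Path-containment check for a file-download endpoint, plus a log detector
that flags requests to FileDownload.jsp which would escape the web root.
Added example; parameter name, web root and log lines are constructed."""
import os
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, unquote, urlparse

# Placeholder web root; the real ServiceDesk install path is not on the page.
WEB_ROOT = "/srv/servicedesk/webapps"

DRIVE_LETTER = re.compile(r"^[A-Za-z]:")


def resolve_download_path(base_dir: str, requested: str) -> Optional[str]:
    """Return the path of `requested` relative to `base_dir` if it stays inside
    that directory, else None. This is the check the vulnerable handler lacked:
    it rejects '../' sequences (plain or percent-encoded), backslash variants,
    absolute Unix paths and Windows drive letters."""
    # Decode twice: a single pass turns %252e%252e into %2e%2e, not into '..'.
    decoded = unquote(unquote(requested))
    # Normalise Windows separators so '..\\' cannot slip past a '/'-only check.
    decoded = decoded.replace("\\", "/")
    # Absolute paths and drive letters are never valid download targets.
    if decoded.startswith("/") or DRIVE_LETTER.match(decoded):
        return None
    base = os.path.realpath(base_dir)
    # realpath collapses '..' lexically even when the file does not exist.
    candidate = os.path.realpath(os.path.join(base, decoded))
    try:
        if os.path.commonpath([base, candidate]) != base:
            return None
    except ValueError:  # different drives on Windows: certainly outside base
        return None
    return os.path.relpath(candidate, base)


# Combined-log-style line: client, timestamp, request line, status code.
ACCESS_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)


def flag_traversal_requests(log_lines: List[str]) -> List[Tuple[str, int, str]]:
    """Return (client_ip, status, parameter_value) for every request to
    FileDownload.jsp whose query parameter would resolve outside WEB_ROOT.
    Reusing resolve_download_path keeps the detection rule identical to the
    hardening rule, so encoded and backslash variants are covered too."""
    hits = []
    for line in log_lines:
        m = ACCESS_LINE.match(line)
        if not m:
            continue
        url = urlparse(m["target"])
        if not url.path.lower().endswith("/filedownload.jsp"):
            continue
        # parse_qs decodes one layer of percent-encoding; the resolver decodes
        # the rest, so double-encoded payloads are still caught.
        for values in parse_qs(url.query).values():
            for value in values:
                if resolve_download_path(WEB_ROOT, value) is None:
                    hits.append((m["ip"], int(m["status"]), value))
    return hits


# Constructed sample log: one benign download, three escape attempts from the
# same client, and an unrelated request to another script.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2012:10:12:01 +0400] "GET /FileDownload.jsp?file=help/manual.pdf HTTP/1.1" 200 48213',
    '10.0.0.9 - - [01/Jan/2012:10:12:07 +0400] "GET /FileDownload.jsp?file=../../../backup/database_placeholder.data HTTP/1.1" 200 9918233',
    '10.0.0.9 - - [01/Jan/2012:10:12:09 +0400] "GET /FileDownload.jsp?file=..%252f..%252fetc%252fpasswd HTTP/1.1" 200 1823',
    '10.0.0.9 - - [01/Jan/2012:10:13:00 +0400] "GET /FileDownload.jsp?file=C:\\Windows\\win.ini HTTP/1.1" 404 0',
    '10.0.0.5 - - [01/Jan/2012:10:14:00 +0400] "GET /index.jsp?x=../../ HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for ip, status, value in flag_traversal_requests(SAMPLE_LOG):
        print(f"{ip} status={status} escaped web root with: {value!r}")
```

Two points worth noting. A 200 status on a flagged line means the file was actually served, which is why the detector reports the status alongside the value, and why requests whose value points at the `/backup/` folder deserve the highest priority in triage. Decoding twice in the resolver is deliberate: application servers typically decode the query string once, so a double-encoded sequence arrives at the handler still containing `%2e`, and a check that only looks for a literal `../` would miss it.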
The vulnerability was used in penetration testing to read ManageEngine ServiceDesk backup files.
Like any enterprise-level application, ManageEngine ServiceDesk has a backup feature (in line with ITIL principles ;)).
Given the system's purpose, it is easy to see that backup copies contain a lot of sensitive data, such as identifiers and user passwords for LDAP/Active Directory/network devices, SNMP community strings, etc.
We analyzed the backup architecture implemented in ManageEngine ServiceDesk and found that backup files are stored in the /backup/ folder and have names of the form 'database_DD_MM_YYYY_HH_MM.data' for a data-only backup copy and 'fullbackup_DD_MM_YYYY_HH_MM.data' for a full backup copy that also includes user files.
The simplest way to conduct the attack is to brute-force the backup file names, but we chose another method: analysis of the ManageEngine system logs, which is more efficient and saves electric power (yes, we are Greenpeace followers). We quickly found details of the backup procedure in the retrieved files. Below you can find the exploit that allows you to conduct the attack.
The Directory Traversal Vulnerability is fixed in ManageEngine ServiceDesk 8_0_0_SP-0_12_0, which is available on the vendor's site (http://www.manageengine.com/products/service-desk/). The vendor plans to fix the other vulnerabilities soon.