Zoho ManageEngine ServiceDesk Plus (SDP) Arbitrary File Upload

2019.02.20

Credit: Dao Duy Hung

Risk: High

Local: No

Remote: Yes

CVE: CVE-2019-8394

CWE: CWE-264

CVSS Base Score: 4/10

Impact Subscore: 2.9/10

Exploitability Subscore: 8/10

Exploit range: Remote

Attack complexity: Low

Authentication: Single time

Confidentiality impact: None

Integrity impact: Partial

Availability impact: None

# Exploit Title: Zoho ManageEngine ServiceDesk Plus (SDP) before 10.0 build 10012 - arbitrary file upload
# Date: 18-02-2019
# Exploit Author: Dao Duy Hung (duyhungattt@gmail.com)
# Vendor Homepage: https://www.manageengine.com/products/service-desk/
# Software Link: https://www.manageengine.com/products/service-desk/download.html?opDownload_indexbnr
# Version: 9.4 and 10.0 before 10.0 build 10012
# Tested on: SDP 10.0 build 10000
# CVE : CVE-2019-8394
Detail:
In file common/FileAttachment.jsp line 332 only check file upload extension when parameter 'module' equal to 'SSP' or 'DashBoard' or 'HomePage', and if parameter 'module' is set to 'CustomLogin' will skip check file upload extension function and upload arbitrary file to folder '/custom/login' and this file can access directly from url 'host:port/custom/login/filename' . An authenticated user with minimum permission (ex: guest) can upload webshell to server.
POST /common/FileAttachment.jsp?module=CustomLogin&view=Dashboard1 HTTP/1.1
Host: localhost:8080
Content-Length: 50

See this note in RAW Version

Vote for this issue:

100%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

Zoho ManageEngine ServiceDesk Plus (SDP) Arbitrary File Upload

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.