ManageEngine ServiceDesk Plus: Arbitrary File Upload

Introduction

This article is a write up on how I found my second critical vulnerability at the company’s internal bounty program.

I wrote this for educational purposes only. Do not perform any illegal activity or pen-testing without permission.

Vulnerability exploitation

After a bunch of enumerations and information gathering on subdomains. I found an interesting subdomain that uses ManageEngine ServiceDesk Plus, which have lots of potential security risk.
A few minutes in, I discovered a way to get RCE on this subdomain. This method required an authenticated user to send a POST request to a vulnerable endpoint. (CVE-2019–8394).

2020 solving 2020 problems

In file common/FileAttachment.jsp line 332 only check file upload extension when parameter ‘module’ equal to ‘SSP’ or ‘DashBoard’ or ‘HomePage’, and if parameter ‘module’ is set to ‘CustomLogin’ will skip check file upload extension function and upload arbitrary file to folder ‘/custom/login’ and this file can access directly from url ‘host:port/custom/login/filename’ . An authenticated user with minimum permission (ex: guest) can upload webshell to server.

So the first thing is to acquire an account (don’t care about the privileges). Rolled the dices and found the simplest account credentials of all time. This made me remembered about my first bug bounty case for V* with admin:admin credentials, easy money easy life.

admin:admin

Got the account, let’s dive into the process of gaining RCE

The first step is to authenticate to access the application with guest credentials, then the server will send a response with cookie parameters.

After that, take the cookie parameters and webshell content and put them in sections showed in the image below (I got the webshell from this repo)

Notes: Edit your webshell content to have no newlines (spaces are ok), I struggled for half an hour to get my shell run properly.

The server send me an 200 OK response. Go check the path

/custom/login/{your_shell_name}.jsp

Thank god the shell popped up. I can execute arbitrary code on the web server from now on!

First time RCE on Window
Corona Quarantine List?

Conclusion

  • Always keep your application up-to-date to mitigate security issues.
  • Keep trying, there’s still a light at the end of the tunnel xD

References

https://github.com/SecurityRiskAdvisors/cmd.jsp

Currently studying Computer Science at University of Engineering & Technology — VNU. Working as an intern at VSEC. Love CTF, website development and cybersec

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store