CVE-2015-2993
published 2015-06-08CVE-2015-2993: SysAid Help Desk before 15.2 does not properly restrict access to certain functionality, which allows remote attackers to (1) create administrator accounts via…
PriorityP271high7.5CVSS 2.0
AVNACLAuNCPIPAP
EXPLOIT
EPSS
55.36%
98.9th percentile
SysAid Help Desk before 15.2 does not properly restrict access to certain functionality, which allows remote attackers to (1) create administrator accounts via a crafted request to /createnewaccount or (2) write to arbitrary files via the fileName parameter to /userentry.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| sysaid | sysaid | <= 15.1 | — |
Detection & IOCsextracted from sources · hover to see the quote
- →Monitor for unauthenticated POST/GET requests to the /createnewaccount endpoint on SysAid Help Desk instances, which should not be publicly accessible and indicates an attempt to create a rogue administrator account. ↗
- →Monitor for unauthenticated requests to /userentry containing a 'fileName' parameter, which may indicate an arbitrary file write attempt. ↗
- →The exploit only works once per target; a single successful request to /createnewaccount from an unauthenticated source is sufficient to indicate full compromise. Alert on any unauthenticated access to this endpoint. ↗
- →Exploitation has been confirmed on SysAid versions 14.4 on both Windows and Linux platforms; prioritize detection on these OS environments running SysAid prior to 15.2. ↗
- ·The admin account creation exploit is a one-shot attack per target instance; repeated attempts will fail, meaning a single anomalous unauthenticated request to /createnewaccount is the only detectable window. ↗
- ·Created administrator credentials must be verified manually after exploitation; automated confirmation of successful account creation is not built into the attack module. ↗
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
No detection rules found.
Exploit-DB
SysAid Help Desk 14.4 - Multiple Vulnerabilities
exploitdb·2015-06-10·CVSS 7.5
CVE-2015-3001 [HIGH] SysAid Help Desk 14.4 - Multiple Vulnerabilities
SysAid Help Desk 14.4 - Multiple Vulnerabilities
---
>> Multiple vulnerabilities in SysAid Help Desk 14.4
>> Discovered by Pedro Ribeiro ([email protected]), Agile Information Security
Disclosure: 03/06/2015 / Last updated: 10/06/2015
>> Background on the affected product:
"SysAid is an ITSM solution that offers all the essentials, with everything you need for easy and efficient IT support and effective help desk operations. Its rich set of features includes a powerful service desk, asset management and discovery, self-service, and easy-to-use tools for understanding and optimizing IT performance."
Metasploit modules that exploit #1, #2, #3, #4, #5 and #6 have been released and should be integrated in the Metasploit framework soon.
All vulnerabilities affect both the Windows and Linux v
Metasploit
SysAid Help Desk Administrator Account Creation
metasploit
SysAid Help Desk Administrator Account Creation
SysAid Help Desk Administrator Account Creation
This module exploits a vulnerability in SysAid Help Desk that allows an unauthenticated user to create an administrator account. Note that this exploit will only work once. Any subsequent attempts will fail. On the other hand, the credentials must be verified manually. This module has been tested on SysAid 14.4 in Windows and Linux.
No writeups or analysis indexed.
http://packetstormsecurity.com/files/132138/SysAid-Help-Desk-14.4-Code-Execution-Denial-Of-Service-Traversal-SQL-Injection.htmlhttp://seclists.org/fulldisclosure/2015/Jun/8http://www.securityfocus.com/archive/1/535679/100/0/threadedhttp://www.securityfocus.com/bid/75038https://www.sysaid.com/blog/entry/sysaid-15-2-your-voice-your-service-deskhttp://packetstormsecurity.com/files/132138/SysAid-Help-Desk-14.4-Code-Execution-Denial-Of-Service-Traversal-SQL-Injection.htmlhttp://seclists.org/fulldisclosure/2015/Jun/8http://www.securityfocus.com/archive/1/535679/100/0/threadedhttp://www.securityfocus.com/bid/75038https://www.sysaid.com/blog/entry/sysaid-15-2-your-voice-your-service-desk
2015-06-08
Published