CVE-2015-2995
Published 2015-06-08
Priority P260 · medium · CVSS 2.0: 6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P
EXPLOIT
EPSS: 33.79% (98.2th percentile)
The RdsLogsEntry servlet in SysAid Help Desk before 15.2 does not properly check file extensions, which allows remote attackers to upload and execute arbitrary files via a NULL byte after the extension, as demonstrated by a .war%00 file.
Affected
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| sysaid | sysaid | <= 15.1 | — |
Detection & IOCs
- Detect unauthenticated POST requests to the RdsLogsEntry servlet path (/sysaid/rdslogs); no authentication is required to upload files.
- Alert on POST requests to /sysaid/rdslogs containing a 'rdsName' query parameter with a null byte (\x00 / %00) in the filename, especially with a .war extension before the null byte.
- Detect path traversal sequences (e.g., '../../../../') in the rdsName parameter of requests to the rdslogs servlet.
- Monitor for new .war files appearing in the Tomcat webapps directory (tomcat/webapps/) as a post-exploitation indicator of successful WAR deployment.
- A Content-Type of 'application/octet-stream' or 'application/xml' on POST requests to /sysaid/rdslogs with a Zlib-deflated body is characteristic of this exploit.
- After WAR upload, watch for GET requests to a newly created random-named application path on the same server; this is the payload trigger step.
- The null-byte injection technique only works on Java 6 or Java 7 up to 7u25; Java 7u40 and above patch null byte injection in file names, making the exploit ineffective on those JVM versions.
- Windows SysAid installations are practically unexploitable because SysAid bundles Java 7u40+ with its Windows package, which blocks null byte injection.
- The exploit requires a preliminary request to create the upload directory before the WAR upload will succeed.
- Affected versions are SysAid Help Desk v14.3 and v14.4 (specifically confirmed on v14.3.12 b22 and v14.4.32 b25); the vulnerability is fixed in version 15.2 and later.
Exploit-DB
SysAid Help Desk 'rdslogs' - Arbitrary File Upload (Metasploit)
exploitdb · 2015-07-21
---
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'zlib'
class Metasploit3 "SysAid Help Desk 'rdslogs' Arbitrary File Upload",
'Description' => %q{
This module exploits a file upload vulnerability in SysAid Help Desk v14.3 and v14.4.
The vulnerability exists in the RdsLogsEntry servlet which accepts unauthenticated
file uploads and handles zip file contents in a insecure way. By combining both weaknesses,
a remote attacker can accomplish remote code execution. Note that this will only work if the
target is running Java 6 or 7 up to 7u25, as Java 7u40 and above introduces a protection
against null byte injec
Exploit-DB
SysAid Help Desk 14.4 - Multiple Vulnerabilities
exploitdb · 2015-06-10 · CVSS 7.5
CVE-2015-3001 [HIGH]
---
>> Multiple vulnerabilities in SysAid Help Desk 14.4
>> Discovered by Pedro Ribeiro ([email protected]), Agile Information Security
Disclosure: 03/06/2015 / Last updated: 10/06/2015
>> Background on the affected product:
"SysAid is an ITSM solution that offers all the essentials, with everything you need for easy and efficient IT support and effective help desk operations. Its rich set of features includes a powerful service desk, asset management and discovery, self-service, and easy-to-use tools for understanding and optimizing IT performance."
Metasploit modules that exploit #1, #2, #3, #4, #5 and #6 have been released and should be integrated in the Metasploit framework soon.
All vulnerabilities affect both the Windows and Linux v
Metasploit
SysAid Help Desk 'rdslogs' Arbitrary File Upload
This module exploits a file upload vulnerability in SysAid Help Desk v14.3 and v14.4. The vulnerability exists in the RdsLogsEntry servlet which accepts unauthenticated file uploads and handles zip file contents in an insecure way. By combining both weaknesses, a remote attacker can accomplish remote code execution. Note that this will only work if the target is running Java 6 or 7 up to 7u25, as Java 7u40 and above introduces a protection against null byte injection in file names. This module has been tested successfully on version v14.3.12 b22 and v14.4.32 b25 in Linux. In theory this module also works on Windows, but SysAid seems to bundle Java 7u40 and above with the Windows package which prevents the vulnerability from being exploited.
- http://packetstormsecurity.com/files/132138/SysAid-Help-Desk-14.4-Code-Execution-Denial-Of-Service-Traversal-SQL-Injection.html
- http://seclists.org/fulldisclosure/2015/Jun/8
- http://www.rapid7.com/db/modules/exploit/multi/http/sysaid_rdslogs_file_upload
- http://www.securityfocus.com/archive/1/535679/100/0/threaded
- http://www.securityfocus.com/bid/75038
- https://www.exploit-db.com/exploits/37667/
- https://www.sysaid.com/blog/entry/sysaid-15-2-your-voice-your-service-desk

Published: 2015-06-08