CVE-2015-2996
Published 2015-06-08
Priority P2 · 68 · high · CVSS 2.0 base score 8.5
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:P/I:N/A:C
Exploit: available
EPSS: 86.64% (99.7th percentile)
Multiple directory traversal vulnerabilities in SysAid Help Desk before 15.2 allow remote attackers to (1) read arbitrary files via a .. (dot dot) in the fileName parameter to getGfiUpgradeFile or (2) cause a denial of service (CPU and memory consumption) via a .. (dot dot) in the fileName parameter to calculateRdsFileChecksum.
Affected (1 range)

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| sysaid | sysaid | <= 15.1 | — |
Detection & IOCs (extracted from sources)

- Detect directory traversal attempts targeting the 'fileName' parameter in GET requests to the 'getGfiUpgradeFile' endpoint; look for '../' sequences in the parameter value.
- Detect directory traversal attempts targeting the 'fileName' parameter in GET requests to the 'calculateRdsFileChecksum' endpoint; look for '../' sequences, which can cause CPU/memory exhaustion (DoS).
- Successful exploitation of the LFI via getGfiUpgradeFile returns HTTP 200 with /etc/passwd content; match the response body for the regex pattern 'root:[x*]:0:0'.
- The vulnerability is exploitable without authentication; chain with CVE-2015-2997 (information disclosure) to first obtain the filesystem path, then use the directory traversal to download arbitrary files.
- On Windows targets, directory traversal is limited to the current drive; cross-drive traversal (e.g., a C:\ path when the server runs on D:\) will not succeed.
- The Metasploit module 'sysaid_sql_creds' abuses the same file download primitive to retrieve the server configuration file containing encrypted database credentials; monitor for requests to configuration file paths via the traversal endpoint.
- The traversal depth used in the Nuclei template (7 levels: '../../../../../../../') targets Linux /etc/passwd; adjust depth and target path for Windows environments.
- The CVE-2015-2997 information disclosure primitive does not work on Windows; the file download chain (CVE-2015-2997 + CVE-2015-2996) is therefore only fully functional on Linux targets.
- The Metasploit credential-disclosure module was tested against SysAid 14.4 on both Windows and Linux; the database password in the config file is encrypted with a fixed, known key.
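The IOCs above describe a request-side check (a dot-dot sequence in the `fileName` parameter of the two servlets) and a response-side check (the `root:[x*]:0:0` pattern in a body served back with HTTP 200). The following is an added example written for this page, not a detection rule from any of the cited sources, that applies both checks to web-server access-log lines in combined log format. The log lines, the `/sysaid/` context path and the `scan_log`/`classify_request` helper names are constructed assumptions; only the endpoint names, the parameter name and the regex come from the IOC list.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Servlet names quoted in the IOC list for CVE-2015-2996.
LFI_ENDPOINT = "getGfiUpgradeFile"
DOS_ENDPOINT = "calculateRdsFileChecksum"

# "../" on Linux and "..\" on Windows, checked after percent-decoding.
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")

# Response-side success indicator quoted in the IOC list (leaked /etc/passwd).
PASSWD_ROOT_RE = re.compile(r"root:[x*]:0:0")

# Request line of a combined-format access log (assumed layout).
LOG_RE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)


def decode_param(value, rounds=3):
    """Percent-decode repeatedly so double-encoded dot-dot sequences are visible."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify_request(target):
    """Return 'lfi', 'dos' or None for a raw request target such as
    '/sysaid/getGfiUpgradeFile?fileName=...'."""
    parts = urlsplit(target)
    endpoint = parts.path.rsplit("/", 1)[-1]
    if endpoint not in (LFI_ENDPOINT, DOS_ENDPOINT):
        return None
    # parse_qs decodes once; decode_param handles further encoding layers.
    for value in parse_qs(parts.query, keep_blank_values=True).get("fileName", []):
        if TRAVERSAL_RE.search(decode_param(value)):
            return "lfi" if endpoint == LFI_ENDPOINT else "dos"
    return None


def scan_log(lines):
    """Return (line_number, label, http_status) for every line matching an IOC."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = LOG_RE.search(line)
        if not match:
            continue
        label = classify_request(match.group("target"))
        if label:
            hits.append((number, label, int(match.group("status"))))
    return hits


def response_indicates_disclosure(body):
    """True when a response body carries the /etc/passwd root-line indicator."""
    return bool(PASSWD_ROOT_RE.search(body))


# Constructed sample log lines; not captured from any real system.
SAMPLE_LOG = [
    '10.0.0.5 - - [08/Jun/2015:10:00:01 +0000] "GET /sysaid/getGfiUpgradeFile?fileName=upgrade.zip HTTP/1.1" 200 512',
    '10.0.0.9 - - [08/Jun/2015:10:00:02 +0000] "GET /sysaid/getGfiUpgradeFile?fileName=../../../../../../../etc/passwd HTTP/1.1" 200 1893',
    '10.0.0.9 - - [08/Jun/2015:10:00:03 +0000] "GET /sysaid/getGfiUpgradeFile?fileName=..%252f..%252fetc%252fpasswd HTTP/1.1" 404 0',
    '10.0.0.9 - - [08/Jun/2015:10:00:04 +0000] "GET /sysaid/calculateRdsFileChecksum?fileName=..\\..\\..\\windows\\win.ini HTTP/1.1" 500 0',
    '10.0.0.7 - - [08/Jun/2015:10:00:05 +0000] "GET /sysaid/Login.jsp HTTP/1.1" 200 3321',
]

if __name__ == "__main__":
    for number, label, status in scan_log(SAMPLE_LOG):
        # A 200 on the LFI endpoint is the case the IOC list flags as a likely success.
        note = " (likely successful read)" if label == "lfi" and status == 200 else ""
        print(f"line {number}: {label} attempt, HTTP {status}{note}")
```

The request-side check alone produces the alert; the status code and, where a proxy or WAF records bodies, `response_indicates_disclosure` are what separate a blocked probe from a successful read. Decoding the parameter value more than once matters because a single `unquote` would leave `..%2f` unmatched.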
No detection rules found.
Exploit-DB: SysAid Help Desk 14.4 - Multiple Vulnerabilities
exploitdb · 2015-06-10 · CVSS 7.5 · CVE-2015-3001 [HIGH]
---
>> Multiple vulnerabilities in SysAid Help Desk 14.4
>> Discovered by Pedro Ribeiro ([email protected]), Agile Information Security
Disclosure: 03/06/2015 / Last updated: 10/06/2015
>> Background on the affected product:
"SysAid is an ITSM solution that offers all the essentials, with everything you need for easy and efficient IT support and effective help desk operations. Its rich set of features includes a powerful service desk, asset management and discovery, self-service, and easy-to-use tools for understanding and optimizing IT performance."
Metasploit modules that exploit #1, #2, #3, #4, #5 and #6 have been released and should be integrated in the Metasploit framework soon.
All vulnerabilities affect both the Windows and Linux v
Nuclei: SysAid Help Desk <15.2 - Local File Inclusion
nuclei · CVSS 8.5 · CVE-2015-2996 [HIGH]
SysAid Help Desk before 15.2 contains multiple local file inclusion vulnerabilities which can allow remote attackers to read arbitrary files via .. (dot dot) in the fileName parameter of getGfiUpgradeFile or cause a denial of service (CPU and memory consumption) via .. (dot dot) in the fileName parameter of calculateRdsFileChecksum.
Template:

```yaml
id: CVE-2015-2996
info:
  name: SysAid Help Desk <15.2 - Local File Inclusion
  author: 0x_Akoko
  severity: high
  description: |
    SysAid Help Desk before 15.2 contains multiple local file inclusion vulnerabilities which can allow remote attackers to read arbitrary files via .. (dot dot) in the fileName parameter of getGfiUpgradeFile or cause a denial of service (CPU and memory consumption) via .. (dot dot) in
```
Metasploit: SysAid Help Desk Database Credentials Disclosure
metasploit
This module exploits a vulnerability in SysAid Help Desk that allows an unauthenticated user to download arbitrary files from the system. This is used to download the server configuration file that contains the database username and password, which is encrypted with a fixed, known key. This module has been tested with SysAid 14.4 on Windows and Linux.
Metasploit: SysAid Help Desk Arbitrary File Download
metasploit · CVSS 8.5 · CVE-2015-2997 [HIGH]
This module exploits two vulnerabilities in SysAid Help Desk that allow an unauthenticated user to download arbitrary files from the system. First, an information disclosure vulnerability (CVE-2015-2997) is used to obtain the file system path, and then we abuse a directory traversal (CVE-2015-2996) to download the file. Note that there are some limitations on Windows, in that the information disclosure vulnerability doesn't work on a Windows platform, and we can only traverse the current drive (if you enter C:\afile.txt and the server is running on D:\ the file will not be downloaded). This module has been tested with SysAid 14.4 on Windows and Linux.
References

- http://packetstormsecurity.com/files/132138/SysAid-Help-Desk-14.4-Code-Execution-Denial-Of-Service-Traversal-SQL-Injection.html
- http://seclists.org/fulldisclosure/2015/Jun/8
- http://www.securityfocus.com/archive/1/535679/100/0/threaded
- http://www.securityfocus.com/bid/75038
- https://www.sysaid.com/blog/entry/sysaid-15-2-your-voice-your-service-desk