CVE-2015-2996
published 2015-06-08


Priority: P2 · 68 · high
CVSS 2.0: 8.5 (AV:N/AC:L/Au:N/C:P/I:N/A:C)
Exploit: available
EPSS: 86.64% (99.7th percentile)
Multiple directory traversal vulnerabilities in SysAid Help Desk before 15.2 allow remote attackers to (1) read arbitrary files via a .. (dot dot) in the fileName parameter to getGfiUpgradeFile or (2) cause a denial of service (CPU and memory consumption) via a .. (dot dot) in the fileName parameter to calculateRdsFileChecksum.

Affected (1 range)

Vendor    Product    Version range    Fixed in
sysaid    sysaid     <= 15.1

Detection & IOCs (extracted from sources)

url: /sysaid/getGfiUpgradeFile?fileName=../../../../../../../etc/passwd
url: /getGfiUpgradeFile?fileName=../../../../../../../etc/passwd
other: shodan:http.favicon.hash:1540720428
other: fofa:icon_hash=1540720428
  • Detect directory traversal attempts targeting the 'fileName' parameter in GET requests to the 'getGfiUpgradeFile' endpoint; look for '../' sequences in the parameter value.
  • Detect directory traversal attempts targeting the 'fileName' parameter in GET requests to the 'calculateRdsFileChecksum' endpoint; look for '../' sequences which can cause CPU/memory exhaustion (DoS).
  • Successful exploitation of the LFI via getGfiUpgradeFile returns HTTP 200 with /etc/passwd content; match response body for the regex pattern 'root:[x*]:0:0'.
  • The vulnerability is exploitable without authentication; chain with CVE-2015-2997 (information disclosure) to first obtain the filesystem path, then use the directory traversal to download arbitrary files.
  • On Windows targets, directory traversal is limited to the current drive; cross-drive traversal (e.g., C:\ path when server runs on D:\) will not succeed.
  • The Metasploit module 'sysaid_sql_creds' abuses the same file download primitive to retrieve the server configuration file containing encrypted database credentials; monitor for requests to configuration file paths via the traversal endpoint.
  • The traversal depth used in the Nuclei template (7 levels: '../../../../../../../') targets Linux /etc/passwd; adjust depth and target path for Windows environments.
  • The CVE-2015-2997 information disclosure primitive does not work on Windows; the file download chain (CVE-2015-2997 + CVE-2015-2996) is therefore only fully functional on Linux targets.
  • The Metasploit credential-disclosure module was tested against SysAid 14.4 on both Windows and Linux; the database password in the config file is encrypted with a fixed, known key.
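As an added example (not from the advisory or its cited sources): a Python scanner that implements the detection notes above over web-server access logs, assuming Combined Log Format input; the sample log lines are constructed. It also decodes double-encoded and Windows-style (`..\`) traversal sequences, which the notes mention only for Linux paths.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Endpoints named in the advisory; fileName is the traversal sink in both.
VULN_ENDPOINTS = ("getGfiUpgradeFile", "calculateRdsFileChecksum")
TRAVERSAL = re.compile(r"(^|/)\.\.(/|$)")
# Response-body check from the detection notes (LFI success on Linux targets).
PASSWD_PATTERN = re.compile(r"root:[x*]:0:0")
# Combined Log Format: ip ident user [time] "METHOD url proto" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\w+) (\S+) [^"]*" (\d{3})')

def inspect_request(url):
    """Return (endpoint, decoded fileName) for a traversal attempt, else None."""
    parts = urlsplit(url)
    endpoint = parts.path.rsplit("/", 1)[-1]
    if endpoint not in VULN_ENDPOINTS:
        return None
    for name in parse_qs(parts.query).get("fileName", []):
        # parse_qs already decoded once; a second unquote catches double
        # encoding, and normalising '\' lets Windows-style ..\ match too.
        decoded = unquote(name).replace("\\", "/")
        if TRAVERSAL.search(decoded):
            return endpoint, decoded
    return None

def scan_access_log(lines):
    """Return (client_ip, endpoint, decoded fileName, status) per flagged line."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            ip, _method, url, status = m.groups()
            found = inspect_request(url)
            if found:
                hits.append((ip, found[0], found[1], int(status)))
    return hits

def response_indicates_passwd(body):
    """True if a response body looks like /etc/passwd (successful LFI)."""
    return bool(PASSWD_PATTERN.search(body))

# Constructed sample lines (not real traffic); only the first two should be flagged.
SAMPLE_LOG = [
    '203.0.113.5 - - [08/Jun/2015:10:00:01 +0000] "GET /sysaid/getGfiUpgradeFile?fileName=../../../../../../../etc/passwd HTTP/1.1" 200 1432',
    '203.0.113.5 - - [08/Jun/2015:10:00:02 +0000] "GET /sysaid/calculateRdsFileChecksum?fileName=..%252F..%252F..%252Fetc%252Fpasswd HTTP/1.1" 500 0',
    '198.51.100.7 - - [08/Jun/2015:10:00:03 +0000] "GET /sysaid/getGfiUpgradeFile?fileName=upgrade.zip HTTP/1.1" 200 5120',
    '198.51.100.7 - - [08/Jun/2015:10:00:04 +0000] "GET /sysaid/index.jsp HTTP/1.1" 200 2048',
]
```

Feed real access-log lines to `scan_access_log` and pair a flagged `getGfiUpgradeFile` hit with `response_indicates_passwd` on the captured response to separate attempts from confirmed disclosure.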