CVE-2015-2997
Published: 2015-06-08
Priority: P3 · 35 · medium · 5 (CVSS 2.0)
Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N
EXPLOIT
EPSS: 57.20% (98.9th percentile)
SysAid Help Desk before 15.2 allows remote attackers to obtain sensitive information via an invalid value in the accountid parameter to getAgentLogFile, as demonstrated by a large directory traversal sequence, which reveals the installation path in an error message.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| sysaid | sysaid | <= 15.1 | — |
Detection & IOCs
- Detect requests to the 'getAgentLogFile' endpoint with an invalid or oversized 'accountid' parameter value (e.g., a large directory traversal sequence such as '../../..'); this is the information disclosure trigger for CVE-2015-2997.
- CVE-2015-2997 is chained with CVE-2015-2996 (directory traversal file download) in exploitation; monitor for sequential unauthenticated requests, first to 'getAgentLogFile' (path disclosure), followed by a traversal-based file download request.
- The exploit chain works for unauthenticated users; flag any unauthenticated HTTP requests to the SysAid endpoint 'getAgentLogFile' with anomalous 'accountid' parameter values.
- The information disclosure vulnerability (CVE-2015-2997) does not work on Windows platforms; path disclosure via the error message only occurs on Linux deployments.
- On Windows, the subsequent directory traversal (CVE-2015-2996) is limited to the current drive; files on a different drive letter cannot be retrieved.
- Affected versions are SysAid Help Desk before 15.2; the Metasploit module was tested specifically against SysAid 14.4 on both Windows and Linux.
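The first two detection points above can be run over web access logs; the following is an added example, not code from the advisory, the Metasploit module or SysAid. It assumes combined-format logs with 'accountid' carried in the query string; the sample log lines, the `/placeholder-download` path, the allowed id character set, the length limit and the 10-minute correlation window are constructed for illustration.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs, unquote

# Combined-log-format prefix: client IP, timestamp, request line, status.
LINE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                  r'"\S+ (?P<url>\S+) [^"]*" \d{3}')
TRAVERSAL = re.compile(r'\.\.[/\\]')
VALID_ID = re.compile(r'[A-Za-z0-9_-]+')  # assumption: shape of real account ids
MAX_ID_LEN = 64                           # assumption: tune per deployment
CHAIN_WINDOW = timedelta(minutes=10)      # assumption: correlation window

def accountid_is_anomalous(value):
    """True for empty, oversized, traversal-bearing or oddly shaped values."""
    value = unquote(value)  # catch double-encoded input
    return (len(value) > MAX_ID_LEN or bool(TRAVERSAL.search(value))
            or not VALID_ID.fullmatch(value))

def detect(lines):
    """Return (ip, finding, url) tuples for probes and chained traversals."""
    alerts, probed = [], {}
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        ip, raw = m['ip'], m['url']
        ts = datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z')
        url = urlsplit(raw)
        if 'getAgentLogFile' in url.path:
            ids = parse_qs(url.query, keep_blank_values=True).get('accountid', [])
            if any(accountid_is_anomalous(v) for v in ids):
                probed[ip] = ts  # remember the client for chain correlation
                alerts.append((ip, 'CVE-2015-2997 path-disclosure probe', raw))
        elif (ip in probed and ts - probed[ip] <= CHAIN_WINDOW
              and TRAVERSAL.search(unquote(unquote(raw)))):
            alerts.append((ip, 'traversal after probe (CVE-2015-2996 chain?)', raw))
    return alerts

# Constructed sample lines; /placeholder-download is a hypothetical path.
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Jun/2015:09:14:01 +0000] "GET /getAgentLogFile'
    '?accountid=' + '../' * 20 + ' HTTP/1.1" 500 812',
    '198.51.100.7 - - [10/Jun/2015:09:14:03 +0000] "GET /placeholder-download'
    '?file=..%2F..%2Fexample.txt HTTP/1.1" 200 220',
    '203.0.113.9 - - [10/Jun/2015:09:15:00 +0000] "GET /getAgentLogFile'
    '?accountid=helpdesk01 HTTP/1.1" 200 1024',
    '203.0.113.9 - - [10/Jun/2015:09:15:05 +0000] "GET /static/..%2Flogo.png'
    ' HTTP/1.1" 404 0',
]
```

Access logs alone do not show whether a request was authenticated; join the alerts with session or application logs to apply the "unauthenticated" condition from the third detection point.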
No detection rules found.
Exploit-DB
SysAid Help Desk 14.4 - Multiple Vulnerabilities
exploitdb·2015-06-10·CVSS 7.5
CVE-2015-3001 [HIGH] SysAid Help Desk 14.4 - Multiple Vulnerabilities
---
>> Multiple vulnerabilities in SysAid Help Desk 14.4
>> Discovered by Pedro Ribeiro ([email protected]), Agile Information Security
Disclosure: 03/06/2015 / Last updated: 10/06/2015
>> Background on the affected product:
"SysAid is an ITSM solution that offers all the essentials, with everything you need for easy and efficient IT support and effective help desk operations. Its rich set of features includes a powerful service desk, asset management and discovery, self-service, and easy-to-use tools for understanding and optimizing IT performance."
Metasploit modules that exploit #1, #2, #3, #4, #5 and #6 have been released and should be integrated in the Metasploit framework soon.
All vulnerabilities affect both the Windows and Linux v
Metasploit
SysAid Help Desk Arbitrary File Download
metasploit·CVSS 8.5
CVE-2015-2997 [HIGH] SysAid Help Desk Arbitrary File Download
This module exploits two vulnerabilities in SysAid Help Desk that allow an unauthenticated user to download arbitrary files from the system. First, an information disclosure vulnerability (CVE-2015-2997) is used to obtain the file system path, and then we abuse a directory traversal (CVE-2015-2996) to download the file. Note that there are some limitations on Windows, in that the information disclosure vulnerability doesn't work on a Windows platform, and we can only traverse the current drive (if you enter C:\afile.txt and the server is running on D:\ the file will not be downloaded). This module has been tested with SysAid 14.4 on Windows and Linux.
No writeups or analysis indexed.
- http://packetstormsecurity.com/files/132138/SysAid-Help-Desk-14.4-Code-Execution-Denial-Of-Service-Traversal-SQL-Injection.html
- http://seclists.org/fulldisclosure/2015/Jun/8
- http://www.securityfocus.com/archive/1/535679/100/0/threaded
- http://www.securityfocus.com/bid/75038
- https://www.sysaid.com/blog/entry/sysaid-15-2-your-voice-your-service-desk