[R1] ManageEngine ServiceDesk Multiple Vulnerabilties

Tenable uncovered a handful of new vulnerabilities in ManageEngine ServiceDesk. This is not Tenable's first go around with ManageEngine ServiceDesk. If you look at our previous advisory you'll see that it took nearly two years to resolve a reflected XSS vulnerability.

A number of months ago, Tenable decided to switch to a 90-day disclosure policy. That seems reasonable to us. It has now been 383 days since ManageEngine acknowledged the vulnerabilities in this advisory. The most egregious of which remain unfixed.

CVE-2017-11511: Arbitrary File Download - No Fix as of 9.3.9328

ServiceDesk provides an endpoint for unauthenticated remote users to download files at /fos-agent/repl/download-file. This endpoint requires a couple of parameters: basedir and filepath. The basedir parameter is a number 1-4. The values correspond to the following directories (on Windows):

1. C:\ManageEngine\ServiceDesk\bin\..\fileAttachments
2. C:\ManageEngine\ServiceDesk\bin\..\inlineimages
3. C:\ManageEngine\ServiceDesk\bin\..\archive
4. C:\ManageEngine\ServiceDesk\bin\..\..\ServiceDesk

Option 4, C:\ManageEngine\ServiceDesk, is a bit bizarre because it exposes all of the files in the ServiceDesk install. That includes log files and database files.

http://192.168.1.200:8080/fosagent/repl/download-file?basedir=4&filepath=pgsql\data\pg_log\pgsql_Wed.log

However, that appears to be working as intended. I have to assume that path traversal is not intended behavior though.

http://192.168.1.200:8080/fosagent/repl/download-file?basedir=4&filepath=..\..\Windows\win.ini

We have assigned this CVE-2017-11511. This was assigned SD-64424 by ManageEngine back in October of 2016 yet remains unfixed.

CVE-2017-11512: Arbitrary File Download - No Fix as of 9.3.9328

ServiceDesk provides an interface for unauthenticated remote users to download snapshots at /fosagent/repl/download-snapshot. This endpoint takes one parameter, name, which is supposed to correspond to the snapshot that you'd like to download. Due to the lack of validation an attacker can use name to traverse directories and download arbitrary files.

http://192.168.1.200:8080/fosagent/repl/download-snapshot?name=..\..\..\..\..\..\..\Windows\win.ini

We have assigned this CVE-2017-11512. This was assigned SD-64424 by ManageEngine back in October of 2016 yet remains unfixed.

Various Fixed Authenticated Stored XSS

Fixed in 9.3.9139, an authenticated user could store arbitrary HTML/Javascript in the Job Title field for a Technician via SetupWizard.do.

Fixed in 9.2.9241, an authenticated user could store arbitrary HTML/Javascript in the Name of an Asset Group via GroupResourcesDef.do.

Fixed in 9.2.9241, an authenticated user could store arbitrary HTML/Javascript in the Name of an Asset Group via ContractDef.do.

Fixed in 9.2.9237, an authenticated user could store arbitrary HTML/Javascript in the Contract ID of a Contract via TaskDetails.cc.