Executive Summary

This alert is flagged as belonging to the CWE/SANS Top 25 Most Dangerous Software Errors.
Summary

Title: ReadyDesk contains multiple vulnerabilities

Information

Name: VU#294272
Vendor: VU-CERT
First vendor publication: 2016-08-16
Last vendor modification: 2016-08-16
Severity (vendor): N/A
Revision: M

Security-Database Scoring CVSS v3

CVSS vector: N/A
Overall CVSS score: N/A
Base score: N/A
Impact subscore: N/A
Exploitability subscore: N/A
Temporal score: N/A
Environmental score: N/A

Security-Database Scoring CVSS v2

CVSS vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVSS base score: 7.5
CVSS impact score: 6.4
CVSS exploit score: 10
Attack range: Network
Attack complexity: Low
Authentication: None required

Detail

Vulnerability Note VU#294272

ReadyDesk contains multiple vulnerabilities

Original Release date: 16 Aug 2016 | Last revised: 16 Aug 2016

Overview

ReadyDesk, version 9.1 and possibly others, contains SQL injection, path traversal, hard-coded cryptographic key, and arbitrary file upload vulnerabilities that may be leveraged to expose sensitive data and execute arbitrary code in the context of the vulnerable software.

Description

ReadyDesk is a help desk ticketing web application designed to support internal business and business-to-customer interactions.

CWE-89: Improper Neutralization of Special Elements used in a SQL Command ('SQL Injection') - CVE-2016-5048

The user name field of http://<IP>/readydesk/chat/staff/default.aspx fails to properly escape single-quote characters (') supplied as field input. Through error-based, blind SQL injection attacks, a remote, unauthenticated attacker may obtain the full database contents, including user passwords, which are stored as SHA-1 hashes.

CWE-22: Improper Limitation of a Pathname to a Restricted Directory - CVE-2016-5049

The SESID parameter of requests to http://<IP>/readydesk/chat/openattach.aspx is vulnerable to directory traversal and may be exploited to read arbitrary files on affected systems when combined with the FNAME parameter. For instance, to download SQL_Config.aspx, an attacker would make a request to:

http://<IP>/readydesk/chat/openattach.aspx?SESID=..\..\hd\data&FNAME=SQL_Config.aspx
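
Added example, not part of the CERT/CC note or of ReadyDesk's own code: a Python check of the kind a developer fixing this class of bug, or an analyst reviewing web-server logs, could use to reject the SESID/FNAME traversal shown above. The attachment root directory and the rule that each parameter names exactly one path component are assumptions, not details from the advisory.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

# Assumed attachment root; the real ReadyDesk directory layout is not given in the advisory.
ATTACH_ROOT = "/inetpub/wwwroot/readydesk/chat/attachments"


def normalize(component: str) -> str:
    """URL-decode twice (to catch double encoding) and treat backslashes as
    separators, since the traversal in the advisory uses Windows-style '..\\..\\'."""
    return unquote(unquote(component)).replace("\\", "/")


def resolve_attachment(sesid: str, fname: str, root: str = ATTACH_ROOT) -> Optional[str]:
    """Return the canonical path for an attachment request, or None if rejected.

    Assumption: SESID names one session directory and FNAME one file inside it,
    so neither may be empty, contain a separator, or be '.' / '..'.
    """
    parts = [normalize(sesid), normalize(fname)]
    for comp in parts:
        if not comp or "/" in comp or comp in (".", ".."):
            return None
    full = posixpath.normpath(posixpath.join(root, *parts))
    # Defence in depth: the joined path must still lie under root after normalization.
    if posixpath.commonpath([root, full]) != root:
        return None
    return full


def is_traversal_request(query: str) -> bool:
    """True when an openattach.aspx query string would be rejected by
    resolve_attachment; usable for scanning web-server logs for the pattern."""
    params = {}
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        params[key.upper()] = value
    return resolve_attachment(params.get("SESID", ""), params.get("FNAME", "")) is None


if __name__ == "__main__":
    # Constructed inputs: a legitimate download and the traversal from the advisory.
    print(resolve_attachment("abc123", "report.pdf"))
    print(resolve_attachment(r"..\..\hd\data", "SQL_Config.aspx"))
    print(is_traversal_request(r"SESID=..\..\hd\data&FNAME=SQL_Config.aspx"))
```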

CWE-321: Use of Hard-coded Cryptographic Key - CVE-2016-5683

SQL Server user credentials stored in SQL_Config.aspx are encrypted using a hard-coded cryptographic key found in ReadyDesk.dll. An attacker capable of obtaining the encrypted password can easily decrypt it for use in further attacks.

CWE-434: Unrestricted Upload of File with Dangerous Type - CVE-2016-5050

Files uploaded via http://<IP>/readydesk/chat/sendfile.aspx are not properly validated, allowing for arbitrary upload of files with a dangerous type. A remote, unauthenticated attacker could execute arbitrary code by uploading and making a request to a specially crafted aspx page.

The CVSS score below describes CVE-2016-5050.

Impact

A remote, unauthenticated attacker can obtain sensitive database information, read arbitrary files, and execute arbitrary code in the context of the vulnerable software.

Solution

The CERT/CC is currently unaware of a practical solution to these problems. A vendor advisory for version 9.2 states that it contains "Critical Security Updates," though details are not provided and it is unknown whether any of the vulnerabilities described above are addressed.

Vendor Information

Vendor: ReadyDesk
Status: Affected
Date notified: 20 Jun 2016
Date updated: 09 Aug 2016

CVSS Metrics

Base: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Temporal: 6.4 (E:POC/RL:U/RC:UR)
Environmental: 4.8 (CDP:ND/TD:M/CR:ND/IR:ND/AR:ND)

References

  • http://www.readydesk.com/
  • https://cwe.mitre.org/data/definitions/89.html
  • https://cwe.mitre.org/data/definitions/22.html
  • https://cwe.mitre.org/data/definitions/321.html
  • https://cwe.mitre.org/data/definitions/434.html

Credit

Thanks to Andrew Tierney of Pen Test Partners for reporting these vulnerabilities.

This document was written by Joel Land.

Other Information

  • CVE IDs: CVE-2016-5048, CVE-2016-5049, CVE-2016-5683, CVE-2016-5050
  • Date Public: 16 Aug 2016
  • Date First Published: 16 Aug 2016
  • Date Last Updated: 16 Aug 2016
  • Document Revision: 21

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Original Source

URL: http://www.kb.cert.org/vuls/id/294272

CWE: Common Weakness Enumeration

33% - CWE-434 - Unrestricted Upload of File with Dangerous Type (CWE/SANS Top 25)
33% - CWE-89 - Improper Sanitization of Special Elements used in an SQL Command ('SQL Injection') (CWE/SANS Top 25)
33% - CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE/SANS Top 25)

CPE: Common Platform Enumeration

Type: Application - Count: 1

Snort® IPS/IDS

2017-06-27 - ReadyDesk arbitrary file upload attempt
  Rule ID: 42994 - Revision: 2 - Type: SERVER-WEBAPP
2017-06-27 - ReadyDesk arbitrary file upload attempt
  Rule ID: 42993 - Revision: 2 - Type: SERVER-WEBAPP

Alert History

2016-08-29 21:27:05
  • Multiple Updates
2016-08-27 00:26:04
  • Multiple Updates
2016-08-16 17:23:33
  • First insertion