[<prev] [next>] [day] [month] [year] [list]
Message-Id: <201502022144.t12Lihib026238@sf01web3.securityfocus.com>
Date: Mon, 2 Feb 2015 21:44:43 GMT
From: mohamed.idris@...pag.com
To: bugtraq@...urityfocus.com
Subject: [CVE-2014-9331] ManageEngine Desktop Central CSRF vulnerability
to add an Admin user advisory
#####################################
Title:- Cross-Site Request Forgery (CSRF) Vulnerability in ManageEngine Desktop Central 9 Allows adding an Admin User
Author: Mohamed Idris - Help AG Middle East
Vendor: ZOHO Corp
Advisory ID: hag20141205
Product: ManageEngine Desktop Central 9
Version: All versions below build 90121
Tested Version: Version 9 Build 90087
Severity: HIGH
CVE Reference: CVE-2014-9331
Fix Link: http://www.manageengine.com/products/desktop-central/cve20149331-cross-site-request-forgery.html
# About the Product:
Desktop Central is an integrated desktop & mobile device management software that helps in managing the servers, laptops, desktops, smartphones and tablets from a central point.
It automates your regular desktop management routines like installing patches, distributing software, managing your IT Assets, managing software licenses, monitoring software usage statistics, managing USB device usage, taking control of remote desktops, and more. It supports managing both Windows and Mac operating systems.
# Description:
This Cross-Site Request Forgery vulnerability enables an anonymous attacker to add an admin account into the application. This leads to compromising the whole domain as the application normally uses privileged domain account to perform administration tasks.
# Vulnerability Class:
Cross-Site Request Forgery (CSRF) - https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29
# How to Reproduce: (POC):
Host the attached code in a webserver. Then send the link to the application Admin. The admin should be loggedin when he clicks on the link.
You can entice him to do that by using social engineering techniques ;)
Say for example: Log into the application and click the following link to get free licenses
# Disclosure:
Discovered: December 05, 2014
Vendor Notification: December 08, 2014
Advisory Publication: January 31, 2015
Public Disclosure: January 31, 2015
# Affected Targets:
All Desktop Central versions below build 90130. On all platforms (Actually platform doesn't affect the issue).
# Solution:
Upgrade to Build 90130 will fix this issue.
The update can be found at the following link: http://www.manageengine.com/products/desktop-central/cve20149331-cross-site-request-forgery.html
# credits:
Mohamed Idris
Senior Information Security Analyst and Team Leader
Help AG Middle East
# Proof of Concept Video:
https://www.youtube.com/watch?v=MRIZy7EBSF8
# Proof of Concept Code:
https://raw.githubusercontent.com/moha99sa/ManageEngine-Desktop-Central-CSRF/master/README.md
#References:
[1] help AG middle East http://www.helpag.com/.
[2] http://www.manageengine.com/products/desktop-central/
[3] http://www.manageengine.com/products/desktop-central/cve20149331-cross-site-request-forgery.html
[4] https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)
[5] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
Powered by blists - more mailing lists