CVE-2013-7390
Published 2020-01-27
Priority: P1 · 85 · critical · 9.8 CVSS 3.1
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 74.53% (99.4th percentile)
Unrestricted file upload vulnerability in AgentLogUploadServlet in ManageEngine DesktopCentral 7.x and 8.0.0 before build 80293 allows remote attackers to execute arbitrary code by uploading a file with a jsp extension, then accessing it via a direct request to the file in the webroot.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| zohocorp | manageengine_desktop_central | 7.0.0 – 8.0.0 | — |
Detection & IOCs
url: /agentLogUploader?computerName=DesktopCentral&domainName=webapps&customerId=..&filename=<filename>
url: /agentLogUploader?computerName=whatever1&domainName=whatever2&customerId=1337&filename=..\..\..\..\webapps\DesktopCentral\shell.jsp
- Detect unauthenticated HTTP POST requests to /agentLogUploader with a filename parameter containing path traversal sequences (e.g., '..' or '..\') and a .jsp extension, indicating attempted JSP webshell upload.
- Alert on HTTP POST to /agentLogUploader where the customerId parameter is set to '..' (dot-dot), which is the path traversal payload used in the original CVE-2013-7390 exploit to write files outside the intended directory.
- Monitor for newly created .jsp files under the DesktopCentral webroot (e.g., ..\webapps\DesktopCentral\) followed by an immediate GET request to the same filename, which is the two-stage upload-then-execute pattern used by the Metasploit module.
- Check the /configurations.do endpoint for the ManageEngine Desktop Central 8 build number; builds below 80293 are vulnerable and should be flagged in asset inventory.
- Flag HTTP POST requests to /agentLogUploader with Content-Type: text/html, as this is the non-standard content type used by the exploit to deliver the JSP payload body.
- The original CVE-2013-7390 fix (build 80293) was incomplete; the path traversal via customerId=.. was patched but a bypass using a valid computerName, domainName, and customerId with a traversal in the filename parameter remained exploitable (later assigned CVE-2014-5007). Detection rules must cover both traversal vectors.
- The Metasploit module targets Windows only (Platform: win, Arch: ARCH_X86) and achieves code execution as SYSTEM; detections should account for SYSTEM-level child processes spawned from the DesktopCentral web server process.
- The exploit requires no authentication whatsoever; perimeter controls relying on authenticated sessions will not prevent exploitation of this vulnerability.
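The request-line checks listed above can be run over web access logs; the following Python scan is an added example, not code from the page's sources. The log format, the sample lines and the `scan` helper are assumptions constructed for illustration, and the Content-Type and file-creation checks are left out because a plain access log does not carry them.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined-log style, not from a real server).
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2024:10:00:00 +0000] "POST /agentLogUploader?computerName=DesktopCentral&domainName=webapps&customerId=..&filename=x.jsp HTTP/1.1" 200 0',
    '198.51.100.7 - - [01/Jan/2024:10:00:02 +0000] "GET /x.jsp HTTP/1.1" 200 12',
    '192.0.2.10 - - [01/Jan/2024:10:05:00 +0000] "POST /agentLogUploader?computerName=pc1&domainName=corp&customerId=1&filename=agent.log HTTP/1.1" 200 0',
    '198.51.100.9 - - [01/Jan/2024:10:06:00 +0000] "POST /agentLogUploader?computerName=a&domainName=b&customerId=1337&filename=..%5C..%5Cwebapps%5CDesktopCentral%5Cy.jsp HTTP/1.1" 200 0',
]

REQ = re.compile(r'^(\S+) .*?"(GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')

def scan(lines):
    """Return (line_no, client, reason) findings for the request-line indicators."""
    findings, uploaded = [], {}   # uploaded: .jsp basename -> uploading client
    for no, line in enumerate(lines, 1):
        m = REQ.match(line)
        if not m:
            continue
        client, method, target, _status = m.groups()
        url = urlsplit(target)
        if method == "POST" and url.path == "/agentLogUploader":
            q = parse_qs(url.query, keep_blank_values=True)  # percent-decodes values
            cust = q.get("customerId", [""])[0]
            fname = q.get("filename", [""])[0]
            reasons = []
            if ".." in cust:       # CVE-2013-7390 vector
                reasons.append("traversal in customerId")
            if ".." in fname:      # bypass vector (CVE-2014-5007)
                reasons.append("traversal in filename")
            if fname.lower().endswith(".jsp"):
                reasons.append("jsp upload")
                uploaded[re.split(r"[\\/]", fname)[-1].lower()] = client
            findings += [(no, client, r) for r in reasons]
        elif method == "GET":
            base = url.path.rsplit("/", 1)[-1].lower()
            if base in uploaded:   # second stage of upload-then-request
                findings.append((no, client, "GET of uploaded jsp"))
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```
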
CVSS provenance
nvd · v3.1 · 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd · v2.0 · 7.5 HIGH · AV:N/AC:L/Au:N/C:P/I:P/A:P
No detection rules found.
Exploit-DB
ManageEngine Desktop Central - Arbitrary File Upload / Remote Code Execution
exploitdb·2014-09-01·CVSS 7.5
CVE-2014-5007 [HIGH] ManageEngine Desktop Central - Arbitrary File Upload / Remote Code Execution
---
Arbitrary file upload / remote code execution in ManageEngine Desktop Central / Desktop Central MSP
Discovered by Pedro Ribeiro, Agile Information Security
Background on the affected product:
"Desktop Central is an integrated desktop & mobile device management
software that helps in managing the servers, laptops, desktops,
smartphones and tablets from a central point. It automates your
regular desktop management routines like installing patches,
distributing software, managing your IT Assets, managing software
licenses, monitoring software usage statistics, managing USB device
usage, taking control of remote desktops, and more."
There are several vulnerable servers are out there if you k
Exploit-DB
DesktopCentral AgentLogUpload - Arbitrary File Upload (Metasploit)
exploitdb·2013-11-25
CVE-2014-5007 DesktopCentral AgentLogUpload - Arbitrary File Upload (Metasploit)
---
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 'DesktopCentral AgentLogUpload Arbitrary File Upload',
'Description' => %q{
This module exploits an arbitrary file upload vulnerability in DesktopCentral 8.0.0
below build 80293. A malicious user can upload a JSP file into the web root without
authentication, leading to arbitrary code execution.
},
'Author' =>
[
'Thomas Hibbert ' # Vulnerability discovery and MSF module
],
'License' => MSF_LICENSE,
'References' =>
[
[ 'URL', 'http://security-assessment.com/files/documents/advisory/Desktop%20Central%20Arbitrary%20File%20Upload.pdf' ]
],
'Platform
Exploit-DB
ManageEngine Desktop Central 8.0.0 build < 80293 - Arbitrary File Upload
exploitdb·2013-11-18
CVE-2014-5007 ManageEngine Desktop Central 8.0.0 build < 80293 - Arbitrary File Upload
DesktopCentral Arbitrary File Upload Vulnerability
Affected versions: DesktopCentral versions :8020
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:22.0) Gecko/20100101 Firefox/22.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Connection: keep-alive
Content-Type: text/html;
Content-Length: 109
Hello World
Hello World
+----------+
| Solution |
+----------+
Apply the patch supplied by the vendor (Patch 80293)
+-------------------+
|Disclosure Timeline|
+-------------------+
20/10/2013 – Vulnerability discovered, vendor notified.
25/10/2013 – Vendor acknowledges issue
30/10/2013 - Vendor issues Patch 80293 that fixe
Metasploit
ManageEngine Desktop Central AgentLogUpload Arbitrary File Upload
metasploit
This module exploits an arbitrary file upload vulnerability in Desktop Central v7 to v8 build 80293. A malicious user can upload a JSP file into the web root without authentication, leading to arbitrary code execution as SYSTEM.
No writeups or analysis indexed.
http://seclists.org/fulldisclosure/2013/Nov/130
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/http/desktopcentral_file_upload.rb