CVE-2014-3996
Published 2014-12-05
Priority: P2 · 67 · high
CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
EXPLOIT
EPSS: 35.55% (98.3th percentile)
SQL injection vulnerability in the LinkViewFetchServlet servlet in ManageEngine Desktop Central (DC) and Desktop Central Managed Service Providers (MSP) edition before 9 build 90043, Password Manager Pro (PMP) and Password Manager Pro Managed Service Providers (MSP) edition before 7 build 7003, IT360 and IT360 Managed Service Providers (MSP) edition before 10.3.3 build 10330, and possibly other ManageEngine products, allows remote attackers or remote authenticated users to execute arbitrary SQL commands via the sv parameter to LinkViewFetchServlet.dat.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| manageengine | desktop_central | <= 9.0 | — |
| manageengine | it360 | <= 10.3.3 | — |
| manageengine | password_manager_pro | <= 7.0 | — |
Detection & IOCs
- Detect blind SQL injection attempts against ManageEngine LinkViewFetchServlet by monitoring GET requests to /LinkViewFetchServlet.dat with a non-empty 'sv' parameter. The injection is only exploitable via GET requests.
- Monitor for GET requests to /PassTrixMain.cc returning HTTP 200 with body matching 'ManageEngine Password Manager Pro', which the exploit uses to fingerprint vulnerable PMP targets before exploitation.
- Monitor for GET requests to /configurations.do returning HTTP 200 with body matching 'ManageEngine Desktop Central', which the exploit uses to fingerprint vulnerable Desktop Central targets before exploitation.
- Between 10 and 20 rapid sequential GET requests to LinkViewFetchServlet.dat with large sv parameter values (chunked payload delivery) is a strong behavioral indicator of active exploitation.
- CVE-2014-3996 (LinkViewFetchServlet) is unauthenticated for Desktop Central and Password Manager Pro, but requires a valid user account for IT360. Detection rules should account for both authenticated and unauthenticated access patterns.
- MySQL-based targets use relative web root paths (e.g., ../../webapps/PassTrix/) while PostgreSQL-based targets require absolute paths. Detection of file-write activity should cover both relative and absolute path patterns under ManageEngine directories.
- The vulnerability has existed in all ManageEngine Desktop Central, Password Manager Pro, and IT360 releases since 2006. Patched versions are DC v9 build 90043, PMP v7 build 7003, and IT360 v10.3.3 build 10330.
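The request-pattern indicators above can be checked against web access logs. The following is an added example, not a rule from any of the indexed sources: it assumes combined-format access log lines, and the 60-second window, the 1000-character "large sv" threshold, the function names and the sample log lines are all assumptions constructed for illustration. Access logs carry no response body, so the fingerprint check matches only on path and HTTP 200.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

# Assumed input: combined-format access log lines (Apache/Tomcat style).
LINE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                  r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})')
FINGERPRINT_PATHS = {"/PassTrixMain.cc", "/configurations.do"}
BURST_MIN = 10                        # page: 10 to 20 sequential requests
BURST_WINDOW = timedelta(seconds=60)  # assumed meaning of "rapid"
LARGE_SV = 1000                       # assumed meaning of "large" sv value

def analyze(lines):
    """Return {client_ip: set of findings} for the indicators listed above."""
    bursts, findings = defaultdict(list), defaultdict(set)
    for line in lines:
        m = LINE.match(line)
        if not m or m["method"] != "GET":   # only GET is exploitable
            continue
        url = urlsplit(m["url"])
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        if url.path in FINGERPRINT_PATHS and m["status"] == "200":
            findings[m["ip"]].add("fingerprint")
        elif url.path.endswith("/LinkViewFetchServlet.dat"):
            sv = parse_qs(url.query, keep_blank_values=True).get("sv", [""])[0]
            if sv:                           # non-empty sv parameter
                findings[m["ip"]].add("sv_request")
                if len(sv) >= LARGE_SV:
                    bursts[m["ip"]].append(ts)
    for ip, times in bursts.items():
        times.sort()
        # Sliding window: BURST_MIN large-sv requests inside BURST_WINDOW.
        for i in range(len(times) - BURST_MIN + 1):
            if times[i + BURST_MIN - 1] - times[i] <= BURST_WINDOW:
                findings[ip].add("burst")
                break
    return dict(findings)

def sample_lines():
    """Constructed log lines; the sv value is inert filler, not a payload."""
    fmt = '{ip} - - [05/Dec/2014:10:00:{s:02d} +0000] "GET {url} HTTP/1.1" 200 512'
    sv_url = "/LinkViewFetchServlet.dat?sv="
    lines = [fmt.format(ip="203.0.113.7", s=0, url="/configurations.do")]
    lines += [fmt.format(ip="203.0.113.7", s=i + 1, url=sv_url + "A" * 1200)
              for i in range(12)]
    lines.append(fmt.format(ip="198.51.100.4", s=30, url=sv_url + "x"))
    lines.append(fmt.format(ip="198.51.100.9", s=31, url=sv_url))
    return lines
```

A client with `fingerprint`, `sv_request` and `burst` together matches the full sequence described above; `sv_request` alone is the lower-confidence signal, and `fingerprint` alone also matches ordinary visits to those pages.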
No detection rules found.
Exploit-DB
ManageEngine Password Manager - MetadataServlet.dat SQL Injection (Metasploit)
exploitdb · 2014-08-25 · CVE-2014-3996
---
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'msf/core/exploit/file_dropper'
class Metasploit3 "ManageEngine Password Manager MetadataServlet.dat SQL Injection",
'Description' => %q{
This module exploits an unauthenticated blind SQL injection in LinkViewFetchServlet,
which is exposed in ManageEngine Desktop Central v7 build 70200 to v9 build 90033 and
Password Manager Pro v6 build 6500 to v7 build 7002 (including the MSP versions). The
SQL injection can be used to achieve remote code execution as SYSTEM in Windows or as
the user in Linux. This module exploits both PostgreSQL (newer builds
Exploit-DB
ManageEngine Password Manager Pro / ManageEngine IT360 - SQL Injection
exploitdb · 2014-08-20 · CVE-2014-3997
---
source: https://www.securityfocus.com/bid/69303/info
ManageEngine Password Manager Pro and ManageEngine IT360 are prone to an SQL-injection vulnerability because they fail to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
The following products are affected:
ManageEngine Password Manager Pro 5 through 7 build 7003
ManageEngine IT360 8 through 10.1.1 build 10110
www.example.com/MetadataServlet.dat?sv=[SQLi]
www.example.com/console/MetadataServlet.dat?sv=[SQLi]
>> Blind SQL injection in ManageEngine Desktop Central, Password
Metasploit
ManageEngine Desktop Central / Password Manager LinkViewFetchServlet.dat SQL Injection
metasploit
This module exploits an unauthenticated blind SQL injection in LinkViewFetchServlet, which is exposed in ManageEngine Desktop Central v7 build 70200 to v9 build 90033 and Password Manager Pro v6 build 6500 to v7 build 7002 (including the MSP versions). The SQL injection can be used to achieve remote code execution as SYSTEM in Windows or as the user in Linux. This module exploits both PostgreSQL (newer builds) and MySQL (older or upgraded builds). MySQL targets are more reliable due to the use of relative paths; with PostgreSQL you should find the web root path via other means and specify it with WEB_ROOT. The injection is only exploitable via a GET request, which means that the payload has to be sent i
No writeups or analysis indexed.
- http://packetstormsecurity.com/files/127973/ManageEngine-Password-Manager-MetadataServlet.dat-SQL-Injection.html
- http://seclists.org/fulldisclosure/2014/Aug/55
- http://seclists.org/fulldisclosure/2014/Aug/85
- http://www.securityfocus.com/bid/69305
- https://raw.githubusercontent.com/pedrib/PoC/master/ManageEngine/me_dc_pmp_it360_sqli.txt
- https://raw.githubusercontent.com/pedrib/PoC/master/msf_modules/manageengine_dc_pmp_sqli.rb
Published: 2014-12-05