CVE-2014-5005
Published 2014-10-21
Priority: P2 · 72 · high · 7.5 (CVSS 2.0)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
EXPLOIT
EPSS: 77.85% (99.5th percentile)
Directory traversal vulnerability in ZOHO ManageEngine Desktop Central (DC) before 9 build 90055 allows remote attackers to execute arbitrary code via a .. (dot dot) in the fileName parameter in an LFU action to statusUpdate.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| zohocorp | manageengine_desktop_central | <= 9.0 | — |
Detection & IOCs
- url: /statusUpdate?actionToCall=LFU&customerId=1337&fileName=../../../../../../shell.jsp&configDataID=1
- command: POST /statusUpdate?actionToCall=LFU&customerId=1337&fileName=../../../../../../shell.jsp&configDataID=1
- Detect HTTP POST requests to /statusUpdate with query parameter actionToCall=LFU and a fileName parameter containing directory traversal sequences (../ or ..\ patterns) targeting JSP file upload.
- Alert on Content-Type of text/html in POST requests to /statusUpdate, which is used by the exploit module to deliver the malicious JSP payload.
- Monitor for JSP file creation in the web root (webapps/DesktopCentral/) as a result of unauthenticated file upload via the statusUpdate endpoint.
- Check for GET requests to /configurations.do used by the exploit to fingerprint the Desktop Central version prior to exploitation.
- Inspect the fileName parameter in requests to /statusUpdate for sequences of '../' repeated multiple times (e.g., 6 or more traversal steps) indicating path traversal exploitation.
- The vulnerability affects all versions from v7 to v9 build 90054 (including MSP variants); early builds of v7 without a bundled Java compiler are not exploitable.
- The exploit requires no authentication and no prior knowledge of the target environment — any exposed instance is at risk.
- The default exploit target port is 8020; deployments on non-standard ports would require adjusted detection rules.
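The request-line checks listed above, written as log-scanning logic. This is an added example, not part of the advisory or the Metasploit module; the combined-log format, the sample lines, and the names `fully_decode`, `classify` and `scan` are assumptions constructed for illustration. It also normalises percent-encoded values, which goes slightly beyond the literal `../` and `..\` patterns named in the list.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (combined-log style), not from a real system.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Sep/2014:10:01:02 +0000] "GET /configurations.do HTTP/1.1" 200 5120
198.51.100.7 - - [10/Sep/2014:10:01:05 +0000] "POST /statusUpdate?actionToCall=LFU&customerId=1337&fileName=../../../../../../shell.jsp&configDataID=1 HTTP/1.1" 200 0
203.0.113.9 - - [10/Sep/2014:10:02:00 +0000] "POST /statusUpdate?actionToCall=LFU&customerId=1&fileName=..%5C..%5Cx.jsp&configDataID=1 HTTP/1.1" 200 0
192.0.2.44 - - [10/Sep/2014:10:03:00 +0000] "POST /statusUpdate?actionToCall=LFU&customerId=1&fileName=agent-status.log&configDataID=1 HTTP/1.1" 200 0
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*"')
TRAVERSAL_RE = re.compile(r'\.\.[/\\]')  # "../" or "..\" after decoding

def fully_decode(value, rounds=5):
    """Percent-decode repeatedly so values encoded more than once normalise."""
    for _ in range(rounds):
        value, prev = unquote(value), value
        if value == prev:
            break
    return value

def classify(method, target):
    """Return 'lfu_traversal', 'fingerprint' or None for one request."""
    parts = urlsplit(target)
    path = parts.path.rstrip("/").lower()
    if method == "GET" and path.endswith("/configurations.do"):
        return "fingerprint"
    if method == "POST" and path.endswith("/statusupdate"):
        query = {k.lower(): v for k, v in parse_qs(parts.query).items()}
        actions = [a.upper() for a in query.get("actiontocall", [])]
        names = [fully_decode(n) for n in query.get("filename", [])]
        if "LFU" in actions and any(TRAVERSAL_RE.search(n) for n in names):
            return "lfu_traversal"
    return None

def scan(log_text):
    """Return [(source_ip, preceded_by_fingerprint)] for each traversal hit."""
    fingerprinted, hits = set(), []
    for m in filter(None, map(LINE_RE.match, log_text.splitlines())):
        ip, method, target = m.groups()
        finding = classify(method, target)
        if finding == "fingerprint":
            fingerprinted.add(ip)
        elif finding == "lfu_traversal":
            hits.append((ip, ip in fingerprinted))
    return hits
```

The Content-Type and JSP file-creation checks need data that a plain access log does not carry (proxy or WAF request headers, and file-system monitoring on the server).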
No detection rules found.
Exploit-DB
ManageEngine Desktop Central StatusUpdate - Arbitrary File Upload (Metasploit)
exploitdb·2014-09-09
CVE-2014-5005 ManageEngine Desktop Central StatusUpdate - Arbitrary File Upload (Metasploit)
---
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 'ManageEngine Desktop Central StatusUpdate Arbitrary File Upload',
'Description' => %q{
This module exploits an arbitrary file upload vulnerability in ManageEngine DesktopCentral
v7 to v9 build 90054 (including the MSP versions).
A malicious user can upload a JSP file into the web root without authentication, leading to
arbitrary code execution as SYSTEM. Some early builds of version 7 are not exploitable as
they do not ship with a bundled Java compiler.
},
'Author' =>
[
'Pedro Ribeiro ' # Vulnerability discovery and Metasploit module
Exploit-DB
ManageEngine Desktop Central - Arbitrary File Upload / Remote Code Execution
exploitdb·2014-09-01·CVSS 7.5
CVE-2014-5007 [HIGH] ManageEngine Desktop Central - Arbitrary File Upload / Remote Code Execution
---
Arbitrary file upload / remote code execution in ManageEngine Desktop Central / Desktop Central MSP
Discovered by Pedro Ribeiro ([email protected]), Agile Information Security
Background on the affected product:
"Desktop Central is an integrated desktop & mobile device management
software that helps in managing the servers, laptops, desktops,
smartphones and tablets from a central point. It automates your
regular desktop management routines like installing patches,
distributing software, managing your IT Assets, managing software
licenses, monitoring software usage statistics, managing USB device
usage, taking control of remote desktops, and more."
There are several vulnerable servers are out there if you k
Metasploit
ManageEngine Desktop Central StatusUpdate Arbitrary File Upload
metasploit
This module exploits an arbitrary file upload vulnerability in ManageEngine DesktopCentral v7 to v9 build 90054 (including the MSP versions). A malicious user can upload a JSP file into the web root without authentication, leading to arbitrary code execution as SYSTEM. Some early builds of version 7 are not exploitable as they do not ship with a bundled Java compiler.
No writeups or analysis indexed.
- http://osvdb.org/show/osvdb/110643
- http://seclists.org/fulldisclosure/2014/Aug/88
- http://www.exploit-db.com/exploits/34594
- https://raw.githubusercontent.com/pedrib/PoC/master/ManageEngine/me_dc9_file_upload.txt
- https://www.manageengine.com/products/desktop-central/remote-code-execution.html
Published: 2014-10-21