CVE-2014-5007
published 2020-01-17CVE-2014-5007: Directory traversal vulnerability in the agentLogUploader servlet in ZOHO ManageEngine Desktop Central (DC) and Desktop Central Managed Service Providers (MSP)…
PriorityP275critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
EXPLOIT
EPSS
37.33%
98.3th percentile
Directory traversal vulnerability in the agentLogUploader servlet in ZOHO ManageEngine Desktop Central (DC) and Desktop Central Managed Service Providers (MSP) edition before 9 build 90055 allows remote attackers to write to and execute arbitrary files as SYSTEM via a .. (dot dot) in the filename parameter.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| zohocorp | manageengine_desktop_central | 7.0 – 9.0 | — |
| zohocorp | manageengine_desktop_central_managed_service_providers | 7.0 – 9.0 | — |
Detection & IOCsextracted from sources · hover to see the quote
url/agentLogUploader?computerName=whatever1&domainName=whatever2&customerId=1337&filename=..\\..\\..\\..\\webapps\\DesktopCentral\\shell.jsp↗
urlagentLogUploader?computerName=DesktopCentral&domainName=webapps&customerId=..&filename=#{filename}↗
- →Detect unauthenticated POST requests to the agentLogUploader servlet containing directory traversal sequences (e.g., '..' or '..\') in the 'filename' parameter, particularly targeting paths under webapps\DesktopCentral\. ↗
- →Monitor for POST requests to /agentLogUploader with a 'filename' parameter containing backslash-based traversal sequences (e.g., '..\\..\\') — no authentication is required to exploit this endpoint. ↗
- →Alert on JSP files written to the DesktopCentral web root (webapps\DesktopCentral\) by the Desktop Central service process, as this indicates successful exploitation and webshell deployment. ↗
- →Check for subsequent GET requests to randomly-named .jsp files in the DesktopCentral web root immediately after a POST to agentLogUploader — this is the two-stage upload-then-execute pattern used by the Metasploit module. ↗
- →Inspect the 'customerId' parameter in agentLogUploader requests for traversal values such as '..' which were used in the original CVE-2013-7390 exploit vector. ↗
- ·The fix for the original CVE-2013-7390 (patch 80293) was incomplete; CVE-2014-5007 demonstrates that traversal is still possible with a valid computerName, domainName, and customerId, so patching to DC v9 build 90055 or later is required. ↗
- ·All Desktop Central versions from v7 through v9 build 90054 are affected; the fix is to upgrade to DC v9 build 90055. ↗
CVSS provenance
nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv2.010.0CRITICALAV:N/AC:L/Au:N/C:C/I:C/A:C
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
No detection rules found.
Exploit-DB
ManageEngine Desktop Central - Arbitrary File Upload / Remote Code Execution
exploitdb·2014-09-01·CVSS 7.5
CVE-2014-5007 [HIGH] ManageEngine Desktop Central - Arbitrary File Upload / Remote Code Execution
ManageEngine Desktop Central - Arbitrary File Upload / Remote Code Execution
---
Arbitrary file upload / remote code execution in ManageEngine Desktop Central / Desktop Central MSP
Discovered by Pedro Ribeiro ([email protected]), Agile Information Security
Background on the affected product:
"Desktop Central is an integrated desktop & mobile device management
software that helps in managing the servers, laptops, desktops,
smartphones and tablets from a central point. It automates your
regular desktop management routines like installing patches,
distributing software, managing your IT Assets, managing software
licenses, monitoring software usage statistics, managing USB device
usage, taking control of remote desktops, and more."
There are several vulnerable servers are out there if you k
Exploit-DB
DesktopCentral AgentLogUpload - Arbitrary File Upload (Metasploit)
exploitdb·2013-11-25
CVE-2014-5007 DesktopCentral AgentLogUpload - Arbitrary File Upload (Metasploit)
DesktopCentral AgentLogUpload - Arbitrary File Upload (Metasploit)
---
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 'DesktopCentral AgentLogUpload Arbitrary File Upload',
'Description' => %q{
This module exploits an arbitrary file upload vulnerability in DesktopCentral 8.0.0
below build 80293. A malicious user can upload a JSP file into the web root without
authentication, leading to arbitrary code execution.
},
'Author' =>
[
'Thomas Hibbert ' # Vulnerability discovery and MSF module
],
'License' => MSF_LICENSE,
'References' =>
[
[ 'URL', 'http://security-assessment.com/files/documents/advisory/Desktop%20Central%20Arbitrary%20File%20Upload.pdf' ]
],
'Platform
Exploit-DB
ManageEngine Desktop Central 8.0.0 build < 80293 - Arbitrary File Upload
exploitdb·2013-11-18
CVE-2014-5007 ManageEngine Desktop Central 8.0.0 build < 80293 - Arbitrary File Upload
ManageEngine Desktop Central 8.0.0 build ) Y Y \
/______ /\___|__ / \___ >____/|__|_| /
\/ \/.-. \/ \/:wq
(x.0)
'=.|w|.='
_='`"``=.
presents..
DesktopCentral Arbitrary File Upload Vulnerability
Affected versions: DesktopCentral versions :8020
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:22.0) Gecko/20100101 Firefox/22.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Connection: keep-alive
Content-Type: text/html;
Content-Length: 109
Hello World
Hello World
+----------+
| Solution |
+----------+
Apply the patch supplied by the vendor (Patch 80293)
+-------------------+
|Disclosure Timeline|
+-------------------+
20/10/2013 – Vulnerability discovered, vendor notified.
25/10/2013 – Vendor acknowledges issue
30/10/2013 - Vendor issues Patch 80293 that fixe
No writeups or analysis indexed.
2020-01-17
Published