CVE-2014-6034
Published 2014-12-04
Priority P359 · medium · CVSS 2.0 score 5 · Vector AV:N/AC:L/Au:N/C:P/I:N/A:N
EXPLOIT
EPSS: 79.48% (99.6th percentile)
Directory traversal vulnerability in the com.me.opmanager.extranet.remote.communication.fw.fe.FileCollector servlet in ZOHO ManageEngine OpManager 8.8 through 11.3, Social IT Plus 11.0, and IT360 10.4 and earlier allows remote attackers or remote authenticated users to write to and execute arbitrary WAR files via a .. (dot dot) in the regionID parameter.
Affected
14 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| zohocorp | manageengine_it360 | <= 10.4 | — |
| zohocorp | manageengine_opmanager | — | — |
| zohocorp | manageengine_opmanager | — | — |
| zohocorp | manageengine_opmanager | — | — |
| zohocorp | manageengine_opmanager | — | — |
| zohocorp | manageengine_opmanager | — | — |
| zohocorp | manageengine_opmanager | — | — |
| zohocorp | manageengine_opmanager | — | — |
| zohocorp | manageengine_opmanager | — | — |
| zohocorp | manageengine_opmanager | — | — |
| zohocorp | manageengine_opmanager | — | — |
| zohocorp | manageengine_opmanager | — | — |
| zohocorp | manageengine_opmanager | — | — |
| zohocorp | manageengine_social_it_plus | — | — |
Detection & IOCs
URL: POST /servlet/com.me.opmanager.extranet.remote.communication.fw.fe.FileCollector?regionID=../../../tomcat/webapps&FILENAME=payload.war
- Detect unauthenticated POST requests to the FileCollector servlet path containing a 'regionID' parameter with directory traversal sequences (e.g., '../') and a 'FILENAME' parameter ending in '.war'. A GET to the same servlet returning HTTP 405 indicates the endpoint is present and potentially vulnerable.
- Alert on POST requests to '/servlet/com.me.opmanager.extranet.remote.communication.fw.fe.FileCollector' where the 'regionID' query parameter contains dot-dot traversal sequences targeting Tomcat webapps or conf directories.
- Monitor for unexpected .war file creation under the Tomcat webapps directory, especially files with random alphanumeric names, as the exploit generates a random app_base name for the payload WAR.
- The exploit uploads a context.xml replacement to 'tomcat/conf' on a second attempt; monitor for POST requests to the FileCollector servlet with FILENAME=context.xml as an indicator of a retry/escalation attempt.
- The vulnerability is unauthenticated on OpManager and Social IT Plus, meaning no session cookie or authentication header is required; detections should not filter on authenticated sessions for these products.
- The exploit targets the default Tomcat deployment path '../../../tomcat/webapps'; if the Tomcat installation path differs from the default, the traversal depth and path in the regionID parameter will vary.
- The module waits a configurable number of seconds (default 15) for WAR deployment before executing the payload; detection based on timing between upload and execution requests should account for this delay.
- The server returns either HTTP 500 or HTTP 200 on a successful WAR upload to this servlet; a 500 response does NOT necessarily indicate failure and should not be used alone to rule out exploitation.
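The request-side checks above, as an added detection sketch that is not part of the original page or of any vendor rule set. It assumes a common/combined-format web access log; the sample lines and IP addresses are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

SERVLET = "/servlet/com.me.opmanager.extranet.remote.communication.fw.fe.FileCollector"
# Assumed log layout: ip ident user [timestamp] "METHOD uri PROTO" status size
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def classify(line):
    """Return (label, client_ip) for suspicious FileCollector activity, else None."""
    m = LINE.match(line)
    if not m:
        return None
    ip, _ts, method, uri, status = m.groups()
    parts = urlsplit(uri)
    if unquote(parts.path) != SERVLET:
        return None
    if method == "GET" and status == "405":
        return ("endpoint-probe", ip)       # servlet present, answered GET with 405
    if method != "POST":
        return None
    # parse_qs percent-decodes values, so %2e%2e%2f is seen as ../
    q = {k.lower(): v[0] for k, v in parse_qs(parts.query).items()}
    region = q.get("regionid", "").replace("\\", "/")
    fname = q.get("filename", "").lower()
    if ".." not in region:
        return None
    # No check on cookies/auth headers (the flaw is unauthenticated on OpManager
    # and Social IT Plus) and none on status: 200 and 500 can both follow a write.
    if fname.endswith(".war"):
        return ("war-upload", ip)
    if fname == "context.xml":
        return ("context-xml-upload", ip)
    return ("traversal-other", ip)

def scan(lines):
    """Classify every line and keep only the hits, in log order."""
    return [hit for hit in map(classify, lines) if hit]

# Constructed sample log lines (not captured traffic).
TS = "[04/Dec/2014:10:00:0%d +0000]"
SAMPLE = [
    f'192.0.2.10 - - {TS % 1} "GET {SERVLET} HTTP/1.1" 405 0',
    f'192.0.2.10 - - {TS % 2} "POST {SERVLET}?regionID=../../../tomcat/webapps'
    f'&FILENAME=payload.war HTTP/1.1" 500 1024',
    f'192.0.2.10 - - {TS % 3} "POST {SERVLET}?regionID=%2e%2e%2f%2e%2e%2ftomcat%2fconf'
    f'&FILENAME=context.xml HTTP/1.1" 200 0',
    f'198.51.100.7 - - {TS % 4} "POST {SERVLET}?regionID=12&FILENAME=data.zip HTTP/1.1" 200 0',
    f'198.51.100.7 - - {TS % 5} "GET /index.html HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for label, ip in scan(SAMPLE):
        print(label, ip)
```

Pair the request-side hits with file-system monitoring for new .war files under the Tomcat webapps directory, since the traversal depth in regionID varies with the install path.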
Exploit-DB
ManageEngine OpManager / Social IT Plus / IT360 - Multiple Vulnerabilities
exploitdb·2014-11-09·CVSS 5.0
CVE-2014-7868 [MEDIUM] ManageEngine OpManager / Social IT Plus / IT360 - Multiple Vulnerabilities
---
>> Multiple vulnerabilities in ManageEngine OpManager, Social IT Plus and IT360
>> Discovered by Pedro Ribeiro ([email protected]), Agile Information Security
Disclosure: 27/09/2014 (#1 and #2), 09/11/2014 (#3 and #4) / Last updated: 09/11/2014
>> Background on the affected products:
"ManageEngine OpManager is a network and data center infrastructure management software that helps large enterprises, service providers and SMEs manage their data centers and IT infrastructure efficiently and cost effectively. Automated workflows, intelligent alerting engines, configurable discovery rules, and extendable templates enable IT teams to setup a 24x7 monitoring system within hours of installation."
"Social IT Plus off
Exploit-DB
ManageEngine OpManager / Social IT - Arbitrary File Upload (Metasploit)
exploitdb·2014-10-02
CVE-2014-6034 ManageEngine OpManager / Social IT - Arbitrary File Upload (Metasploit)
---
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 'ManageEngine OpManager / Social IT Arbitrary File Upload',
'Description' => %q{
This module exploits a file upload vulnerability in ManageEngine OpManager and Social IT.
The vulnerability exists in the FileCollector servlet which accepts unauthenticated
file uploads. This module has been tested successfully on OpManager v8.8 - v11.3 and on
version 11.0 of SocialIT for Windows and Linux.
},
'Author' =>
[
'Pedro Ribeiro ', # Vulnerability Discovery and Metasploit module
],
'License' => MSF_LICENSE,
'References' =>
[
[ 'CVE', '2014-6034' ],
[
Metasploit
ManageEngine OpManager and Social IT Arbitrary File Upload
metasploit
This module exploits a file upload vulnerability in ManageEngine OpManager and Social IT. The vulnerability exists in the FileCollector servlet which accepts unauthenticated file uploads. This module has been tested successfully on OpManager v8.8 - v11.3 and on version 11.0 of SocialIT for Windows and Linux.
http://seclists.org/fulldisclosure/2014/Sep/110
https://raw.githubusercontent.com/pedrib/PoC/master/ManageEngine/me_opmanager_socialit_it360.txt
https://support.zoho.com/portal/manageengine/helpcenter/articles/servlet-vulnerability-fix