CVE-2014-6037
Published: 2014-10-26
Priority: P277 · Severity: high · CVSS 2.0 base score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Exploit available · EPSS: 84.18% (99.7th percentile)
Directory traversal vulnerability in the agentUpload servlet in ZOHO ManageEngine EventLog Analyzer 9.0 build 9002 and 8.2 build 8020 allows remote attackers to execute arbitrary code by uploading a ZIP file which contains an executable file with .. (dot dot) sequences in its name, then accessing the executable via a direct request to the file under the web root. Fixed in Build 11072.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| zohocorp | manageengine_eventlog_analyzer | — | — |
| zohocorp | manageengine_eventlog_analyzer | — | — |
Detection & IOCs (extracted from sources)
- Detect unauthenticated HTTP POST multipart/form-data requests to the /agentUpload or /event/agentUpload servlet endpoint, especially from external/untrusted sources.
- Inspect ZIP file contents uploaded to agentUpload for path traversal sequences (e.g., '../../') in embedded filenames, which indicate exploitation attempts.
- Alert on HTTP GET requests to /event/agentUpload or /agentUpload returning HTTP 405 (Method Not Allowed), which the Metasploit module uses as a vulnerability check indicator.
- Monitor for newly created .jsp files under the webapps/event/ web root directory, which may indicate successful exploitation via path-traversal zip upload.
- Monitor for newly created .ear files under the JBoss server/default/deploy/ directory, indicating exploitation of older v7.0–v8.0 targets via EAR deployment.
- Detect HTTP GET requests to /event/index3.do probing for ManageEngine EventLog Analyzer version strings, used by the Metasploit module during reconnaissance.
- Alert on low-privileged or guest account access to /event/runQuery.do, which exposes the database browser to unauthorized users.
- Detect multipart/form-data POST uploads containing a ZIP file (application/zip content-type) to the agentUpload endpoint on port 8400.
- The agentUpload servlet can be disabled as a workaround by commenting out its servlet mapping in web.xml if agents are not in use.
- Versions 7.0–8.0 are exploited via EAR deployment in JBoss, while versions 8.1+ are exploited via JSP upload; detection logic should account for both attack paths.
- The vulnerability was fixed in Build 11072; instances running builds prior to 11072 remain vulnerable.
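The entry-name validation the description says agentUpload lacked, as an added example in Python (not the vendor's code and not the Metasploit module): it rejects an uploaded ZIP if any entry name is absolute, contains a `..` component, or would resolve outside the extraction directory. DEST_ROOT and the sample archive are constructed for illustration.

```python
import io
import posixpath
import zipfile
from typing import Dict

# Constructed extraction directory (hypothetical; the servlet's real root is not on the page).
DEST_ROOT = "/srv/agent-uploads"


def entry_problem(name: str, dest_root: str = DEST_ROOT) -> str:
    """Return why an archive entry name is unsafe to extract, or '' if it is safe."""
    norm = name.replace("\\", "/")          # Windows-style separators count too
    if norm.startswith("/") or (len(norm) > 1 and norm[1] == ":"):
        return "absolute path"               # would ignore dest_root entirely
    if ".." in norm.split("/"):
        return "dot-dot component"           # the CVE-2014-6037 pattern
    root = posixpath.normpath(dest_root)
    resolved = posixpath.normpath(posixpath.join(root, norm))
    if resolved != root and not resolved.startswith(root + "/"):
        return "escapes destination"         # defence in depth for odd names
    return ""


def unsafe_entries(zip_bytes: bytes, dest_root: str = DEST_ROOT) -> Dict[str, str]:
    """Map every unsafe entry name in the archive to the reason it was rejected."""
    findings: Dict[str, str] = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for info in archive.infolist():
            reason = entry_problem(info.filename, dest_root)
            if reason:
                findings[info.filename] = reason
    return findings


def is_safe_upload(zip_bytes: bytes, dest_root: str = DEST_ROOT) -> bool:
    """Accept the upload only if no entry could land outside dest_root."""
    return not unsafe_entries(zip_bytes, dest_root)


def build_sample_zip() -> bytes:
    """Constructed sample archive: one benign entry plus two that must be rejected."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("agent/report.log", "ok")
        archive.writestr("../../webapps/event/dropped.jsp", "x")   # traversal, as in the CVE
        archive.writestr("/etc/cron.d/job", "x")                   # absolute path
    return buf.getvalue()
```

The same function run over an archive captured from a request to agentUpload yields the indicator the second detection bullet describes.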
No detection rules found.
Exploit-DB
ManageEngine Eventlog Analyzer - Arbitrary File Upload (Metasploit) (exploitdb, 2014-09-15, CVE-2014-6037)
---
```ruby
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  # (the module rank, mixin includes and the opening of initialize() were
  # dropped by the page's extraction; only the metadata visible on the page is kept)
  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'ManageEngine Eventlog Analyzer Arbitrary File Upload',
      'Description' => %q{
        This module exploits a file upload vulnerability in ManageEngine Eventlog Analyzer.
        The vulnerability exists in the agentUpload servlet which accepts unauthenticated
        file uploads and handles zip file contents in an insecure way. By combining both
        weaknesses a remote attacker can achieve remote code execution. This module has been
        tested successfully on versions v7.0 - v9.9 b9002 in Windows and Linux. Versions
        between 7.0 and < 8.1 are only exploitable via EAR deployment in the JBoss server,
        while versions 8.1+ are only exploitable via a JSP upload.
      },
      'Author'      =>
        [
          'h0ng10', # Vulnerability discovery
          'Pedro R  # (listing truncated on the page)
```
Exploit-DB
ManageEngine EventLog Analyzer - Multiple Vulnerabilities (1) (exploitdb, 2014-09-01, CVE-2014-6043)
---
Mogwai Security Advisory MSA-2014-01
Title: ManageEngine EventLog Analyzer Multiple Vulnerabilities
Product: ManageEngine EventLog Analyzer
Affected versions: EventLog Analyzer 9.9 (Build 9002) on Windows/Linux
Impact: critical
Remote: yes
Product link: http://www.manageengine.com/products/eventlog/
Reported: 18/04/2013
by: Hans-Martin Muench (Mogwai, IT-Sicherheitsberatung Muench)
Vendor's Description of the Software:
EventLog Analyzer provides the most cost-effective Security Information and
Event Management (SIEM) software on the market. Using this Log Analyzer
software, organizations can automate the entire process of managing terabytes
of machine generated logs by collecting, analyzing, searching, reporting,
and arc
Metasploit
ManageEngine Eventlog Analyzer Arbitrary File Upload
This module exploits a file upload vulnerability in ManageEngine Eventlog Analyzer. The vulnerability exists in the agentUpload servlet which accepts unauthenticated file uploads and handles zip file contents in an insecure way. By combining both weaknesses a remote attacker can achieve remote code execution. This module has been tested successfully on versions v7.0 - v9.9 b9002 in Windows and Linux. Versions between 7.0 and < 8.1 are only exploitable via EAR deployment in the JBoss server, while versions 8.1+ are only exploitable via a JSP upload.
No writeups or analysis indexed.
References
- http://osvdb.org/show/osvdb/110642
- http://packetstormsecurity.com/files/128102/ManageEngine-EventLog-Analyzer-9.9-Authorization-Code-Execution.html
- http://seclists.org/fulldisclosure/2014/Aug/86
- http://seclists.org/fulldisclosure/2014/Sep/1
- http://seclists.org/fulldisclosure/2014/Sep/19
- http://seclists.org/fulldisclosure/2014/Sep/20
- http://www.exploit-db.com/exploits/34519
- http://www.securityfocus.com/bid/69482
- https://github.com/rapid7/metasploit-framework/pull/3732
- https://www.mogwaisecurity.de/advisories/MSA-2014-01.txt