CVE-2014-7862
Published 2018-01-04
Priority P1 · critical · 9.8 (CVSS 3.0) · vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit available
EPSS: 81.05% (99.6th percentile)
The DCPluginServelet servlet in ManageEngine Desktop Central and Desktop Central MSP before build 90109 allows remote attackers to create administrator accounts via an addPlugInUser action.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| zohocorp | desktop_central | < 90109 | 90109 |
| zohocorp | desktop_central | >= 7 | — |
Detection & IOCs (extracted from sources)
URL: /servlets/DCPluginServelet?action=addPlugInUser&role=DCAdmin&userName=dcpwn&[email protected]&phNumber=123456&password=8fR%2bRoOURmY0EXsX%2bCmung%3d=&salt=1401192012599&createdtime=1337
Snort/Suricata rule:
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ManageEngine Desktop Central Administrator Account Creation"; flow:established,to_server; http.uri; content:"/servlets/DCPluginServelet?"; nocase; content:"action=addPlugInUser"; nocase; content:"role="; nocase; content:"userName="; nocase; content:"email="; nocase; content:"password="; nocase; content:"salt="; nocase; reference:cve,CVE-2014-7862; reference:url,seclists.org/fulldisclosure/2015/Jan/2; classtype:trojan-activity; sid:2020092; rev:3; metadata:created_at 2015_01_05, signature_severity Major, updated_at 2020_05_14;)
- Detect unauthenticated GET requests to /servlets/DCPluginServelet with the query parameter action=addPlugInUser, which indicates an attempt to create a rogue administrator account. No authentication or prior session is required by the attacker.
- Look for the combination of the URI path /servlets/DCPluginServelet? with the parameters role=, userName=, email=, password=, and salt= in a single HTTP request; all are present in the exploit payload.
- A Metasploit auxiliary module exists for this vulnerability (modules/auxiliary/admin/http/manage_engine_dc_create_admin.rb); use of this module can be correlated with exploit attempts against the DCPluginServelet endpoint.
- All versions of ManageEngine Desktop Central and Desktop Central MSP from v7 up to (not including) build 90109 are affected. Identify unpatched instances by version/build number in the asset inventory.
- The exploit requires no authentication whatsoever: it is a single unauthenticated GET request, making it trivially exploitable from any network with access to the Desktop Central web interface.
- Successful exploitation immediately grants full administrator access to Desktop Central, enabling code execution on ALL managed devices (servers, laptops, desktops, smartphones, tablets).
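As an added example (not code from the page, the ET rule set, or any tool listed here), the following Python detector applies the request shape described above to web-server access logs. The log lines are constructed, and the percent-decoding and case-folding go slightly beyond the rule's literal `nocase` content matches so that encoded or re-cased parameter names are still caught.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (Combined Log Format), not taken from the page.
# Lines 1 and 2 match the account-creation pattern (line 2 varies the case); 3 and 4 do not.
SAMPLE_LOG = """\
10.0.0.5 - - [05/Jan/2015:10:12:01 +0000] "GET /servlets/DCPluginServelet?action=addPlugInUser&role=DCAdmin&userName=dcpwn&email=x%40example.test&phNumber=123456&password=abc&salt=1401192012599&createdtime=1337 HTTP/1.1" 200 512 "-" "curl/7.38"
10.0.0.6 - - [05/Jan/2015:10:13:44 +0000] "GET /Servlets/dcpluginservelet?ACTION=addpluginuser&Role=DCAdmin&userName=bob&email=b%40example.test&password=p&salt=1 HTTP/1.1" 200 512 "-" "python-requests/2.5"
10.0.0.7 - - [05/Jan/2015:10:14:02 +0000] "GET /servlets/DCPluginServelet?action=listPlugIns HTTP/1.1" 200 128 "-" "Mozilla/5.0"
10.0.0.8 - - [05/Jan/2015:10:15:30 +0000] "GET /configurations.do?action=addPlugInUser HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})')
TARGET_PATH = "/servlets/dcpluginservelet"
# Parameter names the ET/Suricata rule requires alongside action=addPlugInUser.
REQUIRED_PARAMS = {"role", "username", "email", "password", "salt"}


def decoded_request(uri):
    """Split a request URI into (lower-cased path, {lower-cased param: [values]}).
    Percent-decoding first means encoded parameter names cannot evade the match;
    lower-casing mirrors the rule's `nocase` modifiers."""
    parts = urlsplit(unquote(uri))
    params = {}
    for key, values in parse_qs(parts.query, keep_blank_values=True).items():
        params.setdefault(key.lower(), []).extend(values)
    return parts.path.lower(), params


def is_admin_creation(uri):
    """True if the URI has the CVE-2014-7862 account-creation request shape."""
    path, params = decoded_request(uri)
    if path != TARGET_PATH:
        return False
    if "addpluginuser" not in [v.lower() for v in params.get("action", [])]:
        return False
    return REQUIRED_PARAMS.issubset(params)


def scan_log(text):
    """One finding per matching line: source IP, timestamp, HTTP status and the
    requested userName (the account that would be created)."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and is_admin_creation(m["uri"]):
            params = decoded_request(m["uri"])[1]
            findings.append({"src": m["ip"], "time": m["ts"],
                             "status": m["status"], "user": params.get("username", ["?"])[0]})
    return findings
```

A matching request with a 200 response does not by itself prove the account was created; confirm by checking Desktop Central's user list for the reported userName with the DCAdmin role.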
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| vendor_redhat | — | 7.8 | HIGH | — |
GHSA
GHSA-8646-8cww-px2p · ghsa_unreviewed · 2022-05-14
CVE-2014-7862 [CRITICAL]: The DCPluginServelet servlet in ManageEngine Desktop Central and Desktop Central MSP before build 90109 allows remote attackers to create administrator accounts via an addPlugInUser action.
Red Hat
kernel: can: bcm: Fix UAF in bcm_proc_show()
vendor_redhat · 2024-11-28 · CVSS 7.8
CVE-2023-52922 [HIGH] CWE-416
In the Linux kernel, the following vulnerability has been resolved:
can: bcm: Fix UAF in bcm_proc_show()
BUG: KASAN: slab-use-after-free in bcm_proc_show+0x969/0xa80
Read of size 8 at addr ffff888155846230 by task cat/7862
Suricata
ET WEB_SPECIFIC_APPS ManageEngine Desktop Central Administrator Account Creation
suricata · 2015-01-05 · CVSS 9.8
CVE-2014-7862 [CRITICAL]
Rule: alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ManageEngine Desktop Central Administrator Account Creation"; flow:established,to_server; http.uri; content:"/servlets/DCPluginServelet?"; nocase; content:"action=addPlugInUser"; nocase; content:"role="; nocase; content:"userName="; nocase; content:"email="; nocase; content:"password="; nocase; content:"salt="; nocase; reference:cve,CVE-2014-7862; reference:url,seclists.org/fulldisclosure/2015/Jan/2; classtype:trojan-activity; sid:2020092; rev:3; metadata:created_at 2015_01_05, signature_severity Major, updated_at 2020_05_14;)
Exploit-DB
ManageEngine Desktop Central - Create Administrator
exploitdb · 2015-01-15 · CVSS 9.8
CVE-2014-7862 [CRITICAL]
---
>> Administrator account creation in ManageEngine Desktop Central / Desktop Central MSP
>> Discovered by Pedro Ribeiro ([email protected]), Agile Information Security
Disclosure: 31/12/2014 / Last updated: 05/01/2015
>> Background on the affected product:
"Desktop Central is an integrated desktop & mobile device management software that helps in managing the servers, laptops, desktops, smartphones and tablets from a central point. It automates your regular desktop management routines like installing patches, distributing software, managing your IT Assets, managing software licenses, monitoring software usage statistics, managing USB device usage, taking control of remote desktops, and more."
This vulnerability is being released as
Metasploit
ManageEngine Desktop Central Administrator Account Creation
metasploit
This module exploits an administrator account creation vulnerability in Desktop Central from v7 onwards by sending a crafted request to DCPluginServelet. It has been tested in several versions of Desktop Central (including MSP) from v7 onwards.
No writeups or analysis indexed.
References
- http://packetstormsecurity.com/files/129769/Desktop-Central-Add-Administrator.html
- http://seclists.org/fulldisclosure/2015/Jan/2
- http://www.securityfocus.com/archive/1/534356/100/0/threaded
- http://www.securityfocus.com/bid/71849
- https://exchange.xforce.ibmcloud.com/vulnerabilities/99595
- https://github.com/pedrib/PoC/blob/master/advisories/ManageEngine/me_dc9_admin.txt
- https://www.manageengine.com/products/desktop-central/cve20147862-unauthorized-account-creation.html
- https://www.rapid7.com/db/modules/auxiliary/admin/http/manage_engine_dc_create_admin