CVE-2015-8249
Published 2017-09-28
Priority: P1 · 83 · critical · 9.8 (CVSS 3.0)
CVSS 3.0 vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Exploit: available · EPSS 73.60% (99.4th percentile)
The FileUploadServlet class in ManageEngine Desktop Central 9 before build 91093 allows remote attackers to upload and execute arbitrary files via the ConnectionId parameter.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| manageengine | desktop_central | — | — |
Detection & IOCs (extracted from sources)
- Detect POST requests to the FileUploadServlet endpoint containing a 'connectionId' parameter with null-byte (%00) and path traversal sequences (e.g., '../') targeting the /jspf/ directory.
- Monitor for unexpected .jsp file creation under the path C:\ManageEngine\DesktopCentral_Server\webapps\DesktopCentral\jspf\ as an indicator of successful exploitation.
- Check rdslog0.txt for anomalous FileUploadServlet debug entries, which are left behind as forensic artifacts after exploitation.
- Flag GET requests to /configurations.do on ManageEngine Desktop Central ports as potential pre-exploitation reconnaissance to enumerate the build number.
- Default port varies by ManageEngine Desktop Central version; defenders should ensure detection rules cover both port 8020 (newer default) and port 8040 (older default).
- The exploit payload uses a null-byte (%00) injection in the ConnectionId parameter to truncate the filename extension; WAF/IDS rules must handle URL-encoded null bytes to detect this technique.
- Exploitation results in code execution as SYSTEM; any process spawned from the ManageEngine Desktop Central service after a suspicious upload should be treated as high-severity.
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
No detection rules found.
Exploit-DB
- ManageEngine Desktop Central 9 - FileUploadServlet ConnectionId (Metasploit) (exploitdb, 2015-12-15)
```ruby
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'
require 'nokogiri'

class Metasploit3 < Msf::Exploit::Remote

  def initialize(info = {})
    super(update_info(info,
      'Name'           => "ManageEngine Desktop Central 9 FileUploadServlet ConnectionId Vulnerability",
      'Description'    => %q{
        This module exploits a vulnerability found in ManageEngine Desktop Central 9. When
        uploading a 7z file, the FileUploadServlet class does not check the user-controlled
        ConnectionId parameter in the FileUploadServlet class. This allows a remote attacker to
        inject a null byte at the end of the value to create a malicious file with an arbitrary
        file type, and then place it under a directory that allows server-side scripts t
```
Metasploit
- ManageEngine Desktop Central 9 FileUploadServlet ConnectionId Vulnerability (metasploit)
This module exploits a vulnerability found in ManageEngine Desktop Central 9. When uploading a 7z file, the FileUploadServlet class does not check the user-controlled ConnectionId parameter in the FileUploadServlet class. This allows a remote attacker to inject a null byte at the end of the value to create a malicious file with an arbitrary file type, and then place it under a directory that allows server-side scripts to run, which results in remote code execution under the context of SYSTEM. Please note that by default, some ManageEngine Desktop Central versions run on port 8020, but older ones run on port 8040. Also, using this exploit will leave debugging information produced by FileUploadServlet in file rdslog0
No writeups or analysis indexed.
References
- http://packetstormsecurity.com/files/134806/ManageEngine-Desktop-Central-9-FileUploadServlet-ConnectionId.html
- http://www.rapid7.com/db/modules/exploit/windows/http/manageengine_connectionid_write
- https://community.rapid7.com/community/infosec/blog/2015/12/14/r7-2015-22-manageengine-desktop-central-9-fileuploadservlet-connectionid-vulnerability-cve-2015-8249
- https://www.exploit-db.com/exploits/38982/