CVE-2019-11448
Published 2019-04-22
Priority: P2 · 71 · critical 9.8 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: public exploit available (see references)
EPSS: 12.43% (95.7th percentile)
An issue was discovered in Zoho ManageEngine Applications Manager 11.0 through 14.0. An unauthenticated user can gain the authority of SYSTEM on the server due to a Popup_SLA.jsp sid SQL injection vulnerability. For example, the attacker can subsequently write arbitrary text to a .vbs file.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| zohocorp | manageengine_applications_manager | 11.0 – 14.0 | — |
Detection & IOCs (extracted from sources)
- Monitor HTTP POST requests to /jsp/Popup_SLA.jsp whose 'sid' parameter carries SQL metacharacters (semicolons, quotes, comment sequences) or SQL keywords such as COPY/SELECT; these indicate PostgreSQL stacked-query injection attempts.
- Alert on unauthenticated POST requests to /jsp/Popup_SLA.jsp on port 8443 (SSL) from external sources; the exploit requires no prior authentication.
- Detect creation of unexpected .vbs files under the ManageEngine AppManager installation directory (e.g., AppManager11–14 subdirectories): the exploit writes a VBS-wrapped reverse-shell payload to disk for the application itself to execute.
- Look for the strings 'WbemScripting.SWbemLocator' and 'MSXML2.DOMDocument' in newly written .vbs files under ManageEngine directories; together they indicate an exe-to-vbs converted payload.
- The exploit exfiltrates credentials by reading AM_UserPasswordTable through the injection and serving the output as a .txt file; monitor for GET requests to randomly named .txt files in the ManageEngine web root shortly after POST exploitation attempts.
- The exploit uses a 500-second WfsDelay because the ManageEngine application must itself execute the dropped .vbs file; detection keyed to immediate post-exploitation activity may miss the shell session because of this delay.
- The injection relies on PostgreSQL's COPY ... TO syntax to write files to disk; this technique is PostgreSQL-specific and will not work if Applications Manager is configured with a different backend database.
- The check method in the public exploit module uses assignment (=) instead of comparison (==) when evaluating the HTTP response code, so its 'Appears' vulnerability verdict is unreliable and may produce false positives.
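The network-side indicators above (probes of the 'sid' parameter, external POSTs to Popup_SLA.jsp, a follow-up GET of a .txt dump) and the file-side one (marker strings in a dropped .vbs) can be turned into a small rule set. The following is an added example written for this page, not code from the exploit, from ManageEngine, or from any of the referenced sources. It assumes a hypothetical JSON request-record shape as a reverse proxy or WAF might emit, a locally tuned list of internal networks, and a 600-second correlation window; the request records are constructed for illustration, and the probe body only shows a stacked-query shape, not a working payload.

```python
"""Detection of the CVE-2019-11448 indicators listed above, run over
constructed request records.  Added example; not code from the page's sources."""
import ipaddress
import re
from datetime import datetime, timedelta
from urllib.parse import parse_qs, unquote_plus

TARGET_PATH = "/jsp/Popup_SLA.jsp"
# Stacked-query markers: statement separator, quote, comment, and the keywords
# the notes above name (COPY/SELECT) plus UNION for ordinary union-based probes.
SQL_META = re.compile(r"(;|'|--|\b(?:COPY|SELECT|UNION)\b)", re.IGNORECASE)
# Both strings appear in the exe-to-vbs wrapped payload described above.
VBS_MARKERS = ("WbemScripting.SWbemLocator", "MSXML2.DOMDocument")
# Window for a follow-up GET of a .txt dump after a probe (assumption; tune locally).
TXT_WINDOW = timedelta(seconds=600)
# Assumed internal ranges; any other source is treated as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def sid_values(record):
    """All values of the 'sid' parameter from query string and POST body, decoded.
    The extra unquote catches double-encoded payloads (parse_qs decodes once)."""
    vals = []
    for blob in (record.get("query", ""), record.get("body", "")):
        if blob:
            vals.extend(unquote_plus(v) for v in
                        parse_qs(blob, keep_blank_values=True).get("sid", []))
    return vals


def sqli_hits(record):
    """Values of 'sid' that contain SQL metacharacters or keywords."""
    return [v for v in sid_values(record) if SQL_META.search(v)]


def is_external(src):
    """True unless src parses as an address inside INTERNAL_NETS."""
    try:
        ip = ipaddress.ip_address(src)
    except ValueError:
        return True  # an unparseable source is not silently treated as trusted
    return not any(ip in net for net in INTERNAL_NETS)


def is_suspicious_vbs(content):
    """File-content check for a dropped .vbs: both marker strings must be present."""
    return all(marker in content for marker in VBS_MARKERS)


def analyze(records):
    """Apply the rules to time-ordered request records.
    Returns (rule, src, ts, detail) tuples; one record can raise several rules."""
    alerts = []
    last_probe = {}  # src -> datetime of its last injection probe
    for r in records:
        ts = datetime.fromisoformat(r["ts"])
        src, method, path = r["src"], r["method"].upper(), r.get("path", "")
        if path.lower() == TARGET_PATH.lower():
            if method == "POST" and is_external(src):
                alerts.append(("external_post_popup_sla", src, r["ts"], path))
            hits = sqli_hits(r)
            if hits:
                alerts.append(("sid_sqli_metachars", src, r["ts"], hits[0]))
                last_probe[src] = ts
        elif (method == "GET" and path.lower().endswith(".txt")
              and src in last_probe and ts - last_probe[src] <= TXT_WINDOW):
            alerts.append(("txt_fetch_after_probe", src, r["ts"], path))
    return alerts


# Constructed records in a hypothetical reverse-proxy/WAF JSON shape
# (not a real ManageEngine log format).
SAMPLE_RECORDS = [
    {"ts": "2019-04-22T10:00:00", "src": "10.0.0.5", "method": "GET",
     "path": "/jsp/Popup_SLA.jsp", "query": "sid=1042", "body": ""},   # benign
    {"ts": "2019-04-22T10:05:10", "src": "203.0.113.7", "method": "POST",
     "path": "/jsp/Popup_SLA.jsp", "query": "",
     "body": "sid=1%3B+SELECT+1--"},                                      # stacked-query probe shape
    {"ts": "2019-04-22T10:06:02", "src": "203.0.113.7", "method": "GET",
     "path": "/Xk3jd9.txt", "query": "", "body": ""},                     # dump fetch 52 s later
    {"ts": "2019-04-22T11:30:00", "src": "203.0.113.7", "method": "GET",
     "path": "/robots.txt", "query": "", "body": ""},                     # outside the window
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_RECORDS):
        print(alert)
```

Because the application executes the dropped .vbs only after a delay, the .txt correlation window is deliberately decoupled from the shell callback: the credential dump fetch follows the injection, not the shell, so a minutes-scale window is enough for that rule while the .vbs file check runs independently on the host.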
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| NVD | 2.0 | 10.0 | HIGH | AV:N/AC:L/Au:N/C:C/I:C/A:C |
No detection rules found.
No writeups or analysis indexed.
References
- https://pentest.com.tr/exploits/ManageEngine-App-Manager-14-SQLi-Remote-Code-Execution.html
- https://www.exploit-db.com/exploits/46725
- https://www.manageengine.com/products/applications_manager/security-updates/security-updates-cve-2019-11448.html