ManageEngine Desktop Central statusUpdate Arbitrary File Upload RCE (intrusive check)

critical Nessus Plugin ID 90193

Synopsis

The remote web server contains a Java-based web application that is affected by a remote code execution vulnerability.

Description

The ManageEngine Desktop Central application running on the remote host is affected by a flaw in the statusUpdate script, which fails to properly sanitize user-supplied input to the 'fileName' parameter.
An unauthenticated, remote attacker can exploit this by sending a crafted request that uploads a JSP file with multiple file extensions while manipulating the 'applicationName' parameter, and then requesting the uploaded file directly, resulting in the execution of arbitrary code with NT-AUTHORITY\SYSTEM privileges.

Note that this plugin attempts to upload a JSP file to <DocumentRoot> (i.e., C:\ManageEngine\DesktopCentral_Server\webapps\DesktopCentral\) and then fetch it, thus executing the Java code in the JSP file. The plugin attempts to delete the JSP file after a successful upload and fetch. However, the user is advised to delete the JSP file if Nessus fails to delete it.
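A defender-side way to hunt for the upload request described above in web access logs, as an added example that is not part of the plugin or of ManageEngine's code. It assumes a common/combined-format access log and that the 'fileName' and 'applicationName' parameters appear in the query string; the request path and all log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Extensions a servlet container treats as Java Server Pages.
JSP_EXTS = {"jsp", "jspx"}

# Assumed layout: ip - - [time] "METHOD target PROTO" status ...
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def has_jsp_extension(name):
    """True when any dot-separated extension of the file name is JSP."""
    base = re.split(r"[\\/]", name)[-1]
    # Drop non-alphanumerics so padding such as a decoded NUL does not hide it.
    exts = [re.sub(r"[^a-z0-9]", "", e.lower()) for e in base.split(".")[1:]]
    return any(e in JSP_EXTS for e in exts)

def scan(lines):
    """Return one finding per statusUpdate request carrying a JSP fileName."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        client, when, method, target, status = m.groups()
        url = urlsplit(target)
        if "statusupdate" not in url.path.lower():
            continue
        params = parse_qs(url.query, keep_blank_values=True)  # URL-decodes values
        for name in params.get("fileName", []):
            if has_jsp_extension(name):
                findings.append({
                    "client": client, "time": when, "status": int(status),
                    "fileName": name,
                    # Reported for analyst review; the page only says it is manipulated.
                    "applicationName": params.get("applicationName", [""])[0],
                })
    return findings

# Constructed sample lines (documentation addresses, hypothetical paths and values).
SAMPLE_LOG = [
    '192.0.2.10 - - [25/Mar/2016:10:01:02 +0000] "GET /configurations.do HTTP/1.1" 200 5120',
    '192.0.2.44 - - [25/Mar/2016:10:03:17 +0000] "POST /statusUpdate?applicationName=example&fileName=check.jsp.txt HTTP/1.1" 200 12',
    '192.0.2.10 - - [25/Mar/2016:10:04:00 +0000] "POST /statusUpdate?applicationName=inventory&fileName=agent-status.xml HTTP/1.1" 200 12',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f)
```

Requests from the Nessus scanner's own address are expected hits, since this plugin performs the upload itself.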

The application is reportedly also affected by an additional unspecified remote code execution vulnerability; however, Nessus has not tested for this issue.

Solution

Upgrade to ManageEngine Desktop Central version 9 build 91100 or later.

See Also

http://www.nessus.org/u?89099720

Plugin Details

Severity: Critical

ID: 90193

File Name: manageengine_desktop_central_91100_rce.nasl

Version: 1.6

Type: remote

Family: CGI abuses

Published: 3/25/2016

Updated: 11/19/2019

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: High

Score: 7.3

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 8.3

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Vulnerability Information

CPE: cpe:/a:zohocorp:manageengine_desktop_central

Required KB Items: installed_sw/ManageEngine Desktop Central

Exploit Available: true

Exploit Ease: Exploits are available

Exploited by Nessus: true

Patch Publication Date: 12/12/2015

Vulnerability Publication Date: 12/14/2015

Reference Information

CVE: CVE-2015-82001