module

ManageEngine Desktop Central 9 FileUploadServlet ConnectionId Vulnerability

Try Surface Command
Back to search
Disclosed
12/14/2015
Created
05/30/2018

Description

This module exploits a vulnerability found in ManageEngine Desktop Central 9. When
uploading a 7z file, the FileUploadServlet class does not check the user-controlled
ConnectionId parameter in the FileUploadServlet class. This allows a remote attacker to
inject a null bye at the end of the value to create a malicious file with an arbitrary
file type, and then place it under a directory that allows server-side scripts to run,
which results in remote code execution under the context of SYSTEM.

Please note that by default, some ManageEngine Desktop Central versions run on port 8020,
but older ones run on port 8040. Also, using this exploit will leave debugging information
produced by FileUploadServlet in file rdslog0.txt.

This exploit was successfully tested on version 9, build 90109 and build 91084.

Author

sinn3r

Platform

Windows

References

Module Options

To display the available options, load the module within the Metasploit console and run the commands ‘show options’ or ‘show advanced’:

    msf > use exploit/windows/http/manageengine_connectionid_write
    msf /(e) > show actions
        ...actions...
    msf /(e) > set ACTION < action-name >
    msf /(e) > show options
        ...show and set options...
    msf /(e) > run
Title
NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.

Try it today