[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[CVE-2014-9331] ManageEngine Desktop Central CSRF vulnerability to add an Admin user advisory
- To: bugtraq@xxxxxxxxxxxxxxxxx
- Subject: [CVE-2014-9331] ManageEngine Desktop Central CSRF vulnerability to add an Admin user advisory
- From: mohamed.idris@xxxxxxxxxx
- Date: Mon, 2 Feb 2015 21:44:43 GMT
#####################################
Title:- Cross-Site Request Forgery (CSRF) Vulnerability in ManageEngine Desktop
Central 9 Allows adding an Admin User
Author: Mohamed Idris - Help AG Middle East
Vendor: ZOHO Corp
Advisory ID: hag20141205
Product: ManageEngine Desktop Central 9
Version: All versions below build 90121
Tested Version: Version 9 Build 90087
Severity: HIGH
CVE Reference: CVE-2014-9331
Fix Link:
http://www.manageengine.com/products/desktop-central/cve20149331-cross-site-request-forgery.html
# About the Product:
Desktop Central is an integrated desktop & mobile device management software
that helps in managing the servers, laptops, desktops, smartphones and tablets
from a central point.
It automates your regular desktop management routines like installing patches,
distributing software, managing your IT Assets, managing software licenses,
monitoring software usage statistics, managing USB device usage, taking control
of remote desktops, and more. It supports managing both Windows and Mac
operating systems.
# Description:
This Cross-Site Request Forgery vulnerability enables an anonymous attacker to
add an admin account into the application. This leads to compromising the whole
domain as the application normally uses privileged domain account to perform
administration tasks.
# Vulnerability Class:
Cross-Site Request Forgery (CSRF) -
https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29
# How to Reproduce: (POC):
Host the attached code in a webserver. Then send the link to the application
Admin. The admin should be loggedin when he clicks on the link.
You can entice him to do that by using social engineering techniques ;)
Say for example: Log into the application and click the following link to get
free licenses
# Disclosure:
Discovered: December 05, 2014
Vendor Notification: December 08, 2014
Advisory Publication: January 31, 2015
Public Disclosure: January 31, 2015
# Affected Targets:
All Desktop Central versions below build 90130. On all platforms (Actually
platform doesn't affect the issue).
# Solution:
Upgrade to Build 90130 will fix this issue.
The update can be found at the following link:
http://www.manageengine.com/products/desktop-central/cve20149331-cross-site-request-forgery.html
# credits:
Mohamed Idris
Senior Information Security Analyst and Team Leader
Help AG Middle East
# Proof of Concept Video:
https://www.youtube.com/watch?v=MRIZy7EBSF8
# Proof of Concept Code:
https://raw.githubusercontent.com/moha99sa/ManageEngine-Desktop-Central-CSRF/master/README.md
#References:
[1] help AG middle East http://www.helpag.com/.
[2] http://www.manageengine.com/products/desktop-central/
[3]
http://www.manageengine.com/products/desktop-central/cve20149331-cross-site-request-forgery.html
[4] https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)
[5] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ -
international in scope and free for public use, CVE® is a dictionary of
publicly known information security vulnerabilities and exposures.