Bugtraq mailing list archives
Re: [The ManageOwnage Series, part X]: 0-day administrator account creation in Desktop Central
From: Pedro Ribeiro <pedrib () gmail com>
Date: Mon, 5 Jan 2015 20:21:58 +0000
On 31 December 2014 at 02:17, Pedro Ribeiro <pedrib () gmail com> wrote:
Hi, This is part 10 of the ManageOwnage series. For previous parts, see [1]. This time we have a vulnerability that allows an unauthenticated user to create an administrator account, which can then be used to execute code on all devices managed by Desktop Central (desktops, servers, mobile devices, etc). An auxiliary Metasploit module that creates the administrator account has been released and its currently awaiting review [2]. I will leave to someone else the task of creating an exploit that executes code on all managed devices (it's not hard to write but testing it properly might take a fair few hours). I am releasing this as a 0 day as 112 days have elapsed since I first communicated the vulnerability to ManageEngine. I received many promises about getting updates but they were very evasive (a disclosure timeline is at the bottom of this email). The full advisory text is below, and a copy can be obtained from my repo [3]. Regards, Pedro
This vulnerability has now been fixed. Upgrade to version 9.0 build 90109 or later. I've updated the advisory in my repo. https://raw.githubusercontent.com/pedrib/PoC/master/ManageEngine/me_dc9_admin.txt
Current thread:
- Re: [The ManageOwnage Series, part X]: 0-day administrator account creation in Desktop Central Pedro Ribeiro (Jan 06)