ManageEngine Desktop Central AgentLogUploadServlet Arbitrary File Upload RCE (intrusive check)

This script is Copyright (C) 2013-2016 Tenable Network Security, Inc.


Synopsis :

The remote web server contains a Java-based web application that is
affected by a remote code execution vulnerability.

Description :

The version of ManageEngine Desktop Central running on the remote host
is affected by a remote code execution vulnerability due to a failure
by the AgentLogUploadServlet script to properly sanitize user-supplied
input to the 'fileName' parameter. A remote, unauthenticated attacker
can exploit this to upload to the remote host files containing
arbitrary code and then execute them with NT-AUTHORITY\SYSTEM
privileges.

Note that this plugin tries to upload a JSP file to <DocumentRoot>
(i.e., C:\ManageEngine\DesktopCentral_Server\webapps\DesktopCentral\)
and then fetch it, thus executing the Java code in the JSP file. The
plugin attempts to delete the JSP file after a successful upload and
fetch. The user is advised to delete the JSP file if Nessus fails to
delete it.

See also :

http://www.nessus.org/u?f57da24d
http://seclists.org/fulldisclosure/2013/Nov/130
http://seclists.org/fulldisclosure/2013/Nov/152

Solution :

Upgrade to ManageEngine Desktop Central 8 build 80293 or later.

Risk factor :

Critical / CVSS Base Score : 10.0
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 7.8
(CVSS2#E:POC/RL:OF/RC:ND)
Public Exploit Available : true

Family: CGI abuses

Nessus Plugin ID: 71217 ()

Bugtraq ID: 63784

CVE ID: CVE-2013-7390

Ready to Scan Unlimited IPs & Run Compliance Checks?

Upgrade to Nessus Professional today!

Buy Now

Combine the Power of Nessus with the Ease of Cloud

Start your free Nessus Cloud trial now!

Begin Free Trial