Skip to navigation Skip to main content Skip to footer

Technical Advisory: Multiple Vulnerabilities in ManageEngine Desktop Central

Vendor: ManageEngine

Vendor URL: https://www.manageengine.com/products/desktop-central/

Versions affected: 10.0.124 and 10.0.184 verified, all versions <= 10.0.184 suspected

Systems Affected: All

Author: Ben Lincoln

Advisory URLs: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5337, http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5338, http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5339, http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5340, http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5341, http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5342

Risk: Critical (unauthenticated remote code execution)

Summary

Desktop Central is integrated desktop and mobile device management software that helps in managing servers, laptops, desktops, smartphones, and tablets from a central location.

Desktop Central 10.0.124, 10.0.184, and likely other versions of the product contain multiple vulnerabilities which can be combined to achieve remote code execution as the NT AUTHORITYSYSTEM account on the server which hosts the web interface:

  1. Missing authentication/authorization on a database query mechanism (CVE-2018-5338).
  2. Insufficient enforcement of database query type restrictions (CVE-2018-5339).
  3. Missing server side check on file type/extension when uploading and modifying scripts (CVE-2018-5341).
  4. Directory traversal in SCRIPT_NAME field when modifying existing scripts (CVE-2018-5337).
  5. Network services (Desktop Central and PostgreSQL) running as a superuser account (CVE-2018-5342).
  6. Database access using a superuser account (specifically, an account with permission to write to the filesystem via SQL queries) (CVE-2018-5340).

CVE-2018-5338 was addressed by the vendor in Desktop Central build 10.0.198, and CVE-2018-5339 was partially addressed in the same build.

CVE-2018-5337 and CVE-2018-5341 were addressed by the vendor in Desktop Central build 10.0.208.
ManageEngine have elected not to address CVE-2018-5340 or CVE-2018-5342.

Location

The following URIs within the web interface to the product:

  • /inventoryScript.do
  • /jsp/admin/DBQueryExecutor.jsp

Impact

An attacker with network connectivity to the web interface may issue arbitrary SQL queries against the application database without providing any sort of credentials. Among other capabilities, this allows them to write arbitrary files to the server’s filesystem, or create an administrative account within Desktop Central. This effectively provides control over systems which are managed by Desktop Central, as the attacker may execute custom packages on those systems from the Desktop Central console.

Two additional flaws permit the attacker to then log on and upload arbitrary files to the server, placing them in arbitrary locations – including web-accessible directories. By uploading a malicious JSP file using either of these techniques, it is possible to achieve remote code execution on the server. In the default configuration, this code execution takes place in the context of the NT AUTHORITYSYSTEM account, granting unrestricted access to the server.

Details

The unauthenticated database query capability can be verified by accessing the following URI on the Desktop Central server using a standard web browser:

/jsp/admin/DBQueryExecutor.jsp?actionFrom=getResult query=SELECT%20*%20from%20aaauser;

For example, if the web interface is hosted on port 8020 of desktopcentral.vulnerable.local, the full URL would be:

http://desktopcentral.vulnerable.local:8020/jsp/admin/DBQueryExecutor.jsp?actionFrom=getResult query=SELECT%20*%20from%20aaauser;

Note that attempting to submit a query using the web form will fail, because it redirects to a URI which requires authentication. Queries must be submitted as a GET request in order to exploit the vulnerability.

Queries issued in this manner execute in the context of the postgres database account, which has system administrator access to the PostgreSQL instance included with Desktop Central. By executing a series of statements, it is possible to create a new account with a password known to the attacker, and grant it administrative access to Desktop Central.

The database system administrator permissions permit an attacker to use the PostgreSQL COPY … TO syntax to write a malicious JSP to a web-accessible location within the server’s filesystem. This provides one option for unauthenticated remote code execution on the server.

If the database configuration has been customized to remove the system administrator permissions, it is still possible to achieve OS-level code execution via a lengthier series of steps, related to the other vulnerabilities in the product.

Once the attacker has created a new Desktop Central account with administrative access, they may log into the web interface and create a custom script. Typically scripts are executed on managed systems, and are restricted to certain file extensions. Due to missing checks within the application, it is possible to rename an uploaded file so that it has a JSP extension, then access it using a browser.  

Recommendation

Users of Desktop Central should upgrade to build 10.0.208 or later.

The following recommendations were sent to ManageEngine along with the original vulnerability notification:

  • Ensure that all application functionality can only be accessed after authenticating successfully, and after authorization checks have verified that the user has permission to perform the action in question.
  • Use server-side checks to ensure that only supported script types are uploaded. The version of the application encountered by NCC Group performs a client-side check using JavaScript, which is easily bypassed using the technique described above.
  • Canonicalize all file paths submitted in client requests, and ensure that they are within the intended directory, as opposed to traversing outside that location.
  • Consider storing uploaded scripts in the database instead of the server filesystem.
  • Configure network services to run as accounts with the least necessary privileges necessary for them to function.
  • Configure the web application to access the database using an account with the least necessary privileges for it to function.
  • If an arbitrary SQL query interface is required, configure it to use a separate database account which only holds read access to the database. Ensure that the account does not have permission to write to the server’s filesystem.

Vendor Communication

2018-01-10 @ 17:13 Pacific - Submitted report via ManageEngine's online form
2018-01-10 @ 17:27 Pacific - Received automated response indicating submission received
2018-01-10 @ 19:37 Pacific - Received written reply from ManageEngine confirming receipt
2018-01-10 @ 23:53 Pacific - Received six reserved CVEs from MITRE
2018-01-11 @ 10:34 Pacific - Replied to ManageEngine with CVE numbers
2018-01-16 @ 11:21 Pacific - Requested confirmation from ManageEngine of ability to reproduce
issues
2018-01-18 @ 07:15 Pacific - Received written reply confirming that ManageEngine was working
on a fix, but disputing CVE-2018-5342 (service running as NT AUTHORITYSYSTEM)
2018-01-18 @ 10:05 Pacific - Sent ManageEngine some additional references regarding
least-privilege designs and best practices
2018-01-31 @ 02:23 Pacific - ManageEngine acknowledges receipt of least-privilege references
2018-02-12 @ 12:51 Pacific - Requested an ETA from ManageEngine
2018-02-13 @ 03:19 Pacific - ManageEngine indicates that all issues except CVE-2018-5342 have
been fixed and the changes are in testing. An estimate of a "couple of weeks" is given
for releasing the updated version
2018-03-05 @ 07:36 Pacific - ManageEngine indicates that build 10.0.183 contains fixes for all
issues except CVE-2018-5342.
2018-03-05 @ 10:45 Pacific - NCC Group requests clarification as the version tested against is
10.0.184, and the patch installer does not permit downgrading to 10.0.183.
2018-03-06 @ 14:21 Pacific - NCC Group notifies ManageEngine that the fixes are incomplete in
build 10.0.198, which is available in full install form, although not as a patch.
2018-03-06 @ 23:45 Pacific - ManageEngine provides NCC Group with a PGP key for encrypting the
additional details.
2018-03-07 @ 09:37 Pacific - Details sent to ManageEngine.
2018-03-08 @ 08:20 Pacific - ManageEngine denies that directory traversal is still possible,
requests additional information on CVE-2018-5339.
2018-03-08 @ 11:15 Pacific - NCC Group provides screenshots of successful directory traversal
and examples of SELECT queries which will modify the database and/or log files.
2018-03-19 @ 04:39 Pacific - ManageEngine notifies NCC Group that build 10.0.208 has been
released with additional fixes.
2018-03-22 @ 12:34 Pacific - NCC Group confirms that the directory-traversal attack and
file-extension bypasses described above are no longer effective against build
10.0.208.

About NCC Group

NCC Group is a global expert in cyber security and risk mitigation, working with businesses to protect their brand, value and reputation against the ever-evolving threat landscape. With our knowledge, experience and global footprint, we are best placed to help businesses identify, assess, mitigate respond to the risks they face. We are passionate about making the Internet safer and revolutionizing the way in which organizations think about cyber security.

Written by:  Ben Lincoln